From YobiWiki

See also RFID


  • STIB site about MOBIB (MIVB)
  • ASK, the card manufacturer
  • Press releases
  • On wikipedia:
    • Calypso, see also here
    • MoBIB (fr)
    • Passe Navigo (fr) is not fully ISO14443-B compliant (Innovatron "standard", also referred to as type B'), so without a proper reader it can be accessed only via its contacts. Mobib readers cannot read a Navigo pass, so there is no compatibility whatsoever with the anonymous Navigo card, sigh.



  • The UCL software to read Mobib cards (mobib extractor) seems to be no longer available, but there is still a copy here
  • SpringCard offers an SDK with a Calypso explorer for Windows and its sources; find here the SDK PC/SC for Calypso. See also their blog post
  • An article from P. Gueulle describes a program in Basic to dump the memory content of a Calypso card
  • Cardpeek is a Linux tool to read the contents of ISO7816 smartcards. It features a GTK GUI that represents card data in a tree view, and is extensible with a scripting language (Lua). The tool currently reads the contents of: EMV cards, Navigo public transport cards, Moneo ePurse cards and the French health card "Vitale 2"
  • You may try Edouard Lafargue's tool
  • UCL researchers wrote a nice article (in French) in MISC Mag #48 on how to read a Navigo card, see pages 74-82


Under the Belgian law of 28 November 2000 relative to computer/cyber criminality, anyone who accesses a computing system, knowing he was not allowed to do so, is punishable.
Without exception for academic security research.
Without need for demonstrating an intention of bad behavior.
Without need for demonstrating an intention of getting financial benefit (=fraud).
The sole intention to access the computing system is also punishable.

And, oh, btw, apparently your Mobib is not yours, it's STIB property.
Now, don't say I didn't warn you.

As pointed out on this blog, this may explain why UCL researchers removed their tool from their website, as it's hard to write such a tool without reading any Mobib, and considering who owns the transport card company and who subsidizes the university... Sounds a bit like a conspiracy, but we can't say for sure.

So this is how you can deploy a privacy-savvy technology in Belgium: no technical protection whatsoever is required, as there is already a law prohibiting reading the unprotected data. And you won't be blamed, as anyone demonstrating publicly that your technology is a privacy nightmare is committing a crime.
Quod erat demonstrandum.