aruarian.dance · 2218 words · 12 min read

Japan's IC cards are weird and wonderful

While I was in Japan over winter, one thing that stood out to me was the incredible public transport system. Efficient and reliable, as expected, but the tap-in-tap-out gates at the stations were suspiciously fast. The London Underground gates don't work nearly as quickly with Google Pay or any of my other contactless cards - what gives? I spent some time researching what makes Japan's transit card system (IC cards) so unique compared to the West, and wrote up all of the interesting bits I learned along the way.

Basics of NFC

Near-field communication (NFC) is a set of protocols that lets two devices a few centimetres apart communicate without physically touching, over a 13.56 MHz radio field. The card-side standards are ISO/IEC 14443 (types A and B) and, for FeliCa, JIS X 6319-4 and ISO/IEC 18092; the NFC Forum's NFC-A/B/F types sit on top of those. It's used all over the place:

Wait... didn't you just say that the security of MIFARE Classic is terrible? Someone could clone my keycard - or worse yet, get into my (whatever) without even needing a keycard?

Yes, and it's worse than you think. That's why it's considered legacy, and hopefully nothing security-critical still uses MIFARE Classic. I mean, you're not worried about someone breaking into your hotel room, right?

What's interesting about Japan (and Asia in general) is that they have their own type of NFC which basically does not exist in the West: FeliCa, a standard developed by Sony and classified by the NFC Forum as NFC-F (as opposed to MIFARE, which is type A). In fact, FeliCa came first: Sony started developing it in 1988, while Philips' (now NXP) MIFARE was introduced in 1994. FeliCa's first widespread deployment wasn't in Japan but in Hong Kong, through its Octopus public transport cards in 1997 - only later did JR East adopt FeliCa for its Suica transit cards in November 2001, the same year Edy launched as a FeliCa e-money card (bitWallet's at the time, now Rakuten's; the name reminds me of something...). After that, a number of other Asian countries adopted it, like Vietnam and Bangladesh. It fills the same niche in those countries as it does in Japan: contactless prepaid cards and transit tickets.

Places like Hong Kong and Tokyo have a lot of commuters, leading to a lot of congestion around station gates. Sony realised this and invested heavily in the performance of their technology - FeliCa cards boast an advertised communication speed of up to 424 kbit/s, which makes a noticeable difference to gate processing speeds compared to Western counterparts (most ISO/IEC 14443 cards run at the default 106 kbit/s). Compare the speed of passing through a ticket gate on the Underground to a Tokyo ticket gate (part of this HN discussion) - you could practically sprint through. The bigger factor is that a transaction involves only the card and the reader - the reader doesn't talk to an external server to authorise it. This makes IC cards stored-value cards - as in, the balance is stored on the card itself, rather than on a backend where it's controlled fully by the operator. The card also keeps a log of its most recent transactions, and that log, like the balance, is readable without any key: any NFC reader, including your phone, can read it - convenient for expense tracking, and equally convenient for anyone who gets a reader within a few centimetres of your wallet. But this stored-value model raises some interesting points about security... we'll get back to that 🤔

These cards also come with some extra quality-of-life stuff, like collision avoidance - a reader can detect when more than one FeliCa card is in the field at the same time, and refuse to proceed if so:

As an aside, how does Philips, starting six years after Sony began work on FeliCa, still end up with a card that is both slower and less secure? I don't know if it's negligence, cost-cutting, or something else, but it leads to real security problems in the real world: MIFARE Classic's proprietary Crypto-1 cipher was reverse engineered and broken in 2008, and every deployment since has been living with that. Security through obscurity does not work.

Osaifu-Keitai

Osaifu-Keitai (o-saifu, "wallet"; keitai, "mobile phone") is a system that lets you use your phone as an IC card, emulating a Suica, PASMO, or whatever else. Over the years there has been some confusion about the relationship between FeliCa, IC cards, Osaifu-Keitai, and how this relates to Apple's and Google's phones. When I first started reading about this topic it all went over my head as well, but I've tried to gather my findings here for future reference. A lot of this is thanks to FelicaDude (Reddit, Twitter), an anonymous internet stranger who disappeared a few years ago but seemed to have a lot of knowledge about how FeliCa works. I can't verify any of this information, but it makes sense to me; and anyway, there's no way someone would lie on the internet, right?

Modern smartphones have NFC hardware, and to be certified by the NFC Forum a device has to support NFC-A, NFC-B and NFC-F (FeliCa) in reader mode - so every certified phone can read FeliCa cards. That is enough to interact with a physical IC card in your possession: with an app like Suikakeibo you can tap the card and read out its stored value and transaction history (both are readable without a key). Here's a screenshot from my Xiaomi Redmi Note 13 Pro where I tap my PASMO card:

Screenshot of the Suikakeibo app on a phone, showing card value and recent transaction history
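What an app like Suikakeibo does with the bytes it gets back, as an added example (this is not code from the post or from Suikakeibo): the history service returns 16-byte blocks, newest first, and the card stores only the balance after each transaction, so the per-transaction amount the app shows is computed by subtraction. The block layout, the service code 0x090F and the terminal/process code tables below come from unofficial community reverse engineering, and the three records are constructed, so treat all of that as assumptions rather than Sony or JR East documentation.

```python
# Added example: decoding the transaction-history blocks a Suica/PASMO
# returns when read over NFC-F. NOT code from the post or from Suikakeibo.
# The 16-byte layout and the code tables come from unofficial community
# reverse engineering of the history service (service code 0x090F, readable
# without any key), so treat them as assumptions.
import struct
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Partial, community-documented code tables (assumption, not from Sony/JR East).
TERMINAL = {0x03: "fare adjustment machine", 0x05: "bus", 0x07: "ticket machine",
            0x16: "ticket gate", 0xC8: "shop terminal"}
PROCESS = {0x01: "fare", 0x02: "charge", 0x03: "ticket purchase",
           0x07: "new card", 0x0D: "bus", 0x46: "goods purchase"}


@dataclass
class HistoryRecord:
    terminal: str
    process: str
    when: date
    entry: Optional[Tuple[int, int]]   # (line code, station code) for rail fares
    exit_: Optional[Tuple[int, int]]
    balance: int                       # yen remaining AFTER this transaction
    amount: Optional[int] = None       # derived below; the card does not store it


def parse_record(block: bytes) -> HistoryRecord:
    """Decode one 16-byte history block."""
    if len(block) != 16:
        raise ValueError("history block must be 16 bytes")
    term, proc = block[0], block[1]
    # bytes 4-5: big-endian packed date: 7-bit year since 2000, 4-bit month, 5-bit day
    packed = struct.unpack(">H", block[4:6])[0]
    when = date(2000 + (packed >> 9), (packed >> 5) & 0xF, packed & 0x1F)
    entry = exit_ = None
    if proc == 0x01:                   # rail fare: bytes 6-7 entry, 8-9 exit station
        entry, exit_ = (block[6], block[7]), (block[8], block[9])
    balance = struct.unpack("<H", block[10:12])[0]   # little-endian, unlike the date
    return HistoryRecord(TERMINAL.get(term, f"unknown terminal 0x{term:02x}"),
                         PROCESS.get(proc, f"unknown process 0x{proc:02x}"),
                         when, entry, exit_, balance)


def parse_history(blocks: List[bytes]) -> List[HistoryRecord]:
    """Blocks in the order the card returns them: newest first.

    Only the balance after each transaction is stored, so the amount of a
    transaction is the difference to the next-older record. The oldest record
    in the window has no predecessor, so its amount stays None.
    """
    records = [parse_record(b) for b in blocks]
    for newer, older in zip(records, records[1:]):
        newer.amount = newer.balance - older.balance
    return records


def make_block(term: int, proc: int, y: int, m: int, d: int, balance: int,
               entry=(0, 0), exit_=(0, 0)) -> bytes:
    """Build a history block in the layout above (used for the constructed sample)."""
    packed = ((y - 2000) << 9) | (m << 5) | d
    return (bytes([term, proc, 0, 0]) + struct.pack(">H", packed)
            + bytes(entry + exit_) + struct.pack("<H", balance) + bytes(4))


# Constructed sample, newest first, as a card would return it (not a real dump):
# a 150 yen shop purchase, a 210 yen rail fare, and the 3000 yen charge before them.
SAMPLE_HISTORY = [
    make_block(0xC8, 0x46, 2025, 1, 16, 2640),
    make_block(0x16, 0x01, 2025, 1, 16, 2790, entry=(0x01, 0x02), exit_=(0x01, 0x05)),
    make_block(0x07, 0x02, 2025, 1, 15, 3000),
]

if __name__ == "__main__":
    for r in parse_history(SAMPLE_HISTORY):
        print(f"{r.when} {r.process:<15} {r.terminal:<24} {r.amount!s:>6} -> {r.balance} yen")
```

Two things worth noticing: the date is big-endian but the balance is little-endian in the same block, and nothing in these records is authenticated, so the log is fine for a personal expense tracker but is also exactly what a stranger with a reader learns about your last couple of weeks.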

However, NFC-F support is not enough to use your phone as an IC card. That requires Osaifu-Keitai support. Osaifu-Keitai was originally developed by NTT Docomo for feature phones, letting your phone act as an IC card as well as making calls. Later it was brought to smartphones by reusing the secure element already present for other functions that need to store cryptographic keys safely (Apple Pay, Google Pay). Modern phones therefore have the hardware to act as an IC card, but the secure element also needs the FeliCa applet and keys, which are provisioned through FeliCa Networks; phone vendors (Apple, Google) presumably pay per device for that (licensing or something). Since there's no point provisioning a device that will never be used in Japan, most non-Japan SKUs ship without Osaifu-Keitai. The exception is Apple, which has shipped global FeliCa on every iPhone since the iPhone 8 and every Apple Watch since Series 3. And even if you rooted your phone, you still couldn't use it as an IC card if the secure element was never provisioned - rooting gives you the application processor, not the secure element's keys.

Security

When I first read that the card stores its value on itself, I immediately thought, there's no way this is safe, right? After further reading, I think these cards are actually remarkably secure, and I'm kind of shocked how well the design has stood the test of time (from 1988 btw!!!) - seriously a testament to how well you can do something if you plan it out right from the start, and don't pretend that obscurity is security and then try to sue the people who point out how shitty your system is. I could find barely any info on successful attacks on FeliCa outside of a single paper detailing a bug exploited by a cashier, which was caught anyway by audit logs and the clearing house system behind Hong Kong's Octopus cards. The one real concern I've seen raised is that the crypto is proprietary (older cards use DES/3DES-based mutual authentication, newer ones AES) and buried under a mountain of NDAs, so the public can't audit it independently - which is exactly the situation MIFARE Classic was in until someone looked.

As long as the per-card keys stay secret, IC cards are designed to resist:

  • cloning (the keys can't be read out of the chip; everything that can be read, like the IDm, balance and history, is useless without them)
  • a successful attack on another card spreading (each card has its own diversified keys, so one compromised card doesn't expose the rest)
  • replay attacks (every session derives a fresh key from both sides' random challenges, so a recorded exchange doesn't verify a second time)
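The three properties above, as an added example with both sides' messages written out. This is not FeliCa's real protocol: Sony's cipher and message formats are proprietary, so HMAC-SHA256 stands in for the card's symmetric primitive and every message and field name here (challenge, verify_reader, debit, the "reader"/"card"/"session" labels) is an assumption made for illustration. The honest run debits a fare; the replay re-presents a recorded reader response against a fresh challenge; the clone has copied everything readable off the card but not the key.

```python
# Added example: a generic challenge/response mutual authentication with a
# per-session key, modelling the three properties listed above. NOT FeliCa's
# real protocol: Sony's cipher and message formats are proprietary, so
# HMAC-SHA256 stands in for the card's symmetric primitive and every message
# name here is an assumption made for illustration.
import hashlib
import hmac
import os


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Card:
    """Stored-value card: the balance lives on the card and can only be
    changed inside a session whose key was derived from both random challenges."""

    def __init__(self, idm: bytes, key: bytes, balance: int):
        self.idm, self._key, self.balance = idm, key, balance   # key never leaves the chip
        self._session = None   # per-session key; None until mutual auth completes
        self._rc = None        # the card's challenge for the current attempt

    def challenge(self) -> bytes:
        self._session, self._rc = None, os.urandom(16)   # fresh every tap
        return self._rc

    def verify_reader(self, rr: bytes, reader_proof: bytes) -> bytes:
        # The reader must prove knowledge of the key over BOTH challenges;
        # a proof recorded from an earlier tap was made over a different rc.
        if not hmac.compare_digest(_mac(self._key, b"reader", self._rc, rr), reader_proof):
            raise PermissionError("reader authentication failed")
        self._session = _mac(self._key, b"session", self._rc, rr)
        return _mac(self._session, b"card", rr)   # the card's proof back to the reader

    def debit(self, amount: int, cmd_mac: bytes) -> int:
        if self._session is None:
            raise PermissionError("no authenticated session")
        expected = _mac(self._session, b"debit", amount.to_bytes(4, "big"))
        if not hmac.compare_digest(expected, cmd_mac):
            raise PermissionError("bad command MAC")
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= amount
        return self.balance


class Reader:
    """Gate or shop terminal holding the same key (kept in a SAM in real deployments)."""

    def __init__(self, key: bytes):
        self._key = key
        self.last_transcript = None   # what an eavesdropper on the RF side would see

    def authenticate(self, card: Card) -> bytes:
        rc = card.challenge()
        rr = os.urandom(16)
        proof = _mac(self._key, b"reader", rc, rr)
        self.last_transcript = (rr, proof)
        card_proof = card.verify_reader(rr, proof)
        session = _mac(self._key, b"session", rc, rr)
        # The card must prove it knows the key too, or an emulator with a
        # copied IDm and balance (but no key) would pass.
        if not hmac.compare_digest(_mac(session, b"card", rr), card_proof):
            raise PermissionError("card authentication failed")
        return session

    def charge_fare(self, card: Card, amount: int) -> int:
        session = self.authenticate(card)
        return card.debit(amount, _mac(session, b"debit", amount.to_bytes(4, "big")))


class Clone(Card):
    """Emulator that copied the readable parts of a card (IDm, balance) but not the key."""

    def verify_reader(self, rr: bytes, reader_proof: bytes) -> bytes:
        self._session = os.urandom(32)   # cannot derive the real session key
        return _mac(self._session, b"card", rr)


def demo() -> dict:
    key = os.urandom(16)   # per-card key, diversified from the operator's master key
    card = Card(b"\x01\x02\x03\x04\x05\x06\x07\x08", key, 1000)
    gate = Reader(key)
    out = {"honest": gate.charge_fare(card, 210)}   # 1000 - 210 = 790

    # Replay: re-present the reader's recorded (rr, proof) against a new challenge.
    card.challenge()
    try:
        card.verify_reader(*gate.last_transcript)
        out["replay"] = "accepted"
    except PermissionError:
        out["replay"] = "rejected"

    # Clone: the gate rejects a card that cannot answer with the real key.
    clone = Clone(card.idm, os.urandom(16), card.balance)
    try:
        gate.charge_fare(clone, 210)
        out["clone"] = "accepted"
    except PermissionError:
        out["clone"] = "rejected"
    out["balance"] = card.balance
    return out
```

The design point is that the balance write is gated on a session key that neither side can compute from a transcript alone: the card's challenge changes per tap, so a recorded reader proof dies with the session it was made in, and the reader checks the card's proof rather than trusting the IDm it read in the clear.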

One possible attack vector would be exploiting Apple's IC card implementation. If an iPhone can emulate an IC card, then there's code somewhere on the system that can perform the necessary handshakes, right? However, the keys for this handshake live in the secure element (the chip beside the NFC controller that also holds Apple Pay credentials - not the Secure Enclave that handles biometrics), and the handshake runs in there; the application processor only relays commands. You're only getting into the SE if you are Mossad, NSO Group, or some other scary three-letter agency; and if you do manage that:

  • you can do much more than spoof a Japanese transit card
  • you are probably about to make millions in your denomination of choice, either by being hired or by selling a zero-day
  • your lifespan has been dramatically shortened

The only other attack vector is the reader itself. Card charging machines and station gates may be open to some kind of attack, but even if you could pull one off, they (probably) send transaction logs to a central audit server somewhere, and your misdeeds would be flagged as an anomaly. That's exactly what happened in the paper linked above. Once your card has been flagged, its ID is probably added to a hotlist which is synced to every reader terminal under the operator's control, and a reader that sees a card on its hotlist rejects the transaction immediately. If you're lucky, it might even call over some law enforcement. Reader devices have limited space for this hotlist, so maybe you could generate millions of flagged cards, fill up the hotlists until older entries get evicted, then use one of your original flagged cards without being blocked? I'm just spitballing at this point, I have no clue how this might work. But it's an interesting idea nonetheless.

Offline terminals, however, are a different story: something like a vending machine is not usually maintained by the card operator, but by a third party using the operator's IC card reader. These kinds of machines may not be online all the time, may not sync hotlists promptly, and may only send audit logs in batches - a more viable attack vector! The caveat is that the vendor still has to settle with the card operator to get paid, so whatever the machine recorded eventually reaches the same clearing house, just later. Unfortunately due to geometrical issues, I am unable to bring a vending machine back home with me, so I can't investigate this.
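What the clearing-house side of the two paragraphs above could look like, as an added example run over constructed records (not JR East's or Octopus's code, and the CSV fields, terminal names and rules are my assumptions about how a stored-value operator reconciles uploads). The check doesn't need the terminal to be trustworthy or online at the time: it only needs each terminal to report the card's own sequence counter and the balance the card held afterwards, and then checks that the per-card chain of balances is self-consistent. A late upload from the offline vending machine VEND-0042 slots into the chain by sequence number, and because the balance it reports doesn't follow from the previous record, that card is flagged and lands on the hotlist every gate checks first.

```python
# Added example: clearing-house reconciliation of terminal uploads and the
# terminal-side hotlist check. NOT an operator's real code; the record fields,
# CSV format and rules are assumptions about a stored-value back end.
import csv
import io
from collections import defaultdict
from typing import Dict, List, Set

# Constructed upload batch (not real data). Each terminal reports, per tap,
# the card's own sequence counter and the balance the card held afterwards.
# VEND-0042 is an offline vending machine that uploaded late; the batch is
# deliberately out of time order to show that reconciliation sorts by the
# card's counter, not by arrival time.
SAMPLE_LOG = """\
terminal,card,seq,process,amount,balance_after
GATE-0102,0102030405060708,44,fare,-180,9700
GATE-0101,0102030405060708,41,fare,-210,2790
SHOP-7731,0102030405060708,42,goods,-150,2640
VEND-0042,0102030405060708,43,goods,-120,9880
GATE-0101,AABBCCDDEEFF0011,7,fare,-210,1790
GATE-0103,AABBCCDDEEFF0011,7,fare,-220,1780
GATE-0105,1122334455667788,3,fare,-170,480
"""


def reconcile(log_text: str) -> Dict[str, List[str]]:
    """Return {card: [reasons]} for cards whose history is not self-consistent.

    Rule 1: consecutive records must chain, balance_after[n] == balance_after[n-1] + amount[n].
            A balance that doesn't follow from the previous record means the value
            on the card changed outside an audited transaction.
    Rule 2: a sequence number reported twice means two physical cards share one identity.
    Gaps alone are NOT flagged: offline terminals upload late and fill them in.
    """
    by_card = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        by_card[row["card"]].append(
            (int(row["seq"]), int(row["amount"]), int(row["balance_after"]), row["terminal"]))
    flags = defaultdict(list)
    for card, rows in by_card.items():
        rows.sort()   # by the card's own counter, regardless of upload order
        for (pseq, _, pbal, _), (seq, amt, bal, term) in zip(rows, rows[1:]):
            if seq == pseq:
                flags[card].append(f"seq {seq} reported twice (possible clone), last at {term}")
            elif seq == pseq + 1 and bal != pbal + amt:
                flags[card].append(f"balance discontinuity at seq {seq} from {term}: "
                                   f"expected {pbal + amt}, card reported {bal}")
    return dict(flags)


def build_hotlist(flags: Dict[str, List[str]]) -> Set[str]:
    """The set pushed out to every terminal; membership is checked on each tap."""
    return set(flags)


def gate_accept(hotlist: Set[str], card: str) -> bool:
    """Terminal-side check, before any balance logic runs."""
    return card not in hotlist


if __name__ == "__main__":
    found = reconcile(SAMPLE_LOG)
    for card, reasons in found.items():
        print(card, *reasons, sep="\n  ")
    hot = build_hotlist(found)
    print("gate accepts 1122334455667788:", gate_accept(hot, "1122334455667788"))
```

Note what this does and doesn't catch: the tampered balance is visible only because the card's later, honest transactions continue the chain from the wrong number, so the damage done between the tamper and the next upload is real, and the hotlist is about limiting it rather than preventing it. That is also why the size of the hotlist and its eviction policy matter in practice.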

Future ideas

After researching FeliCa for a while, I've come up with some future ideas where I can take my thoughts.

I want to build out the software for a miniature version of a train station network. The entire software stack, from the gate-level (embedded microcontroller programming), to the station controller (maybe explore something to do with a CAN bus to connect multiple gates to a single station), all the way up to a control plane which tracks journeys across stations, and provides an audit log of transactions. Obviously this would never be something intended to be used in a real transit system, but it sounds like a fun hobby project 😁

Apart from that, maybe research why exactly FeliCa is so much faster than its competition for NFC communication. The carrier is the same 13.56 MHz as type A and B, so I suspect most of it is protocol design (fewer round trips per transaction, no online authorisation) rather than physics - but is there room to improve further and get sub-100 ms taps? This is nowhere close to my area of expertise, but if someone with relevant knowledge in this field could share their insight or write their own post, I'm sure that would be an interesting read!

I'm happy with what I've learned about FeliCa. I am not at all an expert in NFC, mobile payment systems, cryptography, or cyber security, but I've at least been able to get a glimpse into this unusual world. I wonder if I'll be able to ever apply this knowledge anywhere.

tech japan security