XPress ID: Customizable RFID Wristbands
When I was rushing Alpha Kappa Psi, a co-ed professional business fraternity, during my freshman year, I joined the "entrepreneurial" track where we would come up with a startup idea and pitch it. At Hopkins, to get into any building and many rooms, we have to use our J-Cards which have RFID tags built into them. We simply tap our J-Cards onto any RFID reader and the doors/turnstile will open.
While we were sitting in the library near the entrance, we noticed that so many people keep their J-Cards in their wallets or backpacks. Many girls, especially, don't have pockets so they have to keep their J-Cards in their bags. So whenever they want to get into any building, like the library, they have to do an awkward thing where they get up to the turnstile, stop in front of it, and then search through their bag to grab their J-Card, swipe it, and then hurriedly put their J-Card back into their bags.
This sounds like a minor inconvenience, but since we have to get into many buildings everyday, the number of times we have to do this awkward shuffle adds up.
We wanted to come up with a solution that's comfortable, faster at verifying identification, and complements people's aesthetic.
After visiting Disney Land, I realized that this park had come up with a great ID solution that can be applied to schools and offices.
When you visit any Disney Theme Park, they hand you a Disney "MagicBand" which hold your identification and money on them. To get into the park, hotel room, some rides, and to pay for food you just bring your MagicBand up to the glowing Mickey Mouse sign. Easy as that. This seemed like a great solution for colleges so that students don't have to reach into their bags or pockets every time they wanted to get into a building. Instead, they can keep these wristbands on their wrists at all times and just move their band to the reader to get into the building or pay for their meals.
Further, this would decrease loss and theft of J-Cards. A surprising number of students lose their J-Cards. It seems like daily I could browse the Hopkins Lost and Found page and see someone looking for their lost J-Card or someone who found someone else's J-Card. If their ID came in a a wristband form factor instead, I think people would lose it a lot less often.
Although we could have just bought existing RFID wristbands, I wanted them to be customizable to add some flair. The wristbands I designed are above. If you own a Fitbit Alta, you might notice that those wristbands are actually the same exact ones you can use with a Fitbit Alta. The wristband portions are interchangeable as well as the "faceplates" of the bands so that people can choose the design that they like.
We named these bands XPress IDs because they express the ID verification process and they allow users to express themselves through customizable designs. Because these were for the Hopkins market, the designs I created are Hopkins-oriented.
Attempt at Reverse Engineering:
Of course, this would be very boring if it was just a design without the bands actually working with Hopkins' identification system. There were two ways I could go about getting this to work: hacking my existing J-Card and cloning it OR "social engineering" with the J-Card office.
I briefly looked into seeing if I could easily clone my existing J-Card. To do this, I downloaded an app to look at the technology behind the cards.
What was important to see was the IC Type. It's a Sony IC called FeliCa RC-S962 series. These cards are pretty secure because they have encryption keys that are dynamically generated every time the card is authenticated. Since these cards change their key every time it's swiped, it's very difficult to hack (and might not be legal).
I gave up on trying to clone these keys, but if you decide to do it, you can buy these FeliCa RC-S962 cards for $6.00 each.
You will also need the Sony FeliCa SDK for NFC which can be found here. Instead of trying to clone these keys via reverse engineering them, I decided to try social engineering. To my surprise, it was very easy to do this and here's a video of my wristband working with Hopkins's RFID readers:
Here's Our Pitch Deck - https://docs.google.com/presentation/d/1DU6zM34SM3i-dn66XBvTSO38imMQ7ns4ETR9VcO_chM/edit?usp=sharing
My friends and I used this pitch deck when we presented our project to the brothers of our business fraternity.
Apparently, we were right in believing that J-Cards were a huge first-world inconvenience for students and faculty alike. Two and a half years after this project, Hopkins announced that they are the fifth university in the world to adopt using the Apple Wallet app as an electronic form of identification and payments.
More about this here: https://hub.jhu.edu/2019/03/28/apple-wallet-homewood-campus-ids/
They even made a corny video about this: