When I was in London recently, I used my Oyster Card all the time. Very handy.
I read this story and pass it along to my new and old friends in London.
Oyster card hack details revealed
By Peter Price
The Oyster card is used on London’s travel network.
Details of how to hack one of the world’s most popular smartcards have been published online.
The research by Professor Bart Jacobs and colleagues at Radboud University in Holland reveals a weakness in the widely used Mifare Classic RFID chip.
This is used in building entry systems and is embedded in the Oyster card used on London’s transport network.
Publication of the research was delayed by legal action taken by the chip’s manufacturer.
Prof Jacobs and his team first identified the vulnerability in a research paper that was due to be published in March 2008.
However, the release of the article was delayed after chip manufacturer NXP attempted to secure a court injunction against its publication.
The paper was finally released on Monday at the European Symposium on Research in Computer Security (Esorics) 2008 security conference held in Malaga, Spain.
Sensitive data stored on the Mifare Classic chip is protected by a unique number that acts as a key. When the chip, or a card bearing it, is placed near a reader it transmits and receives information based on its key. The security of the system depends on the key remaining secret.
In March Prof Jacobs and his colleagues discovered a flaw in the chip’s design which makes those keys easy to calculate and copy.
"Once we knew how the system worked and what the vulnerabilities were, it turned out to be very simple to actually clone cards, steal someone’s identity and enter a building as someone else", he said.
The researchers travelled on the Tube using cloned cards
After making the discovery the researchers informed the Dutch government and the chip’s manufacturer, NXP.
When it knew about the research NXP moved to delay publication by seeking an injunction.
Steve Owen, vice president of sales and marketing – identification at NXP Semiconductors, told the BBC’s Click programme that it was motivated to take legal action to give its customers time to update their systems.
"We sought the injunction to cause a delay, not to completely stop the publication," he said.
Mr Owen recommends that the card alone should not be relied upon for secure access to buildings.
"We do not recommend the use of Mifare Classic for new installations," said Mr Owen. "We are working with customers to review their security."
The Mifare Classic is widely used on many public transport systems including the Oyster card in London. The researchers say their security flaw can be used to copy cards. They claim to have even been able to adjust the amount of credit stored on a pre-pay card.
Earlier this year members of Prof Jacobs’s team visited London to test their findings, travelling on the London Underground using a modified Oyster card.
Shashi Verma, director of fares and ticketing at Transport For London, told the BBC its system spotted the security breach.
"We knew about it before we were informed by the students," said Mr Verma
He stressed that the Mifare Classic chip in the Oyster card is only part of a larger system. "A number of forensic controls run within the back office systems which is something that customers and these students have no ability to touch."
"We will carry on making improvements to the security of the Oyster system."
Speaking in July, security expert Bruce Schneier said: "As bad as the damage is from publishing – and there probably will be some – the damage is much, much worse by not disclosing."
Mr Schneier said it was a "dangerous assumption" to think that the researchers were the only ones that knew about weaknesses with Mifare.
"Assume organised crime knows about this, assume they will be selling it anyway," he said.
Commenting on the publication of their research, Prof Jacobs told Click the information being disclosed was: "not a guidebook for attacks".
This report will be broadcast in this week’s edition of Click on Saturday 11 October at 1130 BST on the BBC News Channel. It will also air on BBC World – check here for transmission times.
Also check this from Engadget:
Oyster Card RFID hack gets detailed
The vulnerability of cards based on the Mifare Classic RFID chip (like the Oyster Card used for the London Underground) has been known for some time now but, unsurprisingly, some pesky legal business has prevented the complete details from being published. That has now finally been cleared up, however, and Professor Bart Jacobs and his colleagues from Radboud University have promptly published their complete paper online. What’s more, NXP Semiconductors, makers of the Mifare chip, are also now commenting on the matter, and saying that it never intended to completely stop publication of the research, but rather that it simply wanted to give customers time to update their systems. NXP’s Steve Owen also adds that the company now doesn’t "recommend the use of Mifare Classic for new installations," and that it’s "working with customers to review their security." Those looking to dig in can find the paper at the link below and, in case you missed it the first time around, there’s a video explaining the basics after the break.
[Via BBC Click]
Here is a video: