Londoners: Oyster Card’s chip can be hacked for info – interesting

When I was in London recently, I used my Oyster Card all the time.  Very handy.

I read this story and pass it along to my new and old friends in London.

Oyster card hack details revealed
By Peter Price
Click reporter

[Image: Oyster card on Tube map, Getty. Caption: The Oyster card is used on London’s travel network.]

Details of how to hack one of the world’s most popular smartcards have been published online.

The research by Professor Bart Jacobs and colleagues at Radboud University in Holland reveals a weakness in the widely used Mifare Classic RFID chip.

This is used in building entry systems and is embedded in the Oyster card used on London’s transport network.

Publication of the research was delayed by legal action taken by the chip’s manufacturer.

Paper chase

Prof Jacobs and his team first identified the vulnerability in a research paper that was due to be published in March 2008.

However, the release of the article was delayed after chip manufacturer NXP attempted to secure a court injunction against its publication.

The paper was finally released on Monday at the European Symposium on Research in Computer Security (Esorics) 2008 security conference held in Malaga, Spain.

Sensitive data stored on the Mifare Classic chip is protected by a unique number that acts as a key. When the chip, or a card bearing it, is placed near a reader it transmits and receives information based on its key. The security of the system depends on the key remaining secret.

In March Prof Jacobs and his colleagues discovered a flaw in the chip’s design which makes those keys easy to calculate and copy.

"Once we knew how the system worked and what the vulnerabilities were, it turned out to be very simple to actually clone cards, steal someone’s identity and enter a building as someone else", he said.

[Image: London Underground sign, BBC. Caption: The researchers travelled on the Tube using cloned cards.]

After making the discovery the researchers informed the Dutch government and the chip’s manufacturer, NXP.

When it knew about the research NXP moved to delay publication by seeking an injunction.

Steve Owen, vice president of sales and marketing – identification at NXP Semiconductors, told the BBC’s Click programme that it was motivated to take legal action to give its customers time to update their systems.

"We sought the injunction to cause a delay, not to completely stop the publication," he said.

Mr Owen recommends that the card alone should not be relied upon for secure access to buildings.

"We do not recommend the use of Mifare Classic for new installations," said Mr Owen. "We are working with customers to review their security."

Spot check

The Mifare Classic is widely used on many public transport systems including the Oyster card in London. The researchers say their security flaw can be used to copy cards. They claim to have even been able to adjust the amount of credit stored on a pre-pay card.

Earlier this year members of Prof Jacobs’s team visited London to test their findings, travelling on the London Underground using a modified Oyster card.

Shashi Verma, director of fares and ticketing at Transport For London, told the BBC its system spotted the security breach.

"We knew about it before we were informed by the students," said Mr Verma.

He stressed that the Mifare Classic chip in the Oyster card is only part of a larger system. "A number of forensic controls run within the back office systems which is something that customers and these students have no ability to touch."

"We will carry on making improvements to the security of the Oyster system."

Speaking in July, security expert Bruce Schneier said: "As bad as the damage is from publishing – and there probably will be some – the damage is much, much worse by not disclosing."

Mr Schneier said it was a "dangerous assumption" to think that the researchers were the only ones that knew about weaknesses with Mifare.

"Assume organised crime knows about this, assume they will be selling it anyway," he said.

Commenting on the publication of their research, Prof Jacobs told Click the information being disclosed was: "not a guidebook for attacks".

This report will be broadcast in this week’s edition of Click on Saturday 11 October at 1130 BST on the BBC News Channel. It will also air on BBC World – check here for transmission times.


Also check this from Engadget:

Oyster Card RFID hack gets detailed

The vulnerability of cards based on the Mifare Classic RFID chip (like the Oyster Card used for the London Underground) has been known for some time now but, unsurprisingly, some pesky legal business has prevented the complete details from being published. That has now finally been cleared up, however, and Professor Bart Jacobs and his colleagues from Radboud University have promptly published their complete paper online. What’s more, NXP Semiconductors, makers of the Mifare chip, are also now commenting on the matter, and saying that it never intended to completely stop publication of the research, but rather that it simply wanted to give customers time to update their systems. NXP’s Steve Owen also adds that the company now doesn’t "recommend the use of Mifare Classic for new installations," and that it’s "working with customers to review their security." Those looking to dig in can find the paper at the link below and, in case you missed it the first time around, there’s a video explaining the basics after the break.

[Via BBC Click]


About Fr. John Zuhlsdorf

Fr. Z is the guy who runs this blog. o{]:¬)


  1. josephus muris saliensis says:

    In respect of London Transport (I cannot speak for other security systems) it is not obligatory to register actual personal details, and the card can be registered in an alias name (like an on-line identity, for instance) so that you retain some protection of your funds in case you lose it, but the personal information contained cannot lead back to you.

    This of course must not be done by Catholics with fraudulent intent.

  2. I hear that the chips in US passports can be hacked as well.
    You can find videos of how to hack credit cards with RF chips in them just by buying a simple credit card Point of Sale decoder off of eBay.

    Putting all that info on chips is rather foolish in terms of privacy.

  3. Howard says:

    I hope they still can’t hack the alien implant in my sinus cavity! :-)

  4. bryan says:

    Any sufficiently advanced technology is indistinguishable from magic.

    As a practitioner of data/network/information security for, oh, 20 years, I can state with some certainty that, given enough time and incentive (and it always comes down to financial incentive) ANY technology is insecure, either by design or mistake. There’s just too many variables to consider and program against; the more complicated the system, the easier it is. That’s why I’ll never have to worry about finding work. There’s always something to fix in either the architecture, coding, or execution of processes that depend on information technology, storage, or transmission.

    Remember, nature always sides with the hidden flaw. No, I’m not a luddite. Just very cynical when I hear of the blandishments of authorities in stating that they’re taking all possible precautions to protect information. The constant stream of events that show up in both the MSM and trades prove otherwise.

  5. Mac McLernon says:

    I’ll echo Josephus’ comment – my oyster card is completely unregistered and I only load small amounts of cash when I need to travel.

    I made that decision when I decided that I didn’t want my every journey on public transport logged…

    Having said that, the UK (and particularly London) is so stuffed with CCTV that you’re pretty much under constant surveillance anyway!
