Absolute Gadget - 200810071752 | Oyster card hack details published | Automotive

Home

News

Automotive

Oyster card hack details published

Written by Rene Millman

Tuesday, 07 October 2008

Fears are mounting that criminals could soon be swamping the London Underground network with fake Oyster cards as an injunction by the company behind the smartcards failed to prevent publication of a security vulnerability in the chip at the core of the technology.

The problem lies in the encryption used in the Mifare RFID chip, which is found in over two billion RFID cards globally. It was found that it was fairly easy to work out the encryption using a special reader, a computer and around ten mintues to guess a key.

The document detailing the hack was released at the European Symposium on Research in Computer Security (Esorics) 2008 security conference held in Spain following a delay of seven months. The document's author, Professor Bart Jacobs of the Radboud University in Holland, said that the report was "not a guidebook for hackers."

NXP Semiconductors said in a statememt that "it regrets that the Radboud University Nijmegen has revealed just yet details of the protocol and the algorithm of MIFARE Classic as well as some practical attacks on MIFARE Classic infrastructures to a broad public".

The research paper that was due to be published in March 2008, but delayed after NXP Semiconductors attempted to mount a court injunction against its publication. This was after it was informed of the hack by the university researchers.

Transport for London said that it had known about the hack before the researchers told them and had been in the process of making improvements to the Oyster Card system anyway.

Shashi Verma, Director of Fares and Ticketing at Transport for London, told the BBC that the organisation was already aware of the problem, and simply copying the card would not be enough.

"We knew about it before we were informed by the students. A number of forensic controls run within the back office systems which is something that customers and these students have no ability to touch."

However security experts fear that criminals will have already subverted the system for free travel across London. However, a more robust system, dubbed Mifare Plus, uses the more secure Advanced Encryption Scheme (AES) which should be more effective against hackers.

UPDATE: TfL ANSWERS OYSTER CONCERNS

Related Oyster news

Parrot launches first NFC speaker system
O2 and London Transport announce O2 Wallet trial
Pay for your tube journey with your mobile phone
Gadget travel doubles its outlets
Gadget travel halts tube ticket sales

Tag it:

The Newsletter

For the latest gadget news and reviews straight to your inbox, subscribe now!

Top 10 Xbox NXE dashboard tips and tricks

With the NXe update creating a stir among Xbox addicts, we thought it was time to share our top 10 list of new things that can be done with the New Xbox Experience (NXE), with a bit of help from Major Nelson.

How to add NXE avatars to old Live Arcade games

With the release of the new Xbox 360 dashboard update (the so-called New Xbox Experience of NXE) comes the appearance of Mii-like avatars. While new titles should support them straight away, getting old titles to work with the new feature takes some effort. Here's a quick guide to getting the most out of these avatars.

Top 10 iPhone games

When the iPhone was finally opened up to third party developers who would have thought that this would lead to it looking like a rival to the Nintendo DS or Sony PSP. We look at the top 10 games you can download for the iPhone.

Comment: NY Wi-Fi

Forget Where’s Wally? (or Where’s Waldo? as they ask in the US and Canada). The question we’ve been asking since we touched down at JFK is where’s Wi-Fi..?