Oyster card

Fears are mounting that criminals could soon be swamping the London Underground network with fake Oyster cards
as an injunction by the company behind the smartcards failed to prevent
publication of a security vulnerability in the chip at the core of the
technology.

 


The problem lies in the encryption used in the
Mifare RFID chip, which is found in over two billion RFID cards
globally. It was found that it was fairly easy to work out the
encryption: all that was needed was a special reader, a computer and
around ten minutes to guess a key.

The document detailing the hack
was released at the European Symposium on Research in Computer Security
(Esorics) 2008 security conference held in Spain following a delay of
seven months. The document’s author, Professor Bart Jacobs of the
Radboud University in Holland, said that the report was "not a guidebook
for hackers."

NXP Semiconductors
said in a statement that "it regrets that the Radboud University
Nijmegen has revealed just yet details of the protocol and the
algorithm of MIFARE Classic as well as some practical attacks on MIFARE
Classic infrastructures to a broad public".

The research paper
was due to be published in March 2008, but was delayed after NXP
Semiconductors attempted to obtain a court injunction against its
publication. This was after it was informed of the hack by the
university researchers.

Transport for London said that it had
known about the hack before the researchers told them and had been in
the process of making improvements to the Oyster Card system anyway.

Shashi Verma, Director of Fares and Ticketing at Transport for London, told the BBC that the organisation was already aware of the problem, and simply copying the card would not be enough.

"We
knew about it before we were informed by the students. A number of
forensic controls run within the back office systems which is something
that customers and these students have no ability to touch."

However, security experts fear that criminals will have already
subverted the system for free travel across London. A more
robust system, dubbed Mifare Plus, uses the more secure Advanced
Encryption Standard (AES), which should be more effective against hackers.
