Dutch scientists have finally published a research paper outlining security flaws found in the Mifare chips used in Transport for London's Oyster smart cards.
In March professor Bart Jacobs and colleagues from Radboud University said they had discovered a serious security flaw in NXP's Mifare Classic chips, which are used in contactless transit systems around the world.
The discovered flaw relates to an encryption algorithm. The researchers said there is a "relatively easy" method to retrieve cryptographic keys, which does not rely on expensive equipment.
The researchers informed the Dutch government and manufacturer NXP of their findings and sent the article detailing the findings to NXP in June so the firm could ask for legal opinion.
However, in July NXP sought an injunction against Jacobs and Radboud University to prevent publication of the article on how to hack the chip.
But the judge ruled in the university's favour, paving the way for the paper to be published yesterday at the European Symposium on Research in Computer Security (Esorics) 2008 security conference in Malaga, Spain.
In June the researchers used a commercial laptop to reverse the algorithmic code of the chip. They then cloned a swipe card and accessed a Dutch public building before moving on to London, where they carried out the same process with an Oyster card, travelled on the Underground for the day and then restored the card's balance. The team is also thought to have managed to carry out a denial-of-service attack on a Tube gate.
Boston's Charlie card system also employs the Mifare chip. Earlier this year Massachusetts Institute of Technology (MIT) students Zack Anderson, Russell Ryan and Alessandro Chiesa were prevented from discussing security vulnerabilities found in the Charlie system when the Massachusetts Bay Transit Authority (MBTA) secured an emergency injunction against them.
The MBTA lawsuit claimed that the disclosure of the information would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares.
However, in August US District Judge George O'Toole lifted the order and rejected a request by the MBTA to impose a five-month injunction on the students.
But although the order was lifted, the MBTA's lawsuit against the students continues.