Oyster card hack will be revealed

News by Joy Persaud

Details of how Oyster cards used on London Underground and buses were cloned will be made public.

Details of how Oyster cards used on London Underground and buses were cloned will be made public.

Dutch researchers, who had been prevented from revealing their findings through the imposition of an injunction by manufacturer NXP, are delighted that the decision, imposed last month,  has been overruled.

NXP's Mifare smartcards are widely used as Oyster travelcards on London's transport system, as well as to control access to buildings including schools and government offices.

Professor Bart Jacobs, whose team based at Radboud University, Nijmegen, found weaknesses in the chip, plans to publish findings in October. He will explain how they managed to clone an Oyster card and ride the Tube free for a day after reverse engineering the algorithm. They also accessed Government buildings in Holland.

A court in Arnhem, citing local freedom of expression laws, overturned the injunction won by NXP. The ruling said: “Damage to NXP is not the result of the publication of the article, but of the production and sale of a chip that appears to have shortcomings.”

Radboud University responded: “… in a democratic society it is of great importance that the results of scientific research can be published.”

In the meantime, Transport for London assured customers that it was confident in its security, maintaining that a fraudulent card would be identified within 24 hours of it being used before being blocked. But SC Magazine learned last month that a London-based academic had cracked the Mifare cipher and could clone a card in just 12 seconds, raising concerns that if it is that easy, re-cloning daily might be worth the effort for cybercriminals.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event 

Webcast: Understanding this year's biggest adversaries - and how to combat them 

Nation-state activity, versatile, slippery strategies and Big Game Hunting - the threats are real, dangerous and ever changing. 
Brought to you in partnership with Crowdstrike