Dutch academics hack Oyster card

News by Richard Thurston

Security lecturers from a leading Netherlands university travelled to London last week to crack the Oyster smart card, clone it and get a free day's travel, while they pursue an open source alternative

Dutch academics have compromised the security of London's Oyster card, cloning it and travelling for free on the city's transport system.

The academics, from Radboud University in Nijmegen, have just won funding to develop an open source alternative to Oyster.

Bart Jacobs and Wouter Teepe, head of the digital security group at the university, are to receive 150,000 euros from NLNet, a Dutch foundation which funds open source projects focused on online information exchange.

Oyster cards are based on the Mifare chip, which is manufactured by Philips spin-off NXP Semiconductors. Mifare was released 12 years ago before processors of that size could handle strong encryption. Around ten million Mifare smartcards are sold in Britain each year. Apart from their use in travelcards, the smartcards are used to control access to buildings, including those used by the Cabinet Office.

NXP said it took the threat to smartcards very seriously. "We are aware that the Dutch researchers have reverse engineered the algorithm and we are taking this issue very seriously. We've informed all of our system integrators and advised them to closely assess their systems. We're talking to the guys at Radboud University and have identified various counter measures," a spokesperson for the chipmaker told The Times.

NLNet said it expects the open source smartcard, which the Radboud academics will develop over the next two years - to be more secure and offer a better safeguard for customers' personal information.

"By putting the development in an open context and embed privacy in the design phase - and not as an afterthought - we hope to lay the foundations for a next-generation smart card ... that works and really is worth the full confidence of consumers, said Michiel Leeners, strategy director for NLNet.

Transport for London (TfL) tried to instil confidence in the Oyster system following the compromise, which took place last week. A spokesperson said: "Security is the key aspect of the Oyster system and Londoners can have confidence in the security of their Oyster card and personal data."

TfL said it ran daily tests for cloned and fraudulent cards, so any found would only work for a maximum of 24 hours, it argued. It stressed that cloning was illegal, and that it would consider prosecuting individuals who copied Oyster cards.

Alongside cloning the Oyster card, the academics also used their trip to London to prove that they could carry out a denial of service attack by jamming shut Oyster -operated ticket gates. They plan to publish their research in October.

A London-based academic last week claimed he had broken the Mifare cipher, which prevents Oyster cards from being cloned.

Nicolas Courtois, senior lecturer and cryptologist at University College London, told SC Magazine the attack was "shockingly fast" and that he could carry it out in 12 seconds.

The Oyster hack in a nutshell

1 - Attackers scan the card reading unit, collecting the cryptographic key;
2 - The hacker passes in close proximity to an Oyster user, sniffing the information on their card;
3- Details of the key and the sniffed card are transferred to the hacker's PC, which uses specially designed software to reproduce the information onto blank cards;
4- The hacker is now free to travel on the cloned card.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews