Oyster card hack will be revealed
Dutch researchers, who had been prevented from revealing their findings through the imposition of an injunction by manufacturer NXP, are delighted that the decision, imposed last month, has been overruled.
NXP's Mifare smartcards are widely used as Oyster travelcards on London's transport system, as well as to control access to buildings including schools and government offices.
Professor Bart Jacobs, whose team based at Radboud University, Nijmegen, found weaknesses in the chip, plans to publish findings in October. He will explain how they managed to clone an Oyster card and ride the Tube free for a day after reverse engineering the algorithm. They also accessed Government buildings in Holland.
A court in Arnhem, citing local freedom of expression laws, overturned the injunction won by NXP. The ruling said: “Damage to NXP is not the result of the publication of the article, but of the production and sale of a chip that appears to have shortcomings.”
Radboud University responded: “… in a democratic society it is of great importance that the results of scientific research can be published.”
In the meantime, Transport for London assured customers that it was confident in its security, maintaining that a fraudulent card would be identified within 24 hours of it being used before being blocked. But SC Magazine learned last month that a London-based academic had cracked the Mifare cipher and could clone a card in just 12 seconds, raising concerns that if it is that easy, re-cloning daily might be worth the effort for cybercriminals.