Concerns in London after Mifare hack
Mifare technology is used for 17 million Oyster cards for travel in London. Around 80% of all Underground and bus payments in London are now by Oyster card.
The only equipment needed was a laptop and an RFID reader; Bart Jacobs, professor of computer security at the university and one of the team who did the work, said it takes "a few seconds" to crack any Oyster card's encryption. "We need to eavesdrop on the communication between a card and a card reader. From that communication we can deduce secret cryptographic keys that are used to protect the contents of the card. Once we have the keys we 'own' the card and can manipulate it as we like." Dr Bart Jacobs' team then traveled to London, where they used the same technique to ride free on the Underground for a day. Alongside cloning the Oyster card, the academics also used their trip to London to prove that they could carry out a denial of service attack by jamming shut Oyster-operated ticket gates. They plan to publish their research in October.
The attack scenario is described in SC Magazine:
- Attackers scan the card reading unit, collecting the cryptographic key;
- The hacker passes in close proximity to an Oyster user, sniffing the information on their card;
- Details of the key and the sniffed card are transferred to the hacker's PC, which uses specially designed software to reproduce the information onto blank cards;
- The hacker is now free to travel on the cloned card.
Adam Laurie, a freelance security consultant, said: "The cryptography is simply not fit for purpose. It's very vulnerable and we can expect the bad guys to hack into it soon if they haven't already."
Transport for London (TfL) issued the following statement: "Londoners can have total confidence in the security of their Oyster cards. We run daily tests for cloned or fraudulent cards and any found would be stopped within 24 hours of being discovered. Therefore the most anyone could gain from a rogue card is one day's travel. Security is the key aspect of the Oyster system and Londoners can have confidence in the security of their Oyster cards. Using a fraudulent card for free travel is subject to prosecution."
TranSys, the consortium responsible for delivering Oyster on behalf of TfL also issued a statement: "Oyster has been designed with security at the forefront of its functionality. It has robust security, which operates at different points within the system. This ensures that should one security measure be breached, another will protect Oyster cards and the system as a whole. No personal information is stored on an Oyster card and specific information relating to the individual card holder (name, address, telephone etc) is stored on a central database and kept separate from journey data."
After learning of the breach in April, the Dutch government, which was using Mifare for physical access control, posted armed guards around outside all of its buildings and it now plans to spend millions of euros upgrading its systems. A spokesperson for the Dutch Interior Ministry said: "We take this threat extremely seriously. It's a national security issue".