I have written before about security weaknesses in pin-and-tumbler mechanical locks. I suggested that electronic token based systems have a greater capacity to be secure, since they do not rely upon mechanical parts that can be manipulated.
Of course, poorly designed electronic systems can also be breached easily. That was demonstrated in September, in relation to the KeeLoq system used for keyless entry in many cars. Now, another brand (Mifare) of RFID tags have been reverse engineered and found wanting. As is usually the case on matters of physical security, I saw this story first on blackbag.
Apparently, these are the kind of RFID tags used by the Oyster cards on the London Underground.
Expect people to start selling cloned or otherwise fradulent cards pretty soon…
Oyster card
The Oyster card is a contactless smartcard, with a claimed proximity range of about 8 cm (3 inches). The scheme is operated by TranSys, and is based on Philips’ MIFARE Standard 1k chips provided by G&D and SchlumbergerSema.
So does that mean I will be able to ride the tube for free soon? Wow if this is the case tons of hackers are now working on cracking the mifare algorithim!! I mean it is done is china and taiwan right? so why not in london!! guess it is time for the migration back to cash :))
letsee,
A lot depends on how the Oyster system is designed. It may be that the MIFARE cards are flawed but the system remains secure, or mostly secure.
No doubt, people are already investigating it.
Dutch RFID Transit Card Hacked
By schneier
The Dutch RFID public transit card, which has already cost the government $2B — no, that’s not a typo — has been hacked even before it has been deployed.
Mifare now fully broken
This concerns all (access control)cards containing the so called ‘mifare classic-chip.’
We guess around two million access control cards are in use in the Netherlands, worldwide we assume two billion.
London Tube Smartcard Cracked
Looks like lousy cryptography.
Details here. When will people learn not to invent their own crypto?
Note that this is the same card — maybe a different version — that was used in the Dutch transit system, and was hacked back in January. There’s another hack of that system (press release here, and a video demo), and many companies — and government agencies — are scrambling in the wake of all these revelations.
Oyster card hack to be published
In Technology
A Dutch judge rules that details of how to copy Oyster cards can be published.
Hacked Oyster Card System Crashes Again
By kdawson on no-pearls-in-sight
Barence sends along PcPro coverage of the second crash of London’s Oyster card billing system in two weeks. Transport for London was forced to open the gates and allow free travel for all. “There is currently a technical problem with Oyster readers at London Underground stations which is affecting Oyster pay as you go cards only,” explains the TfL website. This follows the first crash two weeks ago, which left 65,000 Oyster cards permanently corrupted. Speculation is increasing that the crashes may be related to the hacking of the Oyster card system by Dutch researchers from Radboud University, though TfL denies any link. Plans to publish details of the hack were briefly halted when the makers of the chip used in the system sued the group, although a judge ruled earlier this week that the researchers could go ahead. During the court action, details briefly leaked on website Wikileaks.
Credit-card companies killed Mythbusters segment on RFID vulnerabilities
By Cory Doctorow on Gadgets
Check out the first two minutes of this clip of Mythbusters’ Adam Savage telling the folks at the HOPE hackercon about how the Discovery Channel was bullied by big credit-card companies out of airing a program about how crappy the security in RFID tags is. Arphid Watch: Mythbusters and RFID
The long-running security battle has seesawed against RFID cards, as German researchers revealed a way to clone one type of card currently used for a variety of purposes, from transit fares to opening doors in NASA facilities.” According to the article, “NXP Semiconductors, which owns Mifare, put out an alert to customers warning that the security had been cracked on its MIFARE DESFire (MF3ICD40) smartcard but saying that model would be discontinued by the end of the year and encouraging customers to upgrade to the EV1 version of the card.” This response may sound familiar.