Oyster card ‘free travel’ hack to be released
By Asavin Wattanajantra
Details of an Oyster card hack, which enabled a group of scientists to ride free on the London Underground, can be released to the public, a judge has ruled.
The verdict overturns an injunction sought by Oyster makers NXP to keep the weaknesses in the ‘MIFARE Classic’ chip quiet. The researchers are reportedly planning to publish the results in October.
The hack involved researchers from Radboud University using a laptop and an RFID reader to crack the algorithm used by Oyster cards, enabling users to put credit back on a card and therefore travel for free.
PC Pro had previously reported that the vulnerability in question would not work for long because the data was stored both on the Oyster card and in a central database. Transport for London claimed that tests were run to look for clones and that these were stopped within 24 hours.
However, as these tests were done only periodically, a hacker would still be able to get 24 hours of free travel with a compromised card.
The hack could compromise more than just the Oyster card, as the MIFARE smartcard is used to access thousands of British schools and other keyless systems around the world.
NXP said that the decision meant that affected parties such as system integrators and operators using MIFARE chips would likely want to review their systems, but that October was not long enough to deal with the problem properly.
It said in a statement: “Different installations have different security requirements, however it is not conceivable that they all will have their security upgraded to the necessary level in a period of months until this paper is published; these upgrades will take up to a number of years.”
However, security expert Bruce Schneier told the BBC that the damage caused by publishing was much less than that caused by not disclosing, and said it was a dangerous assumption that criminals were not already aware of the hack.
He said: “Assume organised crime knows about this, assume they will be selling it anyway.”