Oyster card ‘free travel’ hack to be released

Research behind a hack of the Oyster card is to be released, with serious implications for cards using the same MIFARE chip around the world

Details of an Oyster card hack, which enabled a group of scientists to ride free on the London Underground, can be released to the public, a judge has ruled.

The verdict overturns an injunction made by Oyster makers NXP to keep the weaknesses behind the MIFARE Classic chip quiet. The researchers are reportedly planning to publish the results in October.

The hack involved researchers from Radboud University using a laptop and RFID reader to crack the algorithm used by the Oyster cards, enabling users to put credit back on them and therefore get free access.

PC Pro had previously reported that the vulnerability in question would not work for long because the data was stored both on the Oyster card and in a central database. Transport for London claimed that tests were done to look for clones, which were stopped within 24 hours.

However, as these tests were done only periodically, a hacker would still be able to receive 24 hours' free travel with a compromised card.

The hack could compromise more than just the Oyster card, as the MIFARE smartcard is used to access thousands of British schools and other keyless systems around the world.

NXP said that the decision meant that affected parties such as system integrators and operators using MIFARE chips would likely want to review their systems, but that publication in October did not leave long enough to deal with the problem properly.

It said in a statement: "Different installations have different security requirements, however it is not conceivable that they all will have their security upgraded to the necessary level in a period of months until this paper is published; these upgrades will take up to a number of years."

However, security expert Bruce Schneier told the BBC that the damage caused by publishing was much less than that caused by not disclosing, and said it was a dangerous assumption that criminals were not already aware of the hack.

He said: "Assume organised crime knows about this, assume they will be selling it anyway."
