Fears for Oyster security as researchers claim crack

Dutch researchers claim to have cracked the Oyster card and performed a denial-of-service against a Tube entry gate

Questions have been raised about the security of chips in Oyster cards after Dutch researchers claimed to have successfully cracked and cloned cards, and travelled on London Underground for free.

According to Dutch publication Webwereld, researchers from Radboud University cracked the Mifare RFID chip, from NXP, used in the Oyster card, travelled on the Tube and then restored the balance on the card. The researchers also claimed to have launched a successful denial-of-service attack against Tube entry gates, causing them to jam closed.

Radboud researcher Wouter Teepe presented evidence to the Dutch parliament on Wednesday, in which he outlined the research. Teepe declined to comment to ZDNet.co.uk on Wednesday, directing us to a Radboud University spokesperson. The spokesperson also declined to comment, saying only that Transport for London (TfL) had been informed and that the university was preparing a scientific paper on the subject, due in October.

TfL said it runs daily tests for cloned cards and that anyone caught using such a card could be prosecuted.

"We run daily tests for cloned or fraudulent cards and any found would be stopped within 24 hours of being discovered," wrote a TfL spokesperson in an email to ZDNet.co.uk. "Therefore, the most anyone could gain from a rogue card is one day's travel. Security is the key aspect of the Oyster system and Londoners can have confidence in the security of their Oyster cards. Using a fraudulent card for free travel is subject to prosecution."

TfL insisted that Oyster cards have "robust security" that operates "at different points in the system", and claimed that personal information could not be compromised through a Mifare card hack.

"Should one security measure be breached, another will protect Oyster cards and the system as a whole," wrote the spokesperson. "No personal information is stored on an Oyster card and specific information relating to the individual card holder (name, address, telephone, etc) is stored on a central database and kept separate from journey data."

Security experts called for TfL to upgrade the Mifare chips in April, after a series of Mifare cracks were publicised. "My understanding is there are now three [Mifare] cracks at least," Adam Laurie, an RFID and communications protocol security researcher and consultant, said in a keynote speech on RFID flaws at the Infosec 2008 conference. Speaking to ZDNet.co.uk after his speech, Laurie said he thought TfL, the body that runs the Oyster-card scheme, "ought to think about upgrading as soon as possible".

Laurie said the Dutch government had been right to announce it was replacing the Mifare-based cards. "I applaud the Dutch government for jumping straight on it," he said. "It would be better if TfL just got on with it. It's a bit of an arms race; once you know it can be done, that's enough of an impetus to say: 'We will get on and do it.'"

TfL said on Monday that it was not considering reviewing its use of Mifare technology in Oyster cards.