Details of vulnerabilities in the chipset used in London's Oyster travel smartcard have been released by Dutch researchers, who have said the smartcard's security was "fundamentally broken".
The details were made public at the
Esorics security conference in Malaga on Monday. An academic paper
with details of the cryptographic vulnerabilities was also
published on the Radboud University Nijmegen website.
Bart Jacobs, the professor of computer security at Radboud
University who led the research team, said the security of the Mifare Classic chipset, used in Oyster
cards and in the Dutch OV-Chipkaart travelcards, was completely
"The chip is fundamentally broken," said Jacobs. "The only
thing you can do is strengthen it with additional security measures
and improve overnight checks. People involved should migrate to
different chips, unless their assets are only of low value."
In their paper, the researchers claim to demonstrate that the
proprietary Crypto1 encryption algorithm used on Mifare Classic
smartcards allows the 48-bit cryptographic key to be "easily
retrieved". The paper gives mathematical details of the algorithm,
as well as information about the cryptographic architecture of the
According to the Radboud University website, the researchers
intercepted a "trace" of the communication between a smartcard
and a Mifare reader, computed the cryptographic key, and decrypted
it. Once the key was decrypted, the card could be copied and
cloned, as the researchers demonstrated on the London Underground
Jacobs said that the security of the cards had been
further undermined by the publication of the doctoral thesis of
Henryk Plötz, a German researcher who publicised Mifare
vulnerabilities with fellow researcher Karsten Nohl in December
2007. Plötz's thesis, which was published on Monday, contains
attack code in an appendix that Jacobs said could be used to crack
Mifare Classic cards.
"This goes to a different level," said Jacobs. "We
deliberately tried to stay away from the hacker community. We do
not publish attack code."
In the wake of his team's publication of the hack details,
Jacobs said, the implication for Oyster card administrators at
Transport for London (TfL) was that public confidence in the
travelcards could be undermined, and that criminals could feasibly
clone a new card every day.
"The great danger for [TfL] is how easy it is to clone cards,"
said Jacobs. "If you can clone a new one every day, it becomes a
[paying] proposition. And suppose I clone your card. Transport for
London will see that and block the card number, but that will block
the clone and the original. That is where the risk is. At some
stage people will lose confidence in the card."
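The risk Jacobs describes, and the back-end response TfL relies on (spotting a card number in two places at once and blocking it, with overnight checks), can be shown as a small detection routine. The code below is an added illustration, not code from the researchers, TfL or NXP; the station names, journey times and the tap log are all constructed for the example, and the plausibility rule (two taps on one card number too close together for a single physical card to have made the journey) is an assumption about how such a check might work.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Tap:
    """One gate event as a ticketing back end would log it: card number, station, time."""
    card_id: str
    station: str
    at: datetime


# Hypothetical minimum plausible journey times between station pairs, in minutes.
# Constructed for this example; a real operator would derive them from its own network.
MIN_JOURNEY_MINUTES = {
    frozenset({"Kings Cross", "Brixton"}): 25,
    frozenset({"Kings Cross", "Stratford"}): 20,
    frozenset({"Brixton", "Stratford"}): 40,
}


def min_journey(a: str, b: str) -> timedelta:
    """Fastest plausible time to travel from station a to station b."""
    if a == b:
        return timedelta(0)  # re-tapping at the same gate can be legitimate
    return timedelta(minutes=MIN_JOURNEY_MINUTES.get(frozenset({a, b}), 10))


def find_clone_suspects(taps):
    """Group taps by card number and flag consecutive taps that are too close in
    time for one physical card to have made the journey: the signature of an
    original and a clone being used in parallel."""
    by_card = defaultdict(list)
    for tap in taps:
        by_card[tap.card_id].append(tap)
    suspects = {}
    for card_id, events in by_card.items():
        events.sort(key=lambda t: t.at)
        for prev, cur in zip(events, events[1:]):
            if cur.at - prev.at < min_journey(prev.station, cur.station):
                suspects.setdefault(card_id, []).append((prev, cur))
    return suspects


def overnight_blocklist(taps):
    """Card numbers to block after the nightly run. Blocking is per card number,
    so, as Jacobs notes, the legitimate original is blocked along with its clone."""
    return sorted(find_clone_suspects(taps))


def _t(hhmm: str) -> datetime:
    return datetime(2008, 10, 6, int(hhmm[:2]), int(hhmm[2:]))


# Constructed sample log for one day (not real data).
SAMPLE_TAPS = [
    Tap("CARD-A", "Kings Cross", _t("0800")),
    Tap("CARD-A", "Brixton", _t("0805")),      # 5 min for a 25-min journey: impossible
    Tap("CARD-A", "Stratford", _t("0900")),    # 55 min, plausible
    Tap("CARD-B", "Kings Cross", _t("0800")),
    Tap("CARD-B", "Stratford", _t("0830")),    # plausible
    Tap("CARD-C", "Brixton", _t("0700")),
    Tap("CARD-C", "Brixton", _t("0701")),      # same-gate re-tap, allowed
]

if __name__ == "__main__":
    for card, pairs in find_clone_suspects(SAMPLE_TAPS).items():
        for prev, cur in pairs:
            print(f"{card}: {prev.station} {prev.at:%H:%M} -> {cur.station} {cur.at:%H:%M}")
    print("block:", overnight_blocklist(SAMPLE_TAPS))
```

On the sample log only CARD-A is flagged, and it is the whole card number that goes on the blocklist, which is exactly the trade-off the quote above points at: the check catches parallel use of a clone, but it cannot tell the original from the copy.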
However, TfL said that, while the Mifare Classic
chipset itself had been compromised, additional safeguards had been
put in place after consultation with an academic team from the
Royal Holloway information security group.
"The Mifare Classic chip is just one of a number of safeguards
in place around the Oyster card system, and Transport for London
continues to review security around the system," said a TfL
spokesperson. "As part of this we've been working with an
independent academic team to appraise any risks, and have put in
place a number of additional safeguards on the system."
The spokesperson said TfL had no plans to migrate to another
"It's not unusual for IT systems to come under attack," said
the spokesperson. "At this time we do not believe there's a need
to change the Mifare system. We do not expect this type of
ticketing fraud to become a widespread problem but we will continue
to closely monitor the situation."
The spokesperson said that a fraudster could hope to gain only a
maximum of £15 per day by continually cloning cards, adding that
such criminals would be taking a large risk. "Producing a
fraudulent card remains complex and risky, and manipulating the
card is of limited value," added the spokesperson. "It needs a
qualified computer specialist to set up, and risks detection by our
staff or police."
Semiconductor company NXP, which manufactures the Mifare Classic
chips, claimed that publication of the details had gone
against the principles of responsible disclosure.
"NXP Semiconductors regrets that the Radboud University
Nijmegen has revealed details of the protocol and the algorithm of
Mifare Classic, as well as some practical attacks on Mifare Classic
infrastructures," said an NXP spokesperson. "A broad publication
of detailed information to carry out attacks with limited means is,
at this moment in time, contradictory to the scientific goal of
prevention and the responsible disclosure of sensitive
However, Jacobs said the researchers had disclosed their
findings to NXP in March, and were only now publishing the details
to the wider public in October. Jacobs added that, because of the
fresh publication of those findings, organisations using Mifare
Classic could now make a solid analysis of security risks to their
NXP, which had sought an injunction from a Dutch court to halt
publication of the paper, said it had advised customers to urgently
review the security of their systems.
"NXP will continue working closely with its Mifare Classic
customers and partners and advises them to urgently take
appropriate security measures to protect their systems," said the