Oyster security "fundamentally broken"

Details of vulnerabilities in the chipset used in London's Oyster travel smartcard have been released by Dutch researchers, who have said the smartcard's security was "fundamentally broken".
Written by Tom Espiner, Contributor

The details were made public at the Esorics security conference in Malaga on Monday. An academic paper with details of the cryptographic vulnerabilities was also published on the Radboud University Nijmegen website.

Bart Jacobs, the professor of computer security at Radboud University who led the research team, said the security of the Mifare Classic chipset, used in Oyster cards and in the Dutch OV-Chipkaart travelcards, was completely ineffectual.

"The chip is fundamentally broken," said Jacobs. "The only thing you can do is strengthen it with additional security measures and improve overnight checks. People involved should migrate to different chips, unless their assets are only of low value."

In their paper, the researchers claim to demonstrate that the proprietary Crypto1 encryption algorithm used on Mifare Classic smartcards allows the 48-bit cryptographic key to be "easily retrieved". The paper gives mathematical details of the algorithm, as well as information about the cryptographic architecture of the cards.

According to the Radboud University website, the researchers intercepted a "trace" of the communication between a smartcard and a Mifare reader, computed the cryptographic key from it, and decrypted the trace. Once the key was recovered, the card could be copied and cloned, as the researchers demonstrated on the London Underground in April.

Jacobs said that the security of the cards had been further undermined by the publication of the doctoral thesis of Henryk Plotz, a German researcher who publicised Mifare vulnerabilities with fellow researcher Karsten Nohl in December 2007. Plotz's thesis, which was published on Monday, contains attack code in an appendix that Jacobs said could be used to crack Mifare Classic cards.

"This goes to a different level," said Jacobs. "We deliberately tried to stay away from the hacker community. We do not publish attack code."

In the wake of his team's publication of the hack details, Jacobs said, the implication for Oyster card administrators at Transport for London (TfL) was that public confidence in the travelcards could be undermined, and that criminals could feasibly clone a new card every day.

"The great danger for [TfL] is how easy it is to clone cards," said Jacobs. "If you can clone a new one every day, it becomes a [paying] proposition. And suppose I clone your card. Transport for London will see that and block the card number, but that will block the clone and the original. That is where the risk is. At some stage people will lose confidence in the card."
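The kind of back-end check Jacobs alludes to, and its side effect, as an added illustration that is not part of the original article and not TfL's system: a constructed tap log is scanned for a card number whose history is impossible for one physical card (an entry while already inside, or two stations tapped closer together than an assumed minimum travel time), and the resulting block applies to the card number, so clone and original are stopped together.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample tap log: (card_id, event, station, timestamp).
# "C100" behaves normally; "C200" shows two entry taps at different
# stations two minutes apart, which a single card cannot produce.
TAPS = [
    ("C100", "entry", "Kings Cross", "2008-10-06T08:00:00"),
    ("C100", "exit",  "Bank",        "2008-10-06T08:20:00"),
    ("C200", "entry", "Kings Cross", "2008-10-06T08:01:00"),
    ("C200", "entry", "Brixton",     "2008-10-06T08:03:00"),
    ("C200", "exit",  "Bank",        "2008-10-06T08:25:00"),
    ("C200", "exit",  "Victoria",    "2008-10-06T08:27:00"),
]

# Assumed minimum plausible time between taps at two different stations.
MIN_TRAVEL = timedelta(minutes=10)


def suspicious_cards(taps):
    """Return {card_id: [reasons]} for card numbers whose tap history is
    impossible for one physical card: an entry while already inside the
    system, or taps at two different stations closer than MIN_TRAVEL."""
    by_card = defaultdict(list)
    for card, event, station, ts in taps:
        by_card[card].append((datetime.fromisoformat(ts), event, station))
    flagged = {}
    for card, events in by_card.items():
        events.sort()  # chronological order per card number
        reasons, inside, prev = [], False, None
        for ts, event, station in events:
            if event == "entry" and inside:
                reasons.append(f"double entry at {station}")
            inside = event == "entry"
            if prev and prev[1] != station and ts - prev[0] < MIN_TRAVEL:
                reasons.append(f"{prev[1]} -> {station} in {ts - prev[0]}")
            prev = (ts, station)
        if reasons:
            flagged[card] = reasons
    return flagged


def blocklist(taps):
    """Card numbers to block. A clone carries the same number as the
    original, so blocking it stops both: the side effect Jacobs describes."""
    return sorted(suspicious_cards(taps))
```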

However, TfL said, while the Mifare Classic chipset itself had been compromised, additional safeguards had been put in place after consultation with an academic team from the Royal Holloway information security group.

"The Mifare Classic chip is just one of a number of safeguards in place around the Oyster card system, and Transport for London continues to review security around the system," said a TfL spokesperson. "As part of this we've been working with an independent academic team to appraise any risks, and have put in place a number of additional safeguards on the system."

The spokesperson said TfL had no plans to migrate to another chipset.

"It's not unusual for IT systems to come under attack," said the spokesperson. "At this time we do not believe there's a need to change the Mifare system. We do not expect this type of ticketing fraud to become a widespread problem but we will continue to closely monitor the situation."

The spokesperson said that a fraudster could hope to gain only a maximum of £15 per day by continually cloning cards, adding that such criminals would be taking a large risk. "Producing a fraudulent card remains complex and risky, and manipulating the card is of limited value," added the spokesperson. "It needs a qualified computer specialist to set up, and risks detection by our staff or police."

Semiconductor company NXP, which manufactures the Mifare Classic chips, claimed that publication of the details had gone against the principles of responsible disclosure.

"NXP Semiconductors regrets that the Radboud University Nijmegen has revealed details of the protocol and the algorithm of Mifare Classic, as well as some practical attacks on Mifare Classic infrastructures," said an NXP spokesperson. "A broad publication of detailed information to carry out attacks with limited means is, at this moment in time, contradictory to the scientific goal of prevention and the responsible disclosure of sensitive information."

However, Jacobs said the researchers had disclosed their findings to NXP in March, and were only now publishing the details to the wider public in October. Jacobs added that, because of the fresh publication of those findings, organisations using Mifare Classic could now make a solid analysis of security risks to their systems.

NXP, which had sought an injunction from a Dutch court to halt publication of the paper, said it had advised customers to urgently review the security of their systems.

"NXP will continue working closely with its Mifare Classic customers and partners and advises them to urgently take appropriate security measures to protect their systems," said the spokesperson.
