March 07, 2008

Questions raised about Oyster card security

Its RFID chip is cracked by researchers

By Network World and Computerworld UK staff

Smartcards with encrypted RFID chips, including London’s Oyster fare card, might not be as secure as previously thought.

New research at the University of Virginia is causing a major stir in Boston, because it raises question over the smart "CharlieCards" used by commuters on the city’s 'T' metro system.

However, London's Oyster card uses similar RFID technology – the Mifare Classic made by Philips spinoff NXP Semiconductors.

Work by University of Virginia graduate student Karsen Nohl and colleagues raises the spectre that thieves with just US$1,000 (£500) worth of equipment might be able to cracking smartcard encryption. They could then make fake cards to do everything from swipe fares to gain access to high-security areas.

More that a billion Mifare Classic chips have been sold around the world. Security experts have long known that such chips, which generally cost less than a dollar, were crackable, but didn't realise it could be so economically feasible.

Nohl and his team were able to listen to data broadcast by the chips using readily available RFID readers. They then dissected the layers of the chip via custom optical-recognition software to deduce the algorithm and encryption keys.

NXP has countered that only a portion of the cryptographic algorithm has been obtained by the researchers. However, the researchers have not disclosed their method fully, in an effort to keep those with bad intentions from copying them.

A video of the researchers' presentation called "Mifare: Little Security, Despite Obscurity," is available on Nohl's website.

There, Nohl humorously reassures that he and his colleagues have not found a way to crack credit-card security. "Please note that we have not compromised the security of credit cards, as some of the articles suggest,” he writes.

"From what we can see, RFID-enabled credit cards have no security (yet?), and hence there is nothing to compromise."

Transport for London told Computerworld UK that Oyster has additional security systems in place. A spokesperson said: "The security of the Oyster system has never been breached and Londoners can have total confidence in the security of their Oyster cards.

"We run daily tests for clone cards or rogue devices and none have been discovered. All Oyster information is fully encrypted and we have adopted extra security measures on top of that available on the source chips.”

Newsletters

Your daily injection of CW news and expert analysis: we’ll bring the news to you.