Transport for London’s Oyster Card could be at risk after the release of code used in RFID-based access systems.
The code implements an attack on the CRYPTO1-algorithm used in the widely used Mifare Classic chip. It was released as part of a project dubbed Crapto1 and is totally based on the information in a paper by scientists from the Dutch Radboud University.
The project was started by a programmer that identifies himself as Bla. He claimed to be studying RFID and figured that implementing the algorithm looked like fun. "And the stats in the different publications were pretty amazing. I wanted to see it in action," he said in an interview with ComputerWorld UK’s sister paperm, Webwereld.
According to his account he never planned to publish the source code, but decided to do so when someone suggested it. His basic idea is to spread knowledge and not cause harm. "My code is meant for educational purposes. I'm not encouraging anybody to break any laws," he said.
The knowledge in itself isn't new and researchers have demonstrated how to enter buildings by cloning cards, without releasing any further details or software.
However, the code is the long-anticipated missing link between reading the Mifare Classic chips and actually using them to the full extent. Combined with readily available hardware, users have all the tools to execute a successful attack. There are RFID readers available online for less than $150, such as the Proxmark III or the OpenPCD, for which the accompanying software is available as open source.