Oyster card hack can be published

Not that we need much in the way of Oyster card hacks when the London Underground seem to be doing a good enough job of letting us have free Tube travel themselves. However, it looks like a Dutch hack can be shared - not for illegalities (no way) but the Dutch reckon hacking should be shared to get the powers that be to tighten up the system. A court in the Netherlands also agrees.


In March 2008 security weaknesses in the Oyster card were discovered by Professor Bart Jacobs and others from Radboud University, Nijmegen.

The BBC give a good summary: "The weaknesses centre on the chip, called the Mifare Classic, that sits at the heart of the contactless card system. As well as being used on 17 million Oyster cards, the Mifare chip is used by about 1bn smartcards worldwide, and is the basis of the Dutch Rijkspas card.

Many organisations, including governments, use Mifare technology as a secure entry system for buildings. Given the many millions of cards in use Prof Jacobs held off publishing details about how the information on the chips can be copied and used. It told the Dutch government and NXP about its work to give them time to harden systems against the attack.

Despite this, NXP sought an injunction to ensure the details of the attack would never be aired. The case went to court in Holland and now the court in Arnhem has overturned the injunction citing local freedom of expression laws." Thanks to Dav for first alerting me to this.

So that's all well and good, but what do Transport for London feel about the freedom to share how to hack the Oyster card? A spokesperson said:

"Transport for London remains confident in the security of the Oyster card system. We take fraud and the security of personal data extremely seriously and constantly review our security procedures."

"Any fraudulent card would be identified within 24 hours of being used and blocked. Using a fraudulent card for free travel is subject to prosecution and we would seek to enforce this wherever possible."

We'll see what happens in October when the research will be published by Professor Bart Jacobs (love that he's called Bart - it's just what you'd imagine Bart Simpson would do if he grew up to be an academic) & his mates.


I still prefer the much more playful Oyster card meltdown involving a jar of beetroot, some nail varnish remover & a few hours to create your own Oyster magic wand.

London Underground; Tube Posted by annie mole Tuesday, July 29, 2008 Permalink COMMENT HERE
Tweet http://london-underground.blogspot.com/2008/07/oyster-card-hack-can-be-published.html