Oyster hacked by open-source tool
By Matthew Sparkes
Posted on 29 Oct 2008 at 14:29
A new open-source tool called Crapto1 could allow hackers free travel on the London Underground, by decrypting communication data between RFID chips and readers.
The Oyster card system is based around the Mifare chip which uses an encryption algorithm called Crypto1. An attack against this algorithm was recently detailed in an academic paper from the University of Radboud in Holland, and it is this attack which Crapto1 implements.
"I'm not aware of any other public implementations at this time, I decided to write my own. This code implements the cryptography needed, to decrypt captured communications between crypto1 based tags and readers. And even recover the shared secret," says the project homepage on Google Code.
As well as powering the London Underground's ticket system, MIFARE is also used in a similar way on the Dutch public transport system, and in numerous office secure-entry systems.
The project, created by a programmer going by the pseudonym blapost, is currently hosted on Google Code, where it can be freely downloaded. The software allows the access code of a Mifare chip to be decoded within two seconds on a standard PC, opening the door for manipulation of data stored on the card, such as the remaining balance on an Oyster card.
This would allow hackers to gain free access to systems such as that used on the London Underground, as the researchers from Radboud University did earlier this year.
"There is no evidence of the widespread cloning of Oyster cards, the system has not been hacked and there is no risk to card holders' personal data as none is stored on the card," exmplains a Transport for London (TfL) spokesperson. "Recent problems with the Oyster system are completely unrelated to this and have nothing to do with hacking."
TfL has since terminated its contract with TranSys, the company that helped to develop the Oyster card system, although it denies that security is an issue, instead citing potential cost savings.
From around the web
advertisement
- Laptop bag reviews: nine tested
- Sony VAIO T Series Ultrabook review: first look
- Revealed: the military standards and robots HP uses to test its laptops
- Windows 8: multi-monitors and double standards?
- Why is TalkTalk's year-old porn filter suddenly big news?
- Why are laptop screens so far behind mobiles?
- HP EliteBook Folio review: first look
- The shoebox-sized all-in-one printer
- Forget the Ultrabook: here comes the HP Sleekbook
- HP Spectre XT review: first look
- Why you have to be left in the dark on OS patches
- Is Microsoft mismanaging Windows on ARM?
- Dealing with spam surrogates
- Why 3G broadband can be better and cheaper than ADSL
- Is Twitter bad for business?
- Publishing your email address isn't a security disaster
- Why you'll need a fax machine to develop iOS apps
- Learning to adapt to the mobile web
- Why you shouldn't use WPS on your Wi-Fi network
- Disabled users suffer when software breaks the rules
advertisement
