Oyster hacked by open-source tool
By Matthew Sparkes
Posted on 29 Oct 2008 at 14:29
A new open-source tool called Crapto1 could allow hackers free travel on the London Underground, by decrypting communication data between RFID chips and readers.
The Oyster card system is based around the Mifare chip which uses an encryption algorithm called Crypto1. An attack against this algorithm was recently detailed in an academic paper from the University of Radboud in Holland, and it is this attack which Crapto1 implements.
"I'm not aware of any other public implementations at this time, I decided to write my own. This code implements the cryptography needed, to decrypt captured communications between crypto1 based tags and readers. And even recover the shared secret," says the project homepage on Google Code.
As well as powering the London Underground's ticket system, MIFARE is also used in a similar way on the Dutch public transport system, and in numerous office secure-entry systems.
The project, created by a programmer going by the pseudonym blapost, is currently hosted on Google Code, where it can be freely downloaded. The software allows the access code of a Mifare chip to be decoded within two seconds on a standard PC, opening the door for manipulation of data stored on the card, such as the remaining balance on an Oyster card.
This would allow hackers to gain free access to systems such as that used on the London Underground, as the researchers from Radboud University did earlier this year.
"There is no evidence of the widespread cloning of Oyster cards, the system has not been hacked and there is no risk to card holders' personal data as none is stored on the card," exmplains a Transport for London (TfL) spokesperson. "Recent problems with the Oyster system are completely unrelated to this and have nothing to do with hacking."
TfL has since terminated its contract with TranSys, the company that helped to develop the Oyster card system, although it denies that security is an issue, instead citing potential cost savings.
From around the web
advertisement
- Chrome's shine getting lost in translation
- BytePac: the cardboard hard disk enclosure
- How tech loosens our grip on reality
- Hokum watch: Safer Internet Day
- Why I'm deleting Adobe from my PC
- Prepare to be patronised: it's Safer Internet Day
- Dear Sony, Samsung and every other tech company in the world: stop trying to be Apple
- Will Apple's Final Cut Pro X update placate the pros?
- Smartr Contacts for iPhone review
- Switching to Office 365's Outlook Web App
- Why virtualisation hasn't slowed the growth of data
- How to make Google AdWords work for your business
- The curse of sloppily written software
- Paying for your crimes with Bitcoin
- Behind the scenes: tech support for Formula 1
- The security risk of fat fingers
- Why Windows Phone 7 isn't quite ready for business
- When will Microsoft stop fiddling with Windows 8?
- Flash down the pan?
- Metro Style apps vs desktop applications
advertisement
Printed from www.pcpro.co.uk