Printed from www.pcpro.co.uk
Oyster hacked by open-source tool
Posted on 29 Oct 2008 at 14:29
A new open-source tool called Crapto1 could allow hackers free travel on the London Underground, by decrypting communication data between RFID chips and readers.
The Oyster card system is based around the Mifare chip which uses an encryption algorithm called Crypto1. An attack against this algorithm was recently detailed in an academic paper from the University of Radboud in Holland, and it is this attack which Crapto1 implements.
"I'm not aware of any other public implementations at this time, I decided to write my own. This code implements the cryptography needed, to decrypt captured communications between crypto1 based tags and readers. And even recover the shared secret," says the project homepage on Google Code.
As well as powering the London Underground's ticket system, MIFARE is also used in a similar way on the Dutch public transport system, and in numerous office secure-entry systems.
The project, created by a programmer going by the pseudonym blapost, is currently hosted on Google Code, where it can be freely downloaded. The software allows the access code of a Mifare chip to be decoded within two seconds on a standard PC, opening the door for manipulation of data stored on the card, such as the remaining balance on an Oyster card.
This would allow hackers to gain free access to systems such as that used on the London Underground, as the researchers from Radboud University did earlier this year.
"There is no evidence of the widespread cloning of Oyster cards, the system has not been hacked and there is no risk to card holders' personal data as none is stored on the card," exmplains a Transport for London (TfL) spokesperson. "Recent problems with the Oyster system are completely unrelated to this and have nothing to do with hacking."
TfL has since terminated its contract with TranSys, the company that helped to develop the Oyster card system, although it denies that security is an issue, instead citing potential cost savings.
Author: Matthew Sparkes
advertisement
- Motorola pays Lucas for its Droid
- Where are the killer apps for Windows?
- Will you hit the Orange iPhone "unlimited" cap?
- USB 3 first benchmark - it's here, and it's fast
- Why Windows 7 has forced me to worry about security
- How Dixons is (under)selling Windows 7
- Do I like Windows 7 because it's so like a Mac?
- No Windows 7 drivers turn Dell M1330 into a doorstop
- Is Windows 7 good looking enough to sway an Apple fan?
- Typekit brings print-like typography to the web
- The bulletproof Dell that costs an arm and a leg
- Microsoft Office 2010 Technical Preview: Q&A
- Lawnmowers, the TyTN II and one odd insurance request
- There'll never be a bulletproof OS
- How far can we trust apps?
- Five nice touches in Outlook 2010
- Building a better Google
- Beware HP's horrendous printer-driver glitch
- Microsoft debuts free Morro antivirus package
- Getting started with Search Server 2008 Express
advertisement
