24 January 2008
Oyster Security Vulnerability?
Rob Fisher

A Samizdata commenter linked to a story about a security vulnerability in Mifare Classic RFID cards. According to the Wikipedia article for Mifare, which cites an article on what looks like an independent website called Mifare.net, Oyster cards are of this type, but there are variants of Mifare card, so Oyster cards could be different.

The press release from the University of Virginia has the important details about the vulnerability, and an article by the CEO of a smart card consultancy company goes into even more detail. What it boils down to is that only a 48-bit key is used to encrypt the data stored on the card, so with the right equipment and know-how it is possible to quickly try all the keys and find the one that unlocks a given card. Then it will be possible to read and write the data. How useful this is depends on what is stored on the card.

If the prepay balance is stored, it would be simple to modify the balance.  But there may be other safeguards in place.  Certainly it should be possible for TfL to spot discrepancies between journeys made and balance deposited to a card.  But would-be hackers might be more sophisticated, so if Oyster cards do rely on Mifare Classic encryption the situation has changed from mathematical certainty that Oyster is secure to a battle of wits between TfL and computer hackers.

On the other hand, the effort required may outweigh the benefits of fare dodging.  Things could be much worse if Oyster cards had evolved into general purpose micropayment cards.  That idea was dropped last year.
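The back-office check suggested above, spotting discrepancies between journeys made and balance deposited, could look like the following. This is an added example, not TfL's system or anything from the linked articles; the record layout, and the idea that each reader reports the balance the card held after the transaction, are assumptions made for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Event(NamedTuple):            # hypothetical back-office record
    card_id: str
    kind: str                       # "topup" or "fare"
    amount: int                     # pence, always positive
    reported_balance: int           # pence on the card after the event

class Discrepancy(NamedTuple):
    card_id: str
    seq: int                        # position of the event in the feed
    expected: int                   # balance the ledger can account for
    reported: int                   # balance the card claimed

def reconcile(events):
    """Replay events in order and flag balances the ledger cannot explain."""
    ledger = defaultdict(int)       # back-office view; unseen cards start at 0
    alerts = []
    for seq, ev in enumerate(events):
        if ev.kind == "topup":
            delta = ev.amount
        elif ev.kind == "fare":
            delta = -ev.amount
        else:
            raise ValueError(f"unknown event kind: {ev.kind!r}")
        expected = ledger[ev.card_id] + delta
        if ev.reported_balance != expected:
            alerts.append(Discrepancy(ev.card_id, seq, expected, ev.reported_balance))
        # Resync to the card's value so one change raises one alert, not a cascade.
        ledger[ev.card_id] = ev.reported_balance
    return alerts

# Constructed sample feed (pence). Card B's stored value changes between
# its second and third events without any matching deposit.
SAMPLE = [
    Event("A", "topup", 1000, 1000),
    Event("B", "topup", 500, 500),
    Event("A", "fare", 150, 850),
    Event("B", "fare", 150, 350),
    Event("A", "fare", 200, 650),
    Event("B", "fare", 150, 5200),  # ledger expects 200
    Event("B", "fare", 150, 5050),  # consistent with the changed value
]

if __name__ == "__main__":
    for d in reconcile(SAMPLE):
        print(f"card {d.card_id} event {d.seq}: ledger {d.expected}p, card {d.reported}p")
```

A check like this only works if the back office holds its own record of deposits and fares; it does not depend on the strength of the encryption on the card.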
