Group Demonstrates Security Hole in Oyster Card

Drawing on his training in computer hardware design, Nohl painstakingly looked at the shapes that made up the details of the circuit and deduced the algorithm (a mathematical formula involving many steps) created by the long series of hundreds of "logic gates."

Knowing the algorithm defined the relatively narrow range of possible keys that would unlock the encryption, allowing Nohl to find the right key in a matter of hours by trying all the possible keys until he found the right one. Having done that once or twice, he could pre-compute the possible keys and break the encryption on other examples of the MiFare chip in a matter of minutes.

Nohl and colleague Henryk Plötz presented their research in December at the Chaos Communication Congress in Berlin, a major annual meeting of the international hacker scene. Their presentation demonstrated that "with very little resources and starting from scratch, this can be done," Nohl noted.

(NXP Semiconductors declined requests to comment.)

The Nohl team's revelations come at an interesting time. The Netherlands are currently in the midst of rolling out a new $3 billion national transit fare system that relies on the MiFare Classic chip to store fares to ride the subways and buses.

In the wake of the Nohl group's research, the Dutch media reported extensively on the vulnerability of the system's smart card, that stores fares and can even be linked, on request, to a customer's bank account in order to automatically reload the fare balance when it drops under a certain threshold.