Cloned Oyster Cards To Follow After Hack Security Details Are Published

An injunction by NXP Semiconductors failed to prevent the publication on Monday of a report by Professor Bart Jacobs of the Radboud University in Holland about a security vulnerability of the widely used Mifare Classic RFID chip, which is at the core of London Underground's Oyster Card.

The root of the problem lies in the proprietary encryption used by Mifare, which is present in 2 billion RFID cards worldwide and was found to be particularly easy to guess using an RFID reader and a desktop computer.

The complete document, which Professor Jacobs said was not a guidebook for attacks, was released at the European Symposium on Research in Computer Security (Esorics) 2008 security conference held in Spain after a delay of seven months.

In a statement, NXP Semiconductors said that "it regrets that the Radboud University Nijmegen has revealed just yet details of the protocol and the algorithm of MIFARE Classic as well as some practical attacks on MIFARE Classic infrastructures to a broad public".

The legal injunction sought by NXP Semiconductors allowed its customers to modify their systems accordingly and a spokesperson for Transport for London told the BBC that the organisation has introduced a number of measures to make sure that using cloned Oyster Cards is next to impossible.

Still, the fact that the flaw has been made public could mean that criminals now know where to look, and with the cost of transport soaring (Travelcards can cost more than £170 per month), fake tickets and Oyster Cards could unfortunately become more common.