
Cloned Oyster Cards To Follow After Hack Security Details Are Published

An injunction by NXP Semiconductors failed to prevent the publication on Monday of a report by Professor Bart Jacobs of the Radboud University in Holland about a security vulnerability of the widely used Mifare Classic RFID chip, which is at the core of London Underground's Oyster Card.

The root of the problem lies in the proprietary encryption used by Mifare, which is present in 2 billion RFID cards worldwide and was found to be particularly easy to guess using an RFID reader and a desktop computer.

The complete document, which Professor Jacobs said was not a guidebook for attacks, was released at the European Symposium on Research in Computer Security (Esorics) 2008 security conference held in Spain after a delay of seven months.

In a statement, NXP Semiconductors said that "it regrets that the Radboud University Nijmegen has revealed just yet details of the protocol and the algorithm of MIFARE Classic as well as some practical attacks on MIFARE Classic infrastructures to a broad public".

The legal injunction sought by NXP Semiconductors allowed its customers to modify their systems accordingly. A spokesperson for Transport for London told the BBC that the organisation has introduced a number of measures to make sure that using cloned Oyster Cards is next to impossible.

Still, the fact that the flaw has been made public could mean that criminals now know where to look, and with the cost of transport soaring (Travelcards can cost more than £170 per month), fake tickets and Oyster Cards could unfortunately become more common.

Désiré Athow

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.