Report: Oyster card crypto leak

Ted
I know data wants to be free, but trains don’t.

The answer is above your post. Security via litigation is only the illusion of security. In the case of electronic voting machines they are not secure but the companies sue to prevent their vulnerabilities being known. This has the effect that it allows an unknown person or persons to commit election fraud. Given past statements from Diebold that may be what was wanted in the first place.

As far as trains go I suppose having an insecure payment system might not be horrible. Only a few would be able to hack into it. The problem is that the system might be expanded to other uses. Which would also be insecure.

These electronic cards are like paper money in that they represent value but have no intrinsic value of their own. Governments don’t permit paper money to be “hacked” or counterfeited. Why permit a level of counterfeit cards that would be unacceptable in paper money?

I saw these guys present at CanSecWest (awesome hardware rev-engineering, the place erupted into applause when they finished) – but just to correct a bit if I can, they never once ripped on the engineers or the strength or quality of the crypto even though they discovered a weakness. They became interested in the hardware simply because of its age. It’s some old stuff, and they even said that the engineers who designed it way back when did a fine job, as back then detailed crypto knowledge was the sole domain of 3 lettered govt agencies. The only fault is that the parent company continued to sell it for years without evaluating whether or not its protections were still any good. These guys did it for them, bonus :)

NXP got wind of the publication, because a draft copy was sent to them by Radboud University as a courtesy.

The PDF in the various links in the other comments is most likely not the paper that is being disputed by NXP, as that PDF has been available for months (since March) at arxiv.org (it is an interesting read, though).

Security via litigation can have two outcomes; litigation after disclosure which is about as effective as a “morning after” pill for men, and litigation before disclosure which is prior restraint, and is generally repugnant and repressive.

I’m wondering how NXP got wind of the publication in the first place?

I’m sort of agreeing with Ted on this one. But, on the other hand, if we muzzle academic freedom because some idiots couldn’t implement strong crypto, aren’t we undermining an even more important public good?

Very strange that the “server has crashed” and that 6,500 people need new cards!!!

http://www.guardian.co.uk/uk/2008/jul/14/london.transport?gusrc=rss&feed=uknews

Could this be related??

if the public truly believes the government has all seeing, perfect surveillance, it makes it easy for the government to claim a target has transgressed and the clear proof exists without having to present it or even make a credible argument as to how this proof was got. The object of a surveillance society with no privacy is to create a population that does not even ask for evidence anymore.

Free money! er, credit chits.

Seriously, why haven’t people learned the lesson of implementing digital bearer settlement (e.g. DigiCash) by now? Strong cryptography FTW.

d’oh thanks adding

There appears to be nothing on the wikileaks site… all i see is:

Censored Milfaire Classic Oyster Card break paper 2008

There is currently no text in this page, you can search for this page title in other pages or edit this page.

Hrm…

The page from Wikileaks has been removed – which is a little odd. You can see the Google cache:

http://209.85.141.104/search?q=cache:sIvjxH8Z0wIJ:wikileaks.org/wiki/Censored_Milfaire_Classic_Oyster_Card_break_paper_2008+Censored+Milfaire+Classic+Oyster+Card+break+paper+2008&hl=en&ct=clnk&cd=1&gl=us&client=firefox-a

Also, cryptome.org has the paper:

http://cryptome.org/mifare-classic.pdf

It still works for me, but maybe I’m viewing the cached version.

Censored Milfaire Classic Oyster Card break paper 2008

File
* milfaire-classic-2008.pdf (click to view full file)
* milfaire-classic-2008.pdf (alternative address)

Analysis
Carefully assess this document and post your findings.

Summary
Chip company NXP Semiconductors is to sue Radboud University in an attempt to halt the publication of a paper detailing the cryptographic cracking of the Oyster smartcard, used widely on the London transport network.
The case is to be heard on Thursday in a court in Arnheim, NXP told ZDNet.co.uk on Tuesday. However, an NXP spokesperson declined to give any reasons at present for the company seeking to halt the publication.
Researchers from the Radboud University in Nijmegen last month claimed to have cracked the security on the Oyster card, which uses an NXP chipset called Mifare Classic. The research had led on from a cryptographic crack of Mifare Classic by German researchers Karsten Nohl and Henryk Plötz.
A spokesperson for Radboud University told ZDNet.co.uk that NXP wanted to stop publication of the paper due to “safety reasons”. However, the spokesperson said that the university intended to proceed with the publication of the research at the Esorics conference in Malaga in October. The court is expected to reach a decision next week. [1]
This is the paper concerned, which can also be found at http://cryptome.org

Context
Netherlands
University or research institution
Rabound University

Wikileaks release date
Friday July 11, 2008

Primary language
English

File size in bytes
476671

File type information
PDF document, version 1.4

Cryptographic identity
SHA256 5f72046e9377aef8bbdc90e4fc519e84c0b74fedf9316102bf21918680f105fe

Security via litigation… no that doesn’t seem like an effective tactic.

Worked for Premier Election Solutions (i.e. Diebold) …right?

Summary of this comment: This hack isn’t very interesting, and for the one thing that could go wrong, practical advice on how to immunize yourself against it.

As far as I understand it, this is how the Oyster system works:

Your card has a 10-digit code in it. This 10-digit code is your ‘username and password’ for your account on the central Oyster server. Travelling deducts credits from your account. Charging your oyster charges that account. The account balance is *NOT* on the Oyster card itself. The oyster card could have been a barcode for all that. Of course, if you can copy someone else’s 10 digits, then you can use up their credit. I actually checked this out with an Arduino card reader. You can get the 10 digits out, no problem.

Unfortunately you can’t just use any 10-digit mifare classic (like the Dutch OV card, also a 10-digit mifare classic – I actually checked this when I was in London), because when you buy an Oyster, the cashier swipes it and hits a special ‘activate’ button which makes a call to the central Oyster database that the charge machines won’t do. If you can convince the cashier to swipe your dutch OV card, or any other mifare classic, you can then use that as an oyster card. I actually like the idea of having one card that works across many different city/country transport nets, each country/city having its own balance.

Anyway, the only risk, then, is someone reading your 10-digit, copying it onto a blank card, and travelling on your dime. You CANT create a magic free travel pass. Protecting yourself is trivially easy: Just layer 2 mifare classics one on top of the other. I checked this – you cannot read either when you do this. For example, when I’m in London, I have to take my dutch OV card out of my wallet and store it elsewhere, OR take out the oyster to swipe it. Swiping my wallet, even swiping the Oyster and the OV together outside of the wallet, just doesn’t do it, and the arduino reader can’t make heads or tails of it either.

Also, mifare classics don’t have a very high yield antenna, so you’d have to get pretty close to people’s wallets with a reader even if they don’t use the two-cards-stacked-up trick.

So how important is this? Not that important if you ask me. Fail? Yes, Epic Fail? No – as far as I can tell you won’t see shady characters selling free unlimited Oyster cards, which is the biggest risk. Trying to steal other people’s 10-digit oyster numbers – well, if you’re going to get near people’s wallets, you might as well just lift the entire wallet, you’ll make a lot more money that way.

Now, if the card had its own account balance and that balance was authoritative, that would be a different story. But that’s not what’s going on here.

If there’s something I missed, by all means, correct me. Crypto is hard stuff to grok!