Report: Oyster card crypto leak

28 Responses to “Report: Oyster card crypto leak”

  1. noen says:

    Ted
    I know data wants to be free, but trains don’t.

    The answer is above your post. Security via litigation is only the illusion of security. In the case of electronic voting machines they are not secure but the companies sue to prevent their vulnerabilities being known. This has the effect that it allows an unknown person or persons to commit election fraud. Given past statements from Diebold that may be what was wanted in the first place.

    As far as trains go I suppose having an insecure payment system might not be horrible. Only a few would be able to hack into it. The problem is that the system might be expanded to other uses. Which would also be insecure.

    These electronic cards are like paper money in that they represent value but have no intrinsic value of their own. Governments don’t permit paper money to be “hacked” or counterfeited. Why permit a level of counterfeit cards that would be unacceptable in paper money?

  2. chux0r says:

    I saw these guys present at CanSecWest (awesome hardware rev-engineering, the place erupted into applause when they finished) – but just to correct a bit if I can, they never once ripped on the engineers or the strength or quality of the crypto even though they discovered a weakness. They became interested in the hardware simply because of its age. It’s some old stuff, and they even said that the engineers who designed it way back when did a fine job, as back then detailed crypto knowledge was the sole domain of three-lettered govt agencies. The only fault is that the parent company continued to sell it for years without evaluating whether or not its protections were still any good. These guys did it for them, bonus :)

  3. Anonymous says:

    Since I can’t see the demonstration video on the linked pages:
    http://www.youtube.com/watch?v=NW3RGbQTLhE

    As I see it they still require a working card held by a member of the paying public for their clone to work. And if the legit card user or some sort of auditing system notices that there are irregularities and notifies authorities, then the people who used the clone can be caught via surveillance over where the readers are, because the system would keep check of when the card was used regardless of the person who used it. -> New card issued with possible refund to legit person and police would be on the lookout for the people who used the cloned card, having some idea what they look like thanks to the surveillance footage.

  4. cypher423 says:

    NXP got wind of the publication, because a draft copy was sent to them by Radboud University as a courtesy.

    The PDF in the various links in the other comments is most likely not the paper that is being disputed by NXP, as that PDF has been available for months (since March) at arxiv.org (it is an interesting read, though).

  5. Thinkerer says:

    Security via litigation can have two outcomes; litigation after disclosure which is about as effective as a “morning after” pill for men, and litigation before disclosure which is prior restraint, and is generally repugnant and repressive.

    I’m wondering how NXP got wind of the publication in the first place?

  7. ted says:

    Is it just me who thinks that Oyster is a good system for encouraging people to leave the car at home and get on the tube, and that therefore leaking hacks which allow free riding might undermine a greater public good?

    I know data wants to be free, but trains don’t.

  8. spazzm says:

    I’m sort of agreeing with Ted on this one. But, on the other hand, if we muzzle academic freedom because some idiots couldn’t implement strong crypto, aren’t we undermining an even more important public good?

  9. reech says:

    @ted

    I’m not so sure that Oyster in itself is a ‘good system for encouraging people to leave the car at home and get on the tube’ – I think that would be a good public transport system – perhaps coupled with a *secure*, standards based payment system. Security by obscurity – and closed systems that aren’t subject to public scrutiny certainly undermines the public good.

  10. pique says:

    Very strange that the “server has crashed” and that 6,500 people need new cards!!!

    http://www.guardian.co.uk/uk/2008/jul/14/london.transport?gusrc=rss&feed=uknews

    Could this be related??

  11. asuffield says:

    So how important is this? Not that important if you ask me. Fail? Yes, Epic Fail? No – as far as I can tell you won’t see shady characters selling free unlimited Oyster cards, which is the biggest risk. Trying to steal other people’s 10-digit oyster numbers – well, if you’re going to get near people’s wallets, you might as well just lift the entire wallet, you’ll make a lot more money that way.

    Well, you could build a device to shove in your bag that simply lifts the ID number of the guy in front of you when he swipes his card on the turnstile (and then when it’s your turn, replay the number that you lifted yesterday). That’s basically the same thing.

    But there’s a more interesting application to all this. The Oyster system is one of the largest public transport surveillance systems in the UK – it generates a record of everybody’s movements, which can then be inspected by government snoops, employees of the operating company, their friends and relatives, and people who find laptops left on trains. This information could be used to anonymise the system again, by letting people swap their IDs (presumably you’d do this when your account balance was zero, and swap with a random stranger every week or two).

  12. Takuan says:

    if the public truly believes the government has all seeing, perfect surveillance, it makes it easy for the government to claim a target has transgressed and the clear proof exists without having to present it or even make a credible argument as to how this proof was got. The object of a surveillance society with no privacy is to create a population that does not even ask for evidence anymore.

  13. Keeper of the Lantern says:

    I wonder if this has anything to do with the fact that, much of Saturday, the entire Oyster Card system was down: Buses, tubes, none of them accepted the Oyster card or any other payment all day this last Saturday.

  14. zuzu says:

    Free money! er, credit chits.

    Seriously, why haven’t people learned the lesson of implementing digital bearer settlement (e.g. DigiCash) by now? Strong cryptography FTW.

  15. Xeni Jardin says:

    d’oh thanks adding

  16. zuzu says:

    Free money! er, credit chits.

    Oops, I was thinking of the Octopus card at first. Guess I’ll have to wait a little longer for my shopping spree in Hong Kong.

    Still, free subway transit is cool too.

  17. oxymoron69 says:

    There appears to be nothing on the wikileaks site… all I see is:

    Censored Milfaire Classic Oyster Card break paper 2008

    There is currently no text in this page, you can search for this page title in other pages or edit this page.

    Hrm…

  18. themindfantastic says:

    Strong Crypto is publicly reviewed crypto.

  19. univac99 says:

    Looks like the page has been removed. Use Google cache or the link to the file: http://tinyurl.com/56hccu

  20. zuzu says:

    It still works for me, but maybe I’m viewing the cached version.

    Censored Milfaire Classic Oyster Card break paper 2008

    File
    * milfaire-classic-2008.pdf (click to view full file)
    * milfaire-classic-2008.pdf (alternative address)

    Analysis
    Carefully assess this document and post your findings.

    Summary
    Chip company NXP Semiconductors is to sue Radboud University in an attempt to halt the publication of a paper detailing the cryptographic cracking of the Oyster smartcard, used widely on the London transport network.
    The case is to be heard on Thursday in a court in Arnhem, NXP told ZDNet.co.uk on Tuesday. However, an NXP spokesperson declined to give any reasons at present for the company seeking to halt the publication.
    Researchers from the Radboud University in Nijmegen last month claimed to have cracked the security on the Oyster card, which uses an NXP chipset called Mifare Classic. The research had led on from a cryptographic crack of Mifare Classic by German researchers Karsten Nohl and Henryk Plötz.
    A spokesperson for Radboud University told ZDNet.co.uk that NXP wanted to stop publication of the paper due to “safety reasons”. However, the spokesperson said that the university intended to proceed with the publication of the research at the Esorics conference in Malaga in October. The court is expected to reach a decision next week. [1]
    This is the paper concerned, which can also be found at http://cryptome.org

    Context
    Netherlands
    University or research institution
    Radboud University

    Wikileaks release date
    Friday July 11, 2008

    Primary language
    English

    File size in bytes
    476671

    File type information
    PDF document, version 1.4

    Cryptographic identity
    SHA256 5f72046e9377aef8bbdc90e4fc519e84c0b74fedf9316102bf21918680f105fe

  21. Xenu says:

    Security via litigation… no that doesn’t seem like an effective tactic.

  22. zuzu says:

    Security via litigation… no that doesn’t seem like an effective tactic.

    Worked for Premier Election Solutions (i.e. Diebold) …right?

  23. Anonymous says:

    It’s also in arXiv if it happens to be taken off any other sites http://arxiv.org/abs/0803.2285

  24. rzwitserloot says:

    Summary of this comment: This hack isn’t very interesting, and for the one thing that could go wrong, practical advice on how to immunize yourself against it.

    As far as I understand it, this is how the Oyster system works:

    Your card has a 10-digit code in it. This 10-digit code is your ‘username and password’ for your account on the central Oyster server. Travelling deducts credits from your account. Charging your oyster charges that account. The account balance is *NOT* on the Oyster card itself. The oyster card could have been a barcode for all that. Of course, if you can copy someone else’s 10 digits, then you can use up their credit. I actually checked this out with an Arduino card reader. You can get the 10 digits out, no problem.

    Unfortunately you can’t just use any 10-digit mifare classic (like the Dutch OV card, also a 10-digit mifare classic – I actually checked this when I was in London), because when you buy an Oyster, the cashier swipes it and hits a special ‘activate’ button which makes a call to the central Oyster database that the charge machines won’t do. If you can convince the cashier to swipe your dutch OV card, or any other mifare classic, you can then use that as an oyster card. I actually like the idea of having one card that works across many different city/country transport nets, each country/city having its own balance.

    Anyway, the only risk, then, is someone reading your 10-digit, copying it onto a blank card, and travelling on your dime. You CAN’T create a magic free travel pass. Protecting yourself is trivially easy: Just layer 2 mifare classics one on top of the other. I checked this – you cannot read either when you do this. For example, when I’m in London, I have to take my dutch OV card out of my wallet and store it elsewhere, OR take out the oyster to swipe it. Swiping my wallet, even swiping the Oyster and the OV together outside of the wallet, just doesn’t do it, and the arduino reader can’t make heads or tails of it either.

    Also, mifare classics don’t have a very high yield antenna, so you’d have to get pretty close to people’s wallets with a reader even if they don’t use the two-cards-stacked-up trick.

    So how important is this? Not that important if you ask me. Fail? Yes, Epic Fail? No – as far as I can tell you won’t see shady characters selling free unlimited Oyster cards, which is the biggest risk. Trying to steal other people’s 10-digit oyster numbers – well, if you’re going to get near people’s wallets, you might as well just lift the entire wallet, you’ll make a lot more money that way.

    Now, if the card had its own account balance and that balance was authoritative, that would be a different story. But that’s not what’s going on here.

    If there’s something I missed, by all means, correct me. Crypto is hard stuff to grok!
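The account model rzwitserloot describes in comment 24 (a public identifier read from the card acts as both username and password, with the balance held centrally) is the reason a copied identifier is enough to spend someone else's credit. The toy model below is an added example written for this thread, not code from the researchers, NXP or TfL, and it does not model the Mifare Classic cipher or the real Oyster protocol. It puts the identifier-only policy next to the usual fix, a challenge-response in which the server sends a fresh random nonce and the card answers with a MAC under a per-card secret the server also holds; the `Card`, `Server` classes, the HMAC-SHA256 choice and the 10-digit sample identifier are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

FARE = 2  # constructed fare, in whatever unit the account balance uses


class Card:
    """A card carries a public identifier and, in the hardened variant, a secret key."""

    def __init__(self, uid: str, key: Optional[bytes] = None):
        self.uid = uid
        self.key = key  # None models a copy that captured only the identifier

    def respond(self, challenge: bytes) -> bytes:
        """Answer a reader challenge; without the key no valid MAC can be produced."""
        if self.key is None:
            return b""
        return hmac.new(self.key, self.uid.encode() + challenge, hashlib.sha256).digest()


class Server:
    """Central account store: balances are authoritative here, not on the card."""

    def __init__(self):
        self.balances: Dict[str, int] = {}
        self.keys: Dict[str, bytes] = {}

    def enrol(self, uid: str, key: bytes, balance: int) -> None:
        """Register a card identifier with its secret key and starting balance."""
        self.balances[uid] = balance
        self.keys[uid] = key

    def _debit(self, uid: str, fare: int) -> bool:
        if self.balances.get(uid, 0) < fare:
            return False
        self.balances[uid] -= fare
        return True

    def tap_uid_only(self, card: Card, fare: int = FARE) -> bool:
        """Weak policy: the identifier alone is the credential, as the comment describes."""
        return self._debit(card.uid, fare)

    def tap_challenge_response(self, card: Card, fare: int = FARE) -> bool:
        """Hardened policy: a fresh random challenge must be answered under the card's key."""
        key = self.keys.get(card.uid)
        if key is None:
            return False
        challenge = secrets.token_bytes(16)  # never reused, so a recorded answer is useless
        expected = hmac.new(key, card.uid.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, card.respond(challenge)) and self._debit(card.uid, fare)


def run_scenario() -> Dict[str, object]:
    """A genuine card and an identifier-only copy tap in under both policies."""
    server = Server()
    key = secrets.token_bytes(16)
    genuine = Card("0123456789", key)  # constructed 10-digit identifier
    copy = Card("0123456789")          # same identifier, no key
    server.enrol(genuine.uid, key, balance=10)
    return {
        "uid_only_genuine": server.tap_uid_only(genuine),          # accepted
        "uid_only_copy": server.tap_uid_only(copy),                # also accepted: indistinguishable
        "balance_after_uid_only": server.balances[genuine.uid],    # 6: the copy spent the owner's credit
        "cr_genuine": server.tap_challenge_response(genuine),      # accepted
        "cr_copy": server.tap_challenge_response(copy),            # rejected: no key, no valid MAC
        "balance_after_cr": server.balances[genuine.uid],          # 4: only the genuine tap was charged
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The server-side check is what separates the two policies: with the identifier alone, nothing the server sees distinguishes the owner's card from a copy, which is why the detection route in comment 3 (spotting irregular journeys after the fact) is the only recourse. With a per-card secret and a random challenge, the copy is refused at the gate and the owner's balance is untouched, and because the challenge is fresh each time, replaying an earlier exchange does not help either.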

  25. Anonymous says:

    And does no-one see the Little Brother links yet?… C’mon, this is almost exactly what Cory predicted.

    Never trust anyone over the age of twenty-five…
