Oyster Card RFID hack gets detailed

by Donald Melanson, posted Oct 7th 2008 at 8:02PM

The vulnerability of cards based on the Mifare Classic RFID chip (like the Oyster Card used for the London Underground) has been known for some time now but, unsurprisingly, some pesky legal business has prevented the complete details from being published. That has now finally been cleared up, however, and Professor Bart Jacobs and his colleagues from Radboud University have promptly published their complete paper online. What's more, NXP Semiconductors, makers of the Mifare chip, are also now commenting on the matter, and saying that it never intended to completely stop publication of the research, but rather that it simply wanted to give customers time to update their systems. NXP's Steve Owen also adds that the company now doesn't "recommend the use of Mifare Classic for new installations," and that it's "working with customers to review their security." Those looking to dig in can find the paper at the link below and, in case you missed it the first time around, there's a video explaining the basics after the break.

[Via BBC Click]

Filed under: Wireless

Tags: mifare, mifare classic, MifareClassic, nxp, oyster, oyster card, OysterCard, rfid, rfid hack, RfidHack

Subscribe to these comments

Reader Comments (Page 1 of 1)

Neutral

419Eater @ Oct 8th 2008 5:41PM

And of course, all he'll require is a small investment up front....

Neutral

Engadgetier @ Oct 7th 2008 8:13PM

Yah, that old security guy didnt see the guy with the laptop in the beginning. Arent there a lot of these roaming around ebay?

Neutral

Michael B @ Oct 8th 2008 12:49AM

I always see old security guards roaming around ebay :P

Neutral

Vagrant @ Oct 7th 2008 8:14PM

Cue RFID theme music.
http://www.archive.org/download/That_Sound_You_Hear_When_You_Lose_On_The_Price_Is_Right/Price_Is_Right_loser_clip.wav

Neutral

Flashpoint @ Oct 7th 2008 8:25PM

I voted you +1 simply because I found it hilarious that I could read your URL and it actualy said "the sound you hear when you lose the price is right..."

Neutral

Lowest Ranked @ Oct 7th 2008 8:27PM

http://www.what_the_hell_is_up_with_the_url_id_naming_scheme_on_archive_dot_org.net/

Neutral

waiownsyou @ Oct 7th 2008 8:14PM

OMG h4x!!

I'm more worried about them stealing data from my MasterCard's "PayPass" rather than opening some corporate door.

Neutral

crazyjoezx @ Oct 7th 2008 8:16PM

this is why the passport RFIDs are so dangerous ...

Neutral

Housen @ Oct 7th 2008 8:22PM

If only i had one of those...

The things i would do...

Highly Ranked

Flashpoint @ Oct 7th 2008 8:26PM

get locked up indefinitely.

Neutral

MMaster23 @ Oct 7th 2008 8:24PM

The Dutch state delaying the introduction of the new Mifare-based transport cards which were supposed to go online beginning 2008 and later got delayed again till way after 2009.

The entire system is crap from the start. The basic principle is just poor design.

Neutral

Fusion Fuzo @ Oct 7th 2008 8:32PM

fugly

Neutral

linuxamp @ Oct 7th 2008 11:59PM

Anyone know if Suica/Pasmo is based on Mifare Classic? Probably better to keep a very low balance on this until I find out.

Neutral

Vagrant @ Oct 8th 2008 4:26AM

It is my understanding that Suica uses the FeliCa tech made by Sony and you need to get the card pretty close to the scanner. I'm able to leave my card in a leather business card holder, but the side it's on must touch the scanner. That casual pass in the video wouldn't work with Suica. (Of course things get pretty close on the trains)

It would suck if my card was hijacked and was on empty when I needed some onigiri and a beer from the local 7&I.

Anyways, forget the whole RFID thing, why the hell do they use a penguin as a mascot for Suica? You figure they'd just put some eyes and a mouth on a watermelon. Was someone already using a watermelon as a mascot?

Neutral

j.pickens @ Oct 8th 2008 1:01AM

I have a feeling it would be good to start a foil-lined card pouch company right about now.

Neutral

Charlie Calhoun @ Oct 8th 2008 4:47AM

I've had this wallet for about 2 years now..

http://www.thinkgeek.com/gadgets/security/8cdd/

Neutral

Charlie Calhoun @ Oct 8th 2008 4:46AM

I remember watching this like a year ago.

Neutral

Rebecca @ NXP @ Oct 14th 2008 1:53PM

I work at NXP, and wanted to clarify one thing in this post.

The quote from Steve Owen is taken out of context here, as he recommends that the card alone should not be relied upon for secure access to buildings, but did not say that NXP now doesn't "recommend the use of Mifare Classic for new installations.” The original quote in the BBC can be found here: http://news.bbc.co.uk/2/hi/programmes/click_online/7655292.stm

For more information, you can find our holding statement here: http://news.cnet.com/8301-1009_3-10059605-83.html?part=rss&subj=news&tag=2547-1_3-0-20. Thanks!

Add your comments

Your comments:

Remember me

E-Mail me when someone replies to this comment

Please keep your comments relevant to this blog entry. Email addresses are never displayed, but they are required to confirm your comments.

When you enter your name and email address, you'll be sent a link to confirm your comment, and a password. To leave another comment, just use that password.

To create a live link, simply type the URL (including http://) or email address and we will make it a live link for you. You can put up to 3 URLs in your comments. Line breaks and paragraphs are automatically converted — no need to use <p> or <br /> tags.