Oyster Card RFID hack gets detailed
By Donald Melanson 
posted Oct 7th 2008 8:02PM
posted Oct 7th 2008 8:02PM
The vulnerability of cards based on the Mifare Classic RFID chip (like the Oyster Card used for the London Underground) has been known for some time now but, unsurprisingly, some pesky legal business has prevented the complete details from being published. That has now finally been cleared up, however, and Professor Bart Jacobs and his colleagues from Radboud University have promptly published their complete paper online. What's more, NXP Semiconductors, makers of the Mifare chip, are also now commenting on the matter, and saying that it never intended to completely stop publication of the research, but rather that it simply wanted to give customers time to update their systems. NXP's Steve Owen also adds that the company now doesn't "recommend the use of Mifare Classic for new installations," and that it's "working with customers to review their security." Those looking to dig in can find the paper at the link below and, in case you missed it the first time around, there's a video explaining the basics after the break.
[Via BBC Click]
[Via BBC Click]
And of course, all he'll require is a small investment up front....
Yah, that old security guy didnt see the guy with the laptop in the beginning. Arent there a lot of these roaming around ebay?
I always see old security guards roaming around ebay :P
Cue RFID theme music.
http://www.archive.org/download/That_Sound_You_Hear_When_You_Lose_On_The_Price_Is_Right/Price_Is_Right_loser_clip.wav
I voted you +1 simply because I found it hilarious that I could read your URL and it actualy said "the sound you hear when you lose the price is right..."
http://www.what_the_hell_is_up_with_the_url_id_naming_scheme_on_archive_dot_org.net/
this is why the passport RFIDs are so dangerous ...
OMG h4x!!
I'm more worried about them stealing data from my MasterCard's "PayPass" rather than opening some corporate door.
If only i had one of those...
The things i would do...
get locked up indefinitely.
The Dutch state delaying the introduction of the new Mifare-based transport cards which were supposed to go online beginning 2008 and later got delayed again till way after 2009.
The entire system is crap from the start. The basic principle is just poor design.
fugly
Anyone know if Suica/Pasmo is based on Mifare Classic? Probably better to keep a very low balance on this until I find out.
It is my understanding that Suica uses the FeliCa tech made by Sony and you need to get the card pretty close to the scanner. I'm able to leave my card in a leather business card holder, but the side it's on must touch the scanner. That casual pass in the video wouldn't work with Suica. (Of course things get pretty close on the trains)
It would suck if my card was hijacked and was on empty when I needed some onigiri and a beer from the local 7&I.
Anyways, forget the whole RFID thing, why the hell do they use a penguin as a mascot for Suica? You figure they'd just put some eyes and a mouth on a watermelon. Was someone already using a watermelon as a mascot?
I have a feeling it would be good to start a foil-lined card pouch company right about now.
I've had this wallet for about 2 years now..
http://www.thinkgeek.com/gadgets/security/8cdd/
I remember watching this like a year ago.
I work at NXP, and wanted to clarify one thing in this post.
The quote from Steve Owen is taken out of context here, as he recommends that the card alone should not be relied upon for secure access to buildings, but did not say that NXP now doesn't "recommend the use of Mifare Classic for new installations.” The original quote in the BBC can be found here: http://news.bbc.co.uk/2/hi/programmes/click_online/7655292.stm
For more information, you can find our holding statement here: http://news.cnet.com/8301-1009_3-10059605-83.html?part=rss&subj=news&tag=2547-1_3-0-20. Thanks!