The recent court victory by Dutch academics, which allows them
to
publish how to crack the security used on London's Oyster travel
card, could create significant unanticipated cost to businesses
using the technology.
The Oyster card uses the same
MiFare Classic chip as do transport systems in Boston and the
Netherlands, as well as building access systems throughout Europe
and the US.
The team from Radboud University in the Netherlands were given
the go-ahead to publish by a Dutch judge who ruled that publishing
the article was covered by freedom of expression.
This has prompted fears of wide scaletravel card fraud and
people gaining unauthorised access to buildings. MiFare's makers,
Philips spin-off NXP,
tried to block publication, saying it would take months for users
to adapt systems.
Bart Jacobs, professor of computing security at Radboud
University, told Computer Weekly the aim of publication was to
enable people to make their own judgment on the seriousness of the
vulnerabilities of the smartcard technology.
In April, members of the Dutch team intercepted the
communication between an Oyster card and reader in London to crack
the cryptographic keys. This meant they could write information to
the card, enabling them to use it to travel free.
Risk analysis
Jacobs says his team of researchers has been warning
organisations that use MiFare to reconsider their risk analysis
since March. "Additional measures will have to be taken now that
the card is broken," he says.
Transport for London said it was
constantly reviewing security procedures and any fraudulent card
would be identified and blocked within 24 hours. "The MiFare
Classic chip is just one part of a number of security features of
the Oyster card system," a spokesman said.
Nic Mansfield, a security consultant to the
Organisation for Economic Co-operation and Development (OECD)
says the same is true for access cards, which are commonly backed
up by various checks and balances.
He says news of the Dutch research should have already prompted
a fresh risk analysis by users of MiFare, which could mean making
unplanned changes to systems and procedures.
This is bound to be costly for many of the organisations using
the MiFare technology, says Richard Brain, technical director at
security firm
Procheckup.
"It is debatable whether publishing the full research and
telling people how to hack MiFare cards is morally defensible,
because a lot of infrastructure will have to be changed or ripped
up," he says.
Publishing research
The research is to be published in October, but Brain says the
researchers should have instead worked with NXP and end users to
find a solution before going public.
Jacobs is critical of security suppliers who are secretive about
their systems and says customers should be skeptical of suppliers
who say: "Just trust us." He says secrecy is often used to conceal
failures.
Mansfield agrees, but says, "I can't accept that the only way
you can guarantee something is secure is by having an open debate
on the subject."
He says an independent expert assessment is usually acceptable
to suppliers and provides customers and their stakeholders the
assurance they need, but that risks should be reviewed continually
as technology evolves.