Oyster security breach could mean major headache for other MiFare users

The recent court victory by Dutch academics, which allows them to publish...

The recent court victory by Dutch academics, which allows them to publish how to crack the security used on London's Oyster travel card, could create significant unanticipated cost to businesses using the technology.

The Oyster card uses the same MiFare Classic chip as do transport systems in Boston and the Netherlands, as well as building access systems throughout Europe and the US.

The team from Radboud University in the Netherlands were given the go-ahead to publish by a Dutch judge who ruled that publishing the article was covered by freedom of expression.

This has prompted fears of wide scaletravel card fraud and people gaining unauthorised access to buildings. MiFare's makers, Philips spin-off NXP, tried to block publication, saying it would take months for users to adapt systems.

Bart Jacobs, professor of computing security at Radboud University, told Computer Weekly the aim of publication was to enable people to make their own judgment on the seriousness of the vulnerabilities of the smartcard technology.

In April, members of the Dutch team intercepted the communication between an Oyster card and reader in London to crack the cryptographic keys. This meant they could write information to the card, enabling them to use it to travel free.

Risk analysis

Jacobs says his team of researchers has been warning organisations that use MiFare to reconsider their risk analysis since March. "Additional measures will have to be taken now that the card is broken," he says.

Transport for London said it was constantly reviewing security procedures and any fraudulent card would be identified and blocked within 24 hours. "The MiFare Classic chip is just one part of a number of security features of the Oyster card system," a spokesman said.

Nic Mansfield, a security consultant to the Organisation for Economic Co-operation and Development (OECD) says the same is true for access cards, which are commonly backed up by various checks and balances.

He says news of the Dutch research should have already prompted a fresh risk analysis by users of MiFare, which could mean making unplanned changes to systems and procedures.

This is bound to be costly for many of the organisations using the MiFare technology, says Richard Brain, technical director at security firm Procheckup.

"It is debatable whether publishing the full research and telling people how to hack MiFare cards is morally defensible, because a lot of infrastructure will have to be changed or ripped up," he says.

Publishing research

The research is to be published in October, but Brain says the researchers should have instead worked with NXP and end users to find a solution before going public.

Jacobs is critical of security suppliers who are secretive about their systems and says customers should be skeptical of suppliers who say: "Just trust us." He says secrecy is often used to conceal failures.

Mansfield agrees, but says, "I can't accept that the only way you can guarantee something is secure is by having an open debate on the subject."

He says an independent expert assessment is usually acceptable to suppliers and provides customers and their stakeholders the assurance they need, but that risks should be reviewed continually as technology evolves.

Read more on Hackers and cybercrime prevention