Oyster hack will be published, rules Dutch court

Out-Law News | 22 Jul 2008 | 2:25 pm | 2 min. read

A team of Dutch researchers has been given permission to publish details of how it cracked the security on which the pre-payment card for London's transport network is based.

Transport for London (TfL) uses Oyster Cards for pre-paid journeys on the Underground and buses. These rely on the Mifare chip which is made by NXP, a spin-off from Philips. The cards can be held to readers without having to come into physical contact with them to pay for journeys. Critics have said in the past that security procedures involved in the system may not be good enough.

When researchers from Radboud University in the Netherlands announced that they had cracked the chip security on the cards NXP took out an injunction to stop the research being published.

Though NXP said that no useful purpose would be served by the publication, the study was undertaken because the system is due to be used in the Netherlands.

"The judge has ruled that publishing this scientific article falls under the principle of freedom of expression and that in a democratic society it is of great importance that the results of scientific research can be published," said a statement by Radboud University. "The article will be published at the beginning of October during a scientific conference in Malaga in Spain."

NXP said that even with the information found by the Radboud researchers it is difficult to circumvent the system, but that if they published the exact methods they used to fool the Oyster system in London, many people would be able to copy their actions.

"Even if the algorithm is known, it still requires quite some expertise to exploit it in an attack," said an NXP statement. "Researchers of the Radboud University however have used the knowledge of the algorithm to develop attacks to retrieve the keys and the data that is stored on the MIFARE Classic card. In the case that attack software and attack equipment would become available to the public, then the hurdle for attacks would become low."

NXP said that it was disappointed at the ruling, and that not every user of the system would be able to amend their systems in a matter of months. For some, it said, it would take years.

The researchers said, though, that they had behaved with impeccable researcher ethics.

"Driven by a sense of social responsibility, the University immediately and confidentially informed the Dutch Government as well as the manufacturer of the results of the independent research on the Mifare Classic Chip," said the University. "Since March, the researchers have deliberately withheld further details of the imperfections of the chip in order to give those involved, including NXP, the opportunity to take the necessary steps. Publication of the scientific article was anticipated in October 2008 and in June the article was sent confidentially to NXP so that NXP could ask for a legal opinion."

The University said that the judge had ruled that it had acted with due care.

NXP said that it would send information on how to identify abuses of the information to its customers. "There are techniques and countermeasures to detect cards and data which have been tampered with, some of which are described in the confidential application notes published by NXP," it said.

The researchers found that not only could cloned cards be used for free travel and topped-up with credit from a laptop computer, but they could also be used to jam entry gates into the Tube system.