Questions raised about Oyster card security
Smartcards with encrypted RFID chips, including London’s Oyster fare card, might not be as secure as previously thought. New research at the University of Virginia is causing a major stir in Boston, because it raises question over the smart "CharlieCards" used by commuters on the city’s 'T' metro system.
However, London's Oyster card uses similar RFID technology - the Mifare Classic made by Philips spinoff NXP Semiconductors.
Work by University of Virginia graduate student Karsen Nohl and colleagues raises the spectre that thieves with just US$1,000 (£500) worth of equipment might be able to cracking smartcard encryption. They could then make fake cards to do everything from swipe fares to gain access to high-security areas.
More that a billion Mifare Classic chips have been sold around the world. Security experts have long known that such chips, which generally cost less than a dollar, were crackable, but didn't realise it could be so economically feasible.
Nohl and his team were able to listen to data broadcast by the chips using readily available RFID readers. They then dissected the layers of the chip via custom optical-recognition software to deduce the algorithm and encryption keys.
NXP has countered that only a portion of the cryptographic algorithm has been obtained by the researchers. However, the researchers have not disclosed their method fully, in an effort to keep those with bad intentions from copying them.
A video of the researchers' presentation called "Mifare: Little Security, Despite Obscurity," is available on Nohl's website.
There, Nohl humorously reassures that he and his colleagues have not found a way to crack credit-card security. "Please note that we have not compromised the security of credit cards, as some of the articles suggest," he writes.
"From what we can see, RFID-enabled credit cards have no security (yet?), and hence there is nothing to compromise."
A comment from Transport for London was not immediately forthcoming.
Reproduced from an article published by Computerworld UK
© Computerworld UK
The original article can be viewed here:
http://www.computerworlduk.com/technology/mobile-wireless/apps-rfid/news/in...
Permalink Bookmark Digg this story
