Dutch researchers will be able to publish their controversial report on the Mifare Classic (Oyster) RFID chip in October, a Dutch judge ruled today. Researchers from Radboud University in Nijmegen revealed two weeks ago they had cracked and cloned London's Oyster travelcard and the Dutch public transportation travelcard, which …
Thank heavens good sense prevailed over corporate stupidity.... don't those idiots know any history? There was a nasty chappie some 70 years ago who thought that his nice type-writer machiney thingy was totally secure. Only nobody bothered to check if this was the case. Net result: they had a scrap with their neighbours and lost! Proper security is difficult. (apologies to the purists who'll scream over my scrappy posting... ) :)
Company tries to stamp on others' rights and fails
In a better society this wouldn't be newsworthy. Oh well - at least the world hasn't gone to pot just yet.
Where's the download link?
Obfuscation is not Security
If a security flaw exists, hiding it does not provide security. Hiding it only makes it harder for users to protect themselves and for authorities to investigate when users are victimized. Companies that rely on obfuscation of flawed security should be subject to criminal as well as civil penalties for engaging in fraud.
Soon then, the world really is going to be my Oyster
Hihaa Free ride
on the tube.
Last Saturday cockup tells there is no need to hack the Oyster ... TfL will fry them for you.
/mine's the aluminium lined one
While "the publication of scientific studies carries a lot of weight in a democratic society", it seems the general (commenting) public is more excited about getting a free ride or beating "the man"
I know of at least 1 major university which uses this chip in its security cards. As well as libraries and laundries, a few minor facilities such as animal labs and a small nuclear reactor are also behind doors with RFID security.
This could be a problem
Re: robin hood
'While "the publication of scientific studies carries a lot of weight in a democratic society", it seems the general (commenting) public is more excited about getting a free ride or beating "the man"'
If you're using this commenting section as "the general (commenting) public", at least at the time I'm posting this, it looks to be about 50/50 between people happy at having rights and liberties protected and those interested in a free ride. In addition, the "rights and liberties" brigade are clearly serious, while the "free ride" people seem to be mostly joking.
A better title...
would be "Greedy fucking bastards not allowed to hide the truth."
'twas ever thus
The idea of a card that can be downloaded with money to be uploaded into various shops, hotels, means of transport, etc. seems to be a great idea.
Years ago we had the "Mondex" card, which was designed to be filled with cash that could be spent as easily as real cash.
The problem with all of these ideas (and this includes cash and banknotes) is forgery. If you can make it, I can copy it....eventually. For years the banks and similar establishments have relied on the security of banknotes, credit cards, on-line systems, etc. to provide a useful service to their customers. But it's an arms race and the criminals amongst us eventually find a way to hijack the system to defraud the public. Sometimes this is the result of some ingenious design or an advance in technology, but sometimes it's down to the providers being remarkably dumb and underestimating the intelligence of the criminals.
A classic case is the new "chip & PIN" card. It was designed to be impossible to crack or copy but, rather stupidly, it carries a magnetic strip containing exactly the same data, and which is about as difficult to copy as an audio tape. Doh!
We should remember that whenever a big corporation gets stiffed by forgers, it's you and I that end up paying for it.
Whatever happened to the belief...
That you should never tell the emperor he has no clothes on!! I mean, it's more important to promote a secure product than actually build one, right?
What do you want these days? Craftsmanship and professionalism? You know how much it costs to find that kind of work on an outsourced basis?
Reap what you sow NXP
I wonder if governments and universities will trust "actually secure this time", but still proprietary protocol version 2, or (hopefully this) is this a big nail in the coffin of such things.
Re: Hang on...
If they're that concerned then they've got a couple of months to replace their security systems. Always assuming they haven't already been hacked... At least now there's justification to invest in a different security system.
why do they keep calling them "smart" cards?
It isn't "smart" to embed authority into a programmable device. Duh! Smart is making the tokens cost more than the value they carry, so forgery is doing you a favor. Smart is people in the loop. With all their problems, they are still quite competitive with low power processors available in the foreseeable future. Duh #2!
What is smart is to sue the maker for not disclosing weaknesses in the system, making the vendor pay for replacement of the systems. How many times would you have to do this before the "smart" claim went away? Vendors might still sell the things, but they would have to humbly advertise their weaknesses as well as their strengths.
Anonymous? Because I can. Except for El Reg of course, and anyone snooping my IP address... And anyone analyzing the word usage in my posts. Aaaaand the black helicopter crowd who made me post this with their mind control rays. My wife said, "Don't take off that tinfoil", but did I listen? Oh nooooo.
Does it really matter?
So long as nobody thinks this is fully secure there is no problem.
Various systems work fine with less-than secure identification.
* Barcodes, for instance, are used in all sorts of situations and can be readily duplicated with a photocopier or a pen and paper.
* Physical keys can be easily duplicated using a file. Locks can be readily opened by "bumping".
Being able to fool some technology does not make it legal.
Coop-Door Open, Possum's Got the Chickens
"Spokesperson for NXP Martijn van der Linden said that publishing the report would be "irresponsible" - understandably, the company fears criminals will be able to attack Mifare Classic-based systems."
Criminals already ARE ATTACKING your systems; the first ones are smart enough to keep a low profile so as to not draw attention to themselves. You ought to be thankful that the folks at Radboud did what your incompetent security toads failed to do. Do you really think THE CRIMINALS would notify you of the security hole?
So cracking is "scientific studies"?
Has anybody got a "scientifically studied" copy of Photoshop CS3?
... It's not about shellfish
I need to get out more
Not all locks can be bumped. All it takes is a little change to the tumblers to stop that attack.
And some locks (those with circular keys, or those with the 'half circle' cross-section where the 'notches' are cut at varying angles) are intrinsically safe from these attacks.
(The last one is also almost impossible to pick. Not saying completely impossible as someone is bound to say they did it)
And not all keys can be copied with a file, either.
For some you need blanks not commercially available, or part of the profile must be routed. It can still be copied, but the time and expense increases drastically.
No system is completely tamper-proof or impenetrable. What we pay for is the amount of time and effort it will take an attacker to get past it.
And in the case of the Oyster, well... seems people aren't getting their money's worth...
Whether to call this Hacking or Cracking...
It wasn't done to gain unauthorized entry, so I'm calling it Hacking.
HackCon #2 survivor...
Come on El Reg, let me post it...
For those who want to read the paper: http://eprint.iacr.org/2008/166
Come on El Reg: Let me post it already!
Premium Prime Novel Power for ITs Youth Giving Properties
"I know of at least 1 major university which uses this chip in it's security cards. As well as libraries and laundries, a few minor facilities such as animal labs and a small nuclear reactor are also behind doors with RFID security.
This could be a problem" .... By Anonymous Coward
Posted Friday 18th July 2008 18:03 GMT
It is also an Opportunity for some Youthful Direction with Academe Intelligence Mentoring. So Very Typically ITs dDutch and AIVD. ESPecial Forces Defence.
Be Aware [and don't say you were not Warned] of Addictive NEUKlearer Entanglement with One Honey Mother of a Money Trap ... which is an Interesting Twist on the more Usual Man Trap/UltiMate Failing.
Cloned cards already in use in London?
The last couple of weeks have been a laugh a minute for me, at the Oyster big brother system and their corporate suppliers.
2 weeks ago a Uni announces they have figured out how to clone the cards. This means that the type of cards they cloned have been clonable since they have been on the market, even though the manufacturer claimed otherwise.
1 week ago the Oyster card system breaks in London, early on a Sunday morning. I assume this is the quietest time for TFL? If so, I guess the break was caused by the roll out of a patch or update. And I wonder what that patch did? Perhaps it was to try and mitigate the effects of possibly cloned cards?
The way the Oyster cards work is that the card itself holds the credit, so when you use an Oyster card it doesn't go away to a central point to confirm yes or no, like credit^W debt cards do. This means that if you were able to clone Oyster cards the clone would probably work successfully for quite a while. I bet the backend systems were not designed to take real-time authorisation checks, so if the change TFL made added this, or even just real-time auth for every 100th card presented, the central servers could have croaked it, killing the whole system for several hours.
Of course, the Oyster maker's attitude of wanting security through obscurity overlooks a glaring piece of logic: If those Dutch researchers could figure out how to clone the cards, then other people also would be able to. It stands to reason that cloned cards are already being used.
Personally I am happy that the Oyster card thing is being toppled. Yeah, I know it adds convenience to travelling in the big smoke, but the tracking abilities it provides are horrific, and to me doesn't make the system worthwhile. And the implementation in London means that the bureaucrats will always win if there is a dispute over fares and fines etc.
And the British government wants to adopt an electronic ID card?
When will they see sense - probably not until after millions of people's identities have been compromised.
I'm waiting for the full story
Because I want to know just what was broken in the design?
Just how clever would the crooks have to be?
You got to feel sorry for NXP
You have a large installed userbase and then someone wants to go public with something before you've had a chance to fix it. Revising the security and spinning a new chip out isn't quick and isn't cheap.
A few years back ITV digital had its security totally cracked, everyone had fake cards, it collapsed and Sky could breathe easy again. I wonder who did the crack on the ITV card?
Are there any large corporate donors to that university??
Mondex was actually well engineered, even from the crypto point of view. It was the customer usage that wasn't well planned.
Mifare is a piece of junk, with "encryption" that even an undergrad can see problems with, and it should surprise no-one that an optimised attack has been devised. Given the amount of silicon used a competent engineer could have done a far better job.
Put simply, Mifare is unfit for purpose, and NXP would like to keep that quiet lest they get their arses sued off by all the companies that have invested in it.
No, they'd never let that study about how oysters feel pain, form strong family bonds, have an ultrasonic musical ability of unfathomable complexity and beauty yet are filled to the brim of toxic algae, heavy metals and fecal matter get out to the public. That sort of information undermines the very generation of the human species as it is vital to the reproductive strategies of millions; ripping off tfl is practically noble by comparison.
[Ms Hilton "free ride with her oyster" joke deleted]
When I was 18 (20 years ago)
I suggested to a friend that car number plates could be cloned and used in conjunction with the same car colour/make/year. If crims had "his" car reg number on the "same" car, plod would waste a lot of time chasing him instead of the crims. He gave me a rather worried look and mumbled "that would work". It didn't seem to be as prolific back then as it is now.
Now plod has plate recognition, it makes me wonder how many crims have used this method to get stolen cars out of the country?
Correct me if I am wrong, but I seem to remember this university (on these hallowed pages) said that 127 bytes of virus code could be stored on these things. Crustacean Card has performed an Illegal operation and will be shut down, along with the rest of the system.
@Hihaa Free ride
Also, free toll pass, free parking, free theme park entrance...
Mine's the one with the portable chronosphere in the pocket.
Ok, I am a purist here, and I'm not going to complain about your post. There were a few events in WW2 that can be argued to have won the war and I'll list them in order of importance (in my humble opinion).
1) Stalingrad. Thank the Russians for this victory - it prevented access to the Caucasus oil.
2) Enigma. Thanks to the Poles who cracked it. This one kept the Atlantic open, and kept the Allied troops supplied.
3) Pearl Harbour. Thank the Japanese for waking a sleeping giant. Crucially a sleeping giant whose factories couldn't easily be bombed.
4) Battle of Britain. First one the British Empire can receive thanks for. Giving a base for attacking Germany, both for Empire and American troops.
A final, rather more on topic point, to anyone pointing out that Nuclear reactors might be protected with RFID chips. If someone is protecting their most valuable assets using only a few RFID chips then they deserve to have everything stolen. Furthermore, if something as key as a Nuclear reactor was being protected with only an RFID security system, then all manner of government regulations would be in the process of being broken.
Re: Coop-Door Open
Oh, do supermarkets use them then?
Re: Crypto Info.
If NXP hadn't spent all that time arguing and actually got down to correcting this, then this wouldn't be quite as bad as it seems.
I do love the quote NXP came out with, "...this will damage society...". No, this will damage your profits, especially when new customers see this, they may well start looking at competitors' products.