Dutch university can publish controversial Oyster research Dutch researchers will be able to publish their controversial report on the Mifare Classic (Oyster) RFID chip in October, a Dutch judge ruled today. Researchers from Radboud University in Nijmegen revealed two weeks ago they had cracked and cloned London's Oyster travelcard and the Dutch public transportation travelcard, which …
Thank heavens good sense prevailed over corporate stupidity.... don't those idiots know any history? There was a nasty chappie some 70 years ago who thought that his nice type-writer machiney thingy was totally secure. Only nobody bothered to check if this was the case. Net result: they had a scrap with their neighbours and lost! Proper security is difficult. (apologies to the purists who'll scream over my scrappy posting... ) :)
If a security flaw exists, hiding it does not provide security. Hiding it only makes it harder for users to protect themselves and for authorities to investigate when users are victimized. Companies that rely on obfuscation of flawed security should be subject to criminal as well as civil penalties for engaging in fraud.
'While "the publication of scientific studies carries a lot of weight in a democratic society", it seems the general (commenting) public is more excited about getting a free ride or beating "the man"'
If you're using this commenting section as "the general (commenting) public", at least at the time I'm posting this, it looks to be about 50/50 between people happy at having rights and liberties protected and those interested in a free ride. In addition, the "rights and liberties" brigade are clearly serious, while the "free ride" people seem to be mostly joking.
-Daniel
The idea of a card that can be downloaded with money to be uploaded into various shops, hotels, means of transport, etc. seems to be a great idea.
Years ago we had the "Mondex" card, which was designed to be filled with cash that could be spent as easily as real cash.
The problem with all of these ideas (and this includes cash and banknotes) is forgery. If you can make it, I can copy it....eventually. For years the banks and similar establishments have relied on the security of banknotes, credit cards, on-line systems, etc. to provide a useful service to their customers. But it's an arms race and the criminals amongst us eventually find a way to hijack the system to defraud the public. Sometimes this is the result of some ingenious design or an advance in technology, but sometimes it's down to the providers being remarkably dumb and underestimating the intelligence of the criminals.
A classic case is the new "chip & PIN" card. It was designed to be impossible to crack or copy but, rather stupidly, it carries a magnetic strip containing exactly the same data, and which is about as difficult to copy as an audio tape. Doh!
We should remember that whenever a big corporation gets stiffed by forgers, it's you and I that end up paying for it.
That you should never tell the emperor he has no clothes on!! I mean, its more important to promote a secure product than actually build one, right?
What do you want these days? Craftmanship and professionalism? You know how much it costs to find that kind of work on an outsourced basis?
It isn't "smart" to embed authority into a programmable device. Duh! Smart is making the tokens cost more than the value they carry, so forgery is doing you a favor. Smart is people in the loop. With all their problems, they are still quite competitive with low power processors available in the forseeable future. Duh #2!
What is smart is to sue the maker for nod disclosing weaknesses in the system, making the vendor pay for replacement of the systems. How many times would you have to do this before the "smart" claim went away. Vendors might still sell the things, but they would have to humbly advertise their weaknesses as well as their strengths.
Anonymous? Because I can. Except for El Reg of course, and anyone snooping my IP address... And anyone analyzing the word usage in my posts. Aaaaand the black helicopter crowd who made me post this with their mind control rays. My wife said, "Don't take off that tinfoil", but did I listen? Oh nooooo.
So long as nobody thinks this is fully secure there is no problem.
Various systems work fine with less-than secure identification.
*Barcodes, for instance are used in all sorts of situation and can be readily duplicated with a photocopier or a pen and paper.
* Physical keys can be easily duplicated using a file. Locks can be readily opened by "bumping".
Being able to fool some technology does not make it legal.
"Spokesperson for NXP Martijn van der Linden said that publishing the report would be "irresponsible" - understandably, the company fears criminals will be able to attack Mifare Classic-based systems."
Criminals already ARE ATTACKING your systems; the first ones are smart enough to keep a low profile so as to not draw attention to themselves. You ought to be thankful that the folks at Radboud did what your incompetent security toads failed to do. Do you really think THE CRIMINALS would notify you of the security hole?
Not all locks can be bumped. All it takes is a little change to the tumblers to stop that attack.
And some locks(those with circular keys, or those with the 'half circle' cross-section where the 'notches' are cut at varying angles) are intrinsically safe from these attacks.
(The last one is also almost impossible to pick. Not saying completely impossible as someone is bound to say they did it)
And not all keys can be copied with a file, either.
For some you need blanks not commercially available, or part of the profile must be routed. It can still be copied, but the time and expense increases drastically.
No system is completely tamper-proof or impenetrable. What we pay for is the amount of time and effort it will take an attacker to get past it.
And in the case of the Oyster, well... seems people aren't getting their money's worth...
Whether to call this Hacking or Cracking...
It wasn't done to gain unauthorized entry, so I'm calling it Hacking.
HackCon #2 survivor...
"I know of at least 1 major university which uses this chip in it's security cards. As well as libraries and laundries, a few minor facilities such as animal labs and a small nuclear reactor are also behind doors with RFID security.
This could be a problem" .... By Anonymous Coward
Posted Friday 18th July 2008 18:03 GMT
AC,
It is also an Opportunity for some Youthful Direction with Academe Intelligence Mentoring. So Very Typically ITs dDutch and AIVD. ESPecial Forces Defence.
Be Aware [and don't say you were not Warned] of Addictive NEUKlearer Entanglement with One Honey Mother of a Money Trap ... which is an Interesting Twist on the more Usual Man Trap/UltiMate Failing.
The last couple of weeks have been a laugh a minute for me, at the Oyster big brother system and their corporate suppliers.
2 weeks ago a Uni announces they have figured out how to clone the cards. This means that the type of cards they cloned have been clonable since they have been on the market, even though the manufacturer claimed otherwise.
1 week ago the Oyster card system breaks in London, early on a Sunday morning. I assume this is the quietest time for TFL? If so, I guess the break was caused by the roll out of a patch or update. And I wonder what that patch did? Perhaps it was to try and mitigate the effects of possibly cloned cards?
The way the Oyster cards work is that the card itself holds the credit, so when you use an Oyster card it doesn't go away to a central point to confirm yes or no, like credit^W debt cards do. This means that if you were able to clone Oyster cards the clone would probably work successfully for quite a while. I bet the backend systems were not designed to take real-time authorisation checks, so if the change TFL made added this, or even just real-time auth for every 100th card presented, the central servers could have croaked it, killing the whole system for a several hours.
Of course, the Oyster maker's attitude of wanting security through obscurity overlooks a glaring piece of logic: If those Dutch researchers could figure out how to clone the cards, then other people also would be able to. It stands to reason that cloned cards are already being used.
Personally I am happy that the Oyster card thing is being toppled. Yeah, I know it adds convenience to travelling in the big smoke, but the tracking abilities it provides are horrific, and to me doen't make the system worthwhile. And the implementation in London means that the beaurocrats will always win if there is a dispute over fares and fines etc..
You have a large installed userbase and then someone wants to go public with something before you've had a chance to fix it. Revising the security and spinning a new chip out isn't quick and isn't cheap.
A few years back ITV digital had it's security totally cracked, everyone had fake cards, it collapsed and Sky could breath easy again. I wonder who did the crack on the ITV card?
Are there any large corporate donors to that university??
Mondex was actually well engineered, even from the crypto point of view. It was the customer usage that wasn't well planned.
Mifare is a piece of junk, with "encryption" that even an undergrad can see problems with, and it should surprise no-one that an optimised attack has been devised. Given the amount of silicon used a competent engineer could have done a far better job.
Put simply mifare is unfit for purpose, and NXP would like to keep that quiet less they get their arses sued off by all the companies that have invested in it.
No, they'd never let that study about how oysters feel pain, form strong family bonds, have an ultrasonic musical ability of unfathomable complexity and beauty yet are filled to the brim of toxic algae, heavy metals and fecal matter get out to the public. That sort of information undermines the very generation of the human species as it is vital to the reproductive strategies of millions; ripping off tfl is practically noble by comparison.
[Ms Hilton "free ride with her oyster" joke deleted]
I suggested to a friend that car number plates could be cloned and used in conjunction with the same car colour/make/year. If crims had "his" car reg number on the "same" car, plod would waste a lot of time chasing him instead of the crims. He gave me a rather worried look and mumbled "that would work". It didn't seem to be as prolific back then as it is now.
Now plod has plate recognition, it makes me wonder how many crims have used this method to get stolen cars out of the country?
Correct me if I am wrong, but I seem to remember this university (on these hallowed pages) said that 127 bytes of virus code could be stored on these things. Crustacean Card has performed an Illegal operation and will be shut down, along with the rest of the system.
Ok, I am a purist here, and I'm not going to complain about your post. There were a few events in WW2 that can be argued to have won the war and I'll list them in order of importance (in my humble opinion).
1) Stalingrad. Thank the Russians for this victory - it prevented access to the Caucasus oil.
2) Enigma. Thanks to the Poles who cracked it. This one kept the Atlantic open, and kept the Allied troops supplied.
3) Pearl Harbour. Thank the Japanese for waking a sleeping giant. Crucially a sleeping giant whose factories couldn't easily be bombed.
4) Battle of Britain. First one the British Empire can receive thanks for. Giving a base for attacking Germany, both for Empire and American troops.
A final, rather more on topic point, to anyone pointing out that Nuclear reactors might be protected with RFID chips. If someone is protecting their most valuable assets using only a few RFID chips then they deserve to have everything stolen. Furthermore, if something as key as a Nuclear reactor was being protected with only an RFID security system, then all manner of government regulations would be in the process of being broken.
If NXP hadn't spent all that time arguing and actually got down to correcting this, then this wouldn't be quite a bad as it seems.
I do love the quote NXP came out with, "...this will damage society...". No, this will damage your profits, especially when new customers see this, they may well start looking at competitors products.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
