Transport for London (TfL) uses Oyster Cards for pre-paid
journeys on the Underground and buses. These rely on the Mifare
chip which is made by NXP, a spin-off from Philips. The cards can
be held to readers without having to come into physical contact
with them to pay for journeys. Critics have said in the past that
security procedures involved in the system may not be good
enough.
When researchers from Radboud University in the Netherlands
announced that they had cracked the chip security on the cards NXP
took out an injunction to stop the research being published.
Though NXP said that no useful purpose would be served by the
publication, the study was undertaken because the system is due to
be used in the Netherlands.
"The judge has ruled that publishing this scientific article
falls under the principle of freedom of expression and that in a
democratic society it is of great importance that the results of
scientific research can be published," said a statement by Radboud
University. "The article will be published at the beginning of
October during a scientific conference in Malaga in Spain."
NXP said that even with the information found by the Radboud
researchers it is difficult to circumvent the system, but that if
they published the exact methods they used to fool the Oyster
system in London, many people would be able to copy their
actions.
"Even if the algorithm is known, it still requires quite some
expertise to exploit it in an attack," said an NXP statement.
"Researchers of the Radboud University however have used the
knowledge of the algorithm to develop attacks to retrieve the keys
and the data that is stored on the MIFARE Classic card. In the case
that attack software and attack equipment would become available to
the public, then the hurdle for attacks would become low."
NXP said that it was disappointed at the ruling, and that not
every user of the system would be able to amend their systems in a
matter of months. For some, it said, it would take years.
The researchers said, though, that they had behaved with
impeccable researcher ethics.
"Driven by a sense of social responsibility, the University
immediately and confidentially informed the Dutch Government as
well as the manufacturer of the results of the independent research
on the Mifare Classic Chip," said the University. "Since March, the
researchers have deliberately withheld further details of the
imperfections of the chip in order to give those involved,
including NXP, the opportunity to take the necessary steps.
Publication of the scientific article was anticipated in October
2008 and in June the article was sent confidentially to NXP so that
NXP could ask for a legal opinion."
The University said that the judge had ruled that it had acted
with due care.
NXP said that it would send information on how to identify
abuses of the information to its customers. "There are techniques
and countermeasures to detect cards and data which have been
tampered with, some of which are described in the confidential
application notes published by NXP," it said.
The researchers found that not only could cloned cards be used
for free travel and topped-up with credit from a laptop computer,
but they could also be used to jam entry gates into the Tube
system.
