London Underground's Oyster Cards Cracked

Oyster cards, the high-tech RFID swipe cards used to gain access to the London Underground, have been pwned.

Pro crackers have unlocked the card's cryptography system, which turns out to be garbage of the "security through obscurity" order. Bruce Schneier asks, "when will people learn not to invent their own crypto?", a question which might be echoed by anyone else dumb enough to have licensed Mifare.

All the researchers had to do was examine the chip's conductive pathways, as one might do to an old arcade chip to get it emulated in MAME.

"The research team was able to obtain the card's proprietary encryption scheme by physically dissecting its chip and examining it under a microscope. They then photographed various levels of its circuitry and used optical recognition software to produce a 3D representation of the entire chip. By examining the logic gates in great detail, they were able to deduce the proprietary algorithm, which NXP dubs Crypto1."

Perhaps peer review won't be too hard for this particular paper, if dodgy market stall operators catch my drift.
