London Transport (uk.transport.london) Discussion of all forms of transport in London.

#1  July 21st 08, 02:27 PM  posted to uk.transport.london
Oyster card hack

"Details of how to copy the Oyster cards used on London's transport network
can be published, a Dutch judge has ruled. "

See http://news.bbc.co.uk/1/hi/technology/7516869.stm
MaxB

#2  July 21st 08, 03:07 PM  posted to uk.transport.london
Oyster card hack

"Batman55" gurgled happily, sounding much like
they were saying:

> "Details of how to copy the Oyster cards used on London's transport
> network can be published, a Dutch judge has ruled. "
>
> See http://news.bbc.co.uk/1/hi/technology/7516869.stm MaxB

And quite right too. Security by obscurity is a laughable farce.
#3  July 21st 08, 05:25 PM  posted to uk.transport.london
Oyster card hack

Adrian wrote:
> "Batman55" gurgled happily, sounding much like
> they were saying:
>
> > "Details of how to copy the Oyster cards used on London's transport
> > network can be published, a Dutch judge has ruled. "
> >
> > See http://news.bbc.co.uk/1/hi/technology/7516869.stm MaxB
>
> And quite right too. Security by obscurity is a laughable farce.

Indeed. What NXP were trying to do smacks of claiming you can walk
safely off Beachy Head after banning the teaching of the Theory of Gravity.

Tom
#4  July 22nd 08, 08:40 AM  posted to uk.transport.london
Oyster card hack

On Jul 21, 6:25 pm, Tom Barry wrote:
> Adrian wrote:
> > "Batman55" gurgled happily, sounding much like
> > they were saying:
> >
> > > "Details of how to copy the Oyster cards used on London's transport
> > > network can be published, a Dutch judge has ruled. "
> > >
> > > See http://news.bbc.co.uk/1/hi/technology/7516869.stm MaxB
> >
> > And quite right too. Security by obscurity is a laughable farce.
>
> Indeed. What NXP were trying to do smacks of claiming you can walk
> safely off Beachy Head after banning the teaching of the Theory of Gravity.

I notice LUL are still claiming Oyster security is perfectly ok. Do
they live in a parallel universe or something?
The sooner this whole Oyster card b0ll0cks is blown apart the better,
then we can get back to normal tickets without any you-forgot-to-touch-out scams.

B2003

#5  July 22nd 08, 09:24 AM  posted to uk.transport.london
Oyster card hack

On Jul 22, 9:40 am, B2003 wrote:
> On Jul 21, 6:25 pm, Tom Barry wrote:
> > Adrian wrote:
> > > "Batman55" gurgled happily, sounding much like
> > > they were saying:
> > >
> > > > "Details of how to copy the Oyster cards used on London's transport
> > > > network can be published, a Dutch judge has ruled. "
> > > >
> > > > See http://news.bbc.co.uk/1/hi/technology/7516869.stm MaxB
> > >
> > > And quite right too. Security by obscurity is a laughable farce.
> >
> > Indeed. What NXP were trying to do smacks of claiming you can walk
> > safely off Beachy Head after banning the teaching of the Theory of Gravity.
>
> I notice LUL are still claiming Oyster security is perfectly ok. Do
> they live in a parallel universe or something?
> The sooner this whole Oyster card b0ll0cks is blown apart the better,
> then we can get back to normal tickets without any you-forgot-to-touch-out scams.

We don't know what the technique is yet. But assuming TfL have cameras
watching all the gates and centralized instant access to every card
being used then it's not going to be too easy to exploit even if
cloning the card is as simple as running it through a photocopier.

The easiest exploit is going to be when a few people get together to
exploit the cap. Assuming that only one person uses the card at a time
then AFAIAA technically they're not breaking the rules so long as they
actually exchange the card. Cloning allows them to skip the need to
physically swap the card but can be detected if the card is used at
two remote stations too quickly.

I don't know if weekly travelcards need photo ID as well. If not then
that's potentially another exploit for people who travel between
ungated stations. Because it's not necessary to touch in/touch out
with a travelcard, the chance of both clones getting inspected close
enough in time to detect a duplication is probably minimal. Of course,
the obvious initial step to stop this will be to make it a requirement
for travelcard holders to touch in and touch out - although I believe
there are still some stations where this isn't possible there are
going to be few journeys where it can't happen at either end.

It's also possible that the central computer can detect a card being
used that has a "missing" journey on it - I'm not sure how much
information is recorded on the card - which would make using even a
cloned, capped, PAYG stick out like a sore thumb.

The other attack is to clone someone's card as they exit the tube -
shouldn't be too hard to scan their card if, like me, they just stick
it in their trouser pocket and the area is crowded enough. If it's
then trivial to clone that info onto another card then someone could
make a free journey with no flags showing. It would be the innocent
cardholder who would get flagged. But again, such an attack is going
to show up on CCTV eventually and it's going to involve at the very
least people wandering around with laptops to read and reprogram cards
and I don't see it as being a significant revenue risk to TfL -
although it could be a significant risk to users if they're one of the
unlucky ones whose card gets cloned. Expect wallets with tinfoil so
you have to open the wallet to let the card be read if this sort of
attack looks like it might be happening.

Tim.
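
(Added example, not part of Tim's post and not anything TfL has published.) The detection Tim describes, one serial turning up at two remote stations too quickly, is straightforward to run over a central touch log once the gates report touches upstream. The Python below does that over a constructed log, and also checks a per-card transaction counter, which is an assumption about what the card stores: two clones written from the same image carry the same counter, so the central system sees the same (serial, counter) pair twice. Station names, minimum travel times, serials and the counter field are all made up for the example.

```python
"""Impossible-travel and duplicate-counter checks over a touch log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Touch:
    uid: str          # card serial as presented to the gate
    station: str
    ts: datetime
    counter: int      # per-card transaction counter (assumed to exist on the card)


# Constructed lower bounds on travel time between station pairs; any pair not
# listed falls back to DEFAULT_MIN.  Real values would come from the timetable.
MIN_TRAVEL = {
    frozenset({"Euston", "Watford Junction"}): timedelta(minutes=15),
    frozenset({"Euston", "Bank"}): timedelta(minutes=8),
}
DEFAULT_MIN = timedelta(minutes=3)


def min_travel(a, b):
    return MIN_TRAVEL.get(frozenset({a, b}), DEFAULT_MIN)


def impossible_travel(touches):
    """Return (uid, earlier, later) triples where one serial appears at two
    different stations closer in time than any train could manage."""
    by_uid = defaultdict(list)
    for t in touches:
        by_uid[t.uid].append(t)
    flagged = []
    for uid, seq in by_uid.items():
        seq.sort(key=lambda t: t.ts)
        for prev, cur in zip(seq, seq[1:]):
            if prev.station != cur.station and \
                    cur.ts - prev.ts < min_travel(prev.station, cur.station):
                flagged.append((uid, prev, cur))
    return flagged


def duplicate_counters(touches):
    """Two physical cards cloned from one image both continue from the same
    counter value, so the central log sees the same (uid, counter) twice."""
    seen = set()
    dups = []
    for t in sorted(touches, key=lambda t: t.ts):
        key = (t.uid, t.counter)
        if key in seen:
            dups.append(t)
        seen.add(key)
    return dups


def ts(h, m):
    return datetime(2008, 7, 22, h, m)


SAMPLE = [  # constructed touch log
    Touch("A1", "Euston", ts(8, 0), 41),
    Touch("A1", "Bank", ts(8, 20), 42),
    Touch("B2", "Euston", ts(8, 0), 17),            # clone 1
    Touch("B2", "Watford Junction", ts(8, 5), 17),  # clone 2, same counter
    Touch("C3", "Bank", ts(9, 0), 5),
    Touch("C3", "Bank", ts(9, 1), 6),               # in then out at one station, benign
]


def suspicious_uids(touches=SAMPLE):
    """Serials flagged by either check, sorted for stable output."""
    uids = {uid for uid, _, _ in impossible_travel(touches)}
    uids |= {t.uid for t in duplicate_counters(touches)}
    return sorted(uids)


if __name__ == "__main__":
    print(suspicious_uids())
```

The timing check needs a lower bound on travel time per station pair; pairs the table does not cover fall back to a generic minimum, so a real deployment would feed the table from the timetable rather than a hand-written dict. The counter check costs nothing extra if the card already carries a counter, and it catches the case the timing check misses: two clones used far apart in time but both continuing from the same state.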


#6  July 22nd 08, 09:56 AM  posted to uk.transport.london
Oyster card hack

On Jul 22, 10:24 am, Tim wrote:
> We don't know what the technique is yet. But assuming TfL have cameras
> watching all the gates and centralized instant access to every card
> being used then it's not going to be too easy to exploit even if
> cloning the card is as simple as running it through a photocopier.


Most CCTV images are rubbish and I doubt they'll have the police on
standby all to catch the person next time they try and use a gate. As
soon as the card is blocked they'll bin it and use another.

> actually exchange the card. Cloning allows them to skip the need to
> physically swap the card but can be detected if the card is used at
> two remote stations too quickly.

It all depends if the serial number can be modified. According to this
document:

http://www.nxp.com/acrobat/other/ide...S50_rev5_3.pdf

it's write-protected after manufacture. Though given NXP's recent
bluffing I'd take that with a pinch of salt.

Assuming they can change the serial number and the gates don't store a
complete list of valid cards it's simply a matter of changing the
number as soon as the card is blocked.

> I don't know if weekly travelcards need photo ID as well. If not then

I don't think they've needed a photo card for a long time.

> The other attack is to clone someone's card as they exit the tube -
> shouldn't be too hard to scan their card if, like me, they just stick
> it in their trouser pocket and the area is crowded enough. If it's

No, that's probably not possible. This isn't a powered wireless system
such as bluetooth waiting to be contacted. It's powered by the RF it
gets through its antenna and for that to be strong enough it's got to
be very close to the transmitter coil or you need a socking powerful
transmitter which isn't going to fit in the palm of someone's hand and
would probably give the user RF burns even if it did. Even if you
could power up an Oyster from a few feet away odds are you might not
be able to read the reply anyway if it gives off a really low power
signal.

B2003

#7  July 22nd 08, 12:39 PM  posted to uk.transport.london
Oyster card hack

On Jul 22, 10:56 am, B2003 wrote:
> On Jul 22, 10:24 am, Tim wrote:
>
> > We don't know what the technique is yet. But assuming TfL have cameras
> > watching all the gates and centralized instant access to every card
> > being used then it's not going to be too easy to exploit even if
> > cloning the card is as simple as running it through a photocopier.
>
> Most CCTV images are rubbish and I doubt they'll have the police on
> standby all to catch the person next time they try and use a gate. As
> soon as the card is blocked they'll bin it and use another.
>
> > actually exchange the card. Cloning allows them to skip the need to
> > physically swap the card but can be detected if the card is used at
> > two remote stations too quickly.
>
> It all depends if the serial number can be modified. According to this
> document:
>
> http://www.nxp.com/acrobat/other/ide..._MF1ICS50_rev5...
>
> it's write-protected after manufacture. Though given NXP's recent
> bluffing I'd take that with a pinch of salt.
>
> Assuming they can change the serial number and the gates don't store a
> complete list of valid cards it's simply a matter of changing the
> number as soon as the card is blocked.

It depends on whether all the card transmits to the gate is the serial
number or whether it includes some extra information - e.g. last gate
to have gone through and whether that can be checked by the central
system. I've not looked into how oyster works at all - I don't know
whether the gates rely on a real time connection to the central system
or not.


> > I don't know if weekly travelcards need photo ID as well. If not then
>
> I don't think they've needed a photo card for a long time.
>
> > The other attack is to clone someone's card as they exit the tube -
> > shouldn't be too hard to scan their card if, like me, they just stick
> > it in their trouser pocket and the area is crowded enough. If it's
>
> No, that's probably not possible. This isn't a powered wireless system
> such as bluetooth waiting to be contacted. It's powered by the RF it
> gets through its antenna and for that to be strong enough it's got to
> be very close to the transmitter coil or you need a socking powerful
> transmitter which isn't going to fit in the palm of someone's hand and
> would probably give the user RF burns even if it did. Even if you
> could power up an Oyster from a few feet away odds are you might not
> be able to read the reply anyway if it gives off a really low power
> signal.
>
> B2003


I wasn't considering reading it from more than an inch away. That's
why I said a crowded station. If you need to read a card then you just
stand near to the exit gates and watch until you see someone pass
through and then stick the card in an easily accessible point. You then
"accidentally" bump them. Now you've got whatever information the gate
was expecting to see on the next trip.

It really doesn't matter if the serial number is written to the card
in such a way it cannot be modified. It really isn't difficult to
build electronics that will read and replay the signals, the difficult
part is knowing what data needs to be sent backwards and forwards,
especially if there's encryption and a nonce involved so you can't
just record something and then replay it later.

Tim.
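
(Added example, not code from the thread, from NXP or from TfL; it is a generic toy built on HMAC, not MIFARE Classic's actual cipher or Oyster's protocol.) Tim's point that encryption plus a nonce stops recorded traffic being replayed, and B2003's point that it all depends on whether the serial can be changed, can be put side by side in a few lines: a gate that checks only the serial accepts anything that can emit it; a challenge-response gate rejects a replayed transcript because its nonce has changed; but a clone that carries the extracted key answers the challenge exactly like the original, so the gate alone cannot tell them apart and duplicate detection has to happen somewhere else. The card UID, the key, the per-card key lookup and the HMAC construction are assumptions made for the example.

```python
"""Serial-only check vs. nonce challenge-response vs. key-bearing clone (added toy example)."""
import hashlib
import hmac
import os


class Card:
    """A card holding a per-card secret; answers a gate's challenge with it."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        # Binds the gate's fresh nonce to this card's identity under the card key.
        return hmac.new(self.key, nonce + self.uid, hashlib.sha256).digest()


class Gate:
    """Gate that knows each card's key (assumed: keys diversified per UID)."""

    def __init__(self, keys: dict):
        self.keys = keys

    def challenge(self) -> bytes:
        return os.urandom(16)          # fresh nonce for every touch

    def verify(self, uid: bytes, nonce: bytes, response: bytes) -> bool:
        key = self.keys.get(uid)
        if key is None:
            return False
        expected = hmac.new(key, nonce + uid, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def serial_only_accepts(uid: bytes, valid_uids: set) -> bool:
    """What a gate that checks nothing but the serial number amounts to:
    anything able to emit a known UID gets through."""
    return uid in valid_uids


def replay_recorded_exchange(gate: Gate, card: Card) -> bool:
    """Attacker records one genuine exchange, then presents the recorded
    response to a later challenge.  Returns whether the gate accepted it."""
    nonce1 = gate.challenge()
    recorded = card.respond(nonce1)
    assert gate.verify(card.uid, nonce1, recorded)   # the genuine touch passes
    nonce2 = gate.challenge()                        # different nonce next time
    return gate.verify(card.uid, nonce2, recorded)


def clone_with_key(gate: Gate, card: Card) -> bool:
    """If the attacker has the key itself, the clone is indistinguishable
    to the gate: challenge-response proves key possession, not uniqueness."""
    clone = Card(card.uid, card.key)
    nonce = gate.challenge()
    return gate.verify(clone.uid, nonce, clone.respond(nonce))


# Constructed demo card; UID and key are made up for the example.
CARD = Card(uid=bytes.fromhex("04a1b2c3"), key=b"\x11" * 16)
GATE = Gate({CARD.uid: CARD.key})

if __name__ == "__main__":
    print("serial-only gate accepts emitted UID:   ", serial_only_accepts(CARD.uid, {CARD.uid}))
    print("nonce gate accepts replayed response:    ", replay_recorded_exchange(GATE, CARD))
    print("nonce gate accepts clone holding the key:", clone_with_key(GATE, CARD))
```

The three results are the whole argument: replaying a sniffed transcript fails as soon as the gate uses a fresh nonce, but a nonce does nothing against a clone that carries the key, which is why the thread's later discussion moves to what the central system can detect after the fact.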
#8  July 22nd 08, 12:53 PM  posted to uk.transport.london
Oyster card hack

On 22 Jul, 13:39, Tim wrote:
> It depends on whether all the card transmits to the gate is the serial
> number or whether it includes some extra information - e.g. last gate
> to have gone through and whether that can be checked by the central
> system. I've not looked into how oyster works at all - I don't know
> whether the gates rely on a real time connection to the central system
> or not.


The card has its own memory and enough information onboard that it can
be authorised/charged/whatever without checking any central databases.
Ticket barriers are online (i.e. have a live network connection) but
it would be impractical for them to check a central database during
every touch. Bus ticket machines are offline and rely on nightly
downloads at the depot. Not sure about standalone validators and other
edge cases.

> I wasn't considering reading it from more than an inch away. That's
> why I said a crowded station. If you need to read a card then you just
> stand near to the exit gates and watch until you see someone pass
> through and then stick the card in an easily accessible point. You then
> "accidentally" bump them. Now you've got whatever information the gate
> was expecting to see on the next trip.

I think it's been demonstrated that passive cards (like Oyster) can be
read from at least a few feet away with the right equipment.

U

--
http://londonconnections.blogspot.com/
A blog about transport projects in London
#9  July 22nd 08, 02:05 PM  posted to uk.transport.london
Oyster card hack

On Jul 22, 1:53 pm, Mr Thant wrote:
> On 22 Jul, 13:39, Tim wrote:
>
> > It depends on whether all the card transmits to the gate is the serial
> > number or whether it includes some extra information - e.g. last gate
> > to have gone through and whether that can be checked by the central
> > system. I've not looked into how oyster works at all - I don't know
> > whether the gates rely on a real time connection to the central system
> > or not.
>
> The card has its own memory and enough information onboard that it can
> be authorised/charged/whatever without checking any central databases.
> Ticket barriers are online (i.e. have a live network connection) but
> it would be impractical for them to check a central database during
> every touch. Bus ticket machines are offline and rely on nightly
> downloads at the depot. Not sure about standalone validators and other
> edge cases.

Hmmm. ISTM that, at the very least, the card must be transmitting the
cost of bus journeys and the cost of tube journeys and what zones have
been used.

Assume a card has been used off peak in only zones 1 and 2 and the
current daily charge is 4.50 with 0 balance left on the card. When you
get on a bus, the card should let you on if you've already reached the
3.00 bus cap. But it should not let you on if that 4.50 is all tube
journeys because you need another 30p to get up to the 1-2 cap.


The more I think about this the more likely I think it is that there
will be viable exploits. If the serial number on the card can be
reprogrammed then I expect home kits and programs to abuse the system
will not take long to appear in the underworld. If the serial number
cannot be reprogrammed then I think that's less likely.


What would be really neat, (but almost certainly not possible using a
standard oyster card) would be to have "magic" cards that change their
number.

For example, a Sunday trip from Watford Junction to London with enough
zone 1 travel to pass the z1-2 cap is cheaper with two cards - 3.00
each way from WJ-Euston plus 4.80 z1-2 cap. (Z1-8+WatfordJ cap is
12.60.) In theory it's maybe possible for the card to tell where it's
being touched in or out before it reveals its serial number (at the
very least it could possibly start a corrupted transmission first
time). So rather than having to have two cards and remember which one
to use when, the card could handle all that logic for you.

(You can do even better if you touch out/in at Willesden Junction -
total journey cost 6.80 - but that requires you to take the slow
train. I can't see how any hack is going to be able to generate a
valid touch out. I can see that a faked touch in might be possible.)

Tim.
#10  July 22nd 08, 02:45 PM  posted to uk.transport.london
Oyster card hack

On Tue, 22 Jul 2008 07:05:53 -0700 (PDT), Tim wrote:

> What would be really neat, (but almost certainly not possible using a
> standard oyster card) would be to have "magic" cards that change their
> number.
>
> For example, a Sunday trip from Watford Junction to London with enough
> zone 1 travel to pass the z1-2 cap is cheaper with two cards - 3.00
> each way from WJ-Euston plus 4.80 z1-2 cap. (Z1-8+WatfordJ cap is
> 12.60.) In theory it's maybe possible for the card to tell where it's
> being touched in or out before it reveals its serial number (at the
> very least it could possibly start a corrupted transmission first
> time). So rather than having to have two cards and remember which one
> to use when, the card could handle all that logic for you.
>
> (You can do even better if you touch out/in at Willesden Junction -
> total journey cost 6.80 - but that requires you to take the slow
> train. I can't see how any hack is going to be able to generate a
> valid touch out. I can see that a faked touch in might be possible.)


What on earth would be the point in such an elaborate scheme? If
you've hacked the card then you can just add £100 (or whatever) of
PAYG credit, for free, whenever you feel like it.

Your card would probably be blacklisted during the nightly
synchronisation of the readers with the central database, but it does
give you an unlimited day's travel each day for £3 (or, if you can
change the card's serial number, not even that).
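
(Added example; a model of the arrangement Mr Thant and the post above describe, not TfL's actual back office, reader firmware or fare table.) Readers decide on the card's own stored data plus whatever hotlist they were last given; a card with credit written on that was never paid for is accepted all day, caught only when the nightly reconciliation compares what each card claimed against what the ledger says was bought, and a clone carrying the same bogus image under a fresh serial starts the clock again. Serials, fares, top-up amounts and the reconciliation rule are all constructed for the example.

```python
"""Offline acceptance with nightly hotlisting (added model, not TfL's system)."""
from dataclasses import dataclass, field


@dataclass
class CardImage:
    """What the reader can see: the card's stored balance and its top-up records."""
    uid: str
    balance: int                                 # pence
    topups: list = field(default_factory=list)   # pence per top-up the card claims


class Central:
    """Back office: knows which top-ups were actually paid for, builds the hotlist."""

    def __init__(self):
        self.paid = {}        # uid -> pence genuinely paid
        self.hotlist = set()

    def record_payment(self, uid, pence):
        self.paid[uid] = self.paid.get(uid, 0) + pence

    def nightly_reconcile(self, day_log):
        """day_log holds (uid, credit the card claimed) per accepted touch.
        Any card claiming more credit than was ever paid for is hotlisted."""
        for uid, claimed in day_log:
            if claimed > self.paid.get(uid, 0):
                self.hotlist.add(uid)
        return sorted(self.hotlist)


class Reader:
    """Gate or bus reader: accepts on card data plus the hotlist it was given."""

    def __init__(self, hotlist_snapshot):
        self.hotlist = set(hotlist_snapshot)     # frozen until the next sync
        self.day_log = []

    def touch(self, card, fare):
        if card.uid in self.hotlist or card.balance < fare:
            return False
        card.balance -= fare
        self.day_log.append((card.uid, sum(card.topups)))
        return True


def run_scenario():
    """Two days of touches: honest card, forged-credit card, re-serialled clone."""
    central = Central()
    central.record_payment("0001", 500)                 # £5 genuinely bought
    honest = CardImage("0001", 500, [500])
    forged = CardImage("0002", 10000, [10000])          # £100 written on, never paid

    day1 = Reader(central.hotlist)
    out = {
        "day1_honest": day1.touch(honest, 150),
        "day1_forged": day1.touch(forged, 150),         # offline reader cannot know
    }
    out["hotlist_after_night1"] = central.nightly_reconcile(day1.day_log)

    day2 = Reader(central.hotlist)
    out["day2_forged"] = day2.touch(forged, 150)        # now blocked by the hotlist
    reserialled = CardImage("0003", 10000, [10000])     # same bogus image, fresh serial
    out["day2_reserialled"] = day2.touch(reserialled, 150)
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

The model makes the two levers visible: how often readers pull a fresh hotlist bounds how long a forged card works, and whether the serial can be changed decides whether hotlisting ever catches up at all.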


Reply
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules

Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
Thread Thread Starter Forum Replies Last Post
MIFARE hack published Boltar London Transport 0 October 7th 08 11:19 AM
Travel Card vs. Oyster Card John L. London Transport 37 February 28th 08 08:48 AM
Oyster Card And Travel Card Question Paul Maskell London Transport 1 August 22nd 07 11:10 AM
Travel card month card cheaper than Oyster ? [email protected] London Transport 8 August 16th 06 01:06 AM
difference between Gold Record Card and Record Card David Howdon London Transport 4 March 29th 06 10:35 PM


All times are GMT. The time now is 04:30 PM.

Powered by vBulletin®
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 London Banter.
The comments are property of their posters.
 

About Us

"It's about London Transport"

 

Copyright © 2017