Thread: Security of Oyster Cards
View Single Post
  #15   Report Post  
Old November 18th 03, 08:40 PM posted to uk.transport.london,alt.2600,sci.crypt
Gareth Davis Gareth Davis is offline
external usenet poster
  
First recorded activity at LondonBanter: Nov 2003
Posts: 15
Default Security of Oyster Cards
Mok-Kong Shen wrote in message ...
John Hadstate wrote:

(Matthew) wrote in message
Access to the information is only possible using secret keys
specific to that card, known only to devices permitted to process the
cards. These cards are very difficult to break into, making the cards
very secure; in the unlikely event that a card has its key broken
then the system - and all other cards - will remain secure.


If memory serves the system is based on the Philips MiFare system
which you can read all about (including the 3 pass authentication
procedure) at:
http://www.semiconductors.philips.co...sheets/#mifare

The key length in use is 48 bits per sector of the card, given the
fastest that the select and authentication phase can be completed in
is 5ms then it would take over 44.5 thousand years to try all the
combinations. And this would only grant you access to a single part of
the card. I would expect several sectors to be used in practise,
perhaps split up between ticket types and stored payment uses.

Direct attack on the cards is clearly out of the question, since all
the cards should (I say should, given the vulnerability that used to
be present in the old magnetic ticketing system I would not put it
past Cubic to screw it up again) have different keys programmed onto
them, then attacking multiple cards at the same time is a pointless
exercise - unless you were lucky to get a card with a key near the
beginning of your test range.

We already know that the system 'trusts' the content of the card and
there is no live database link available to all of the readers,
otherwise we would not have to 'collect' tickets purchased online from
a designated gateline. Giving everything a live link would be
prohibitively expensive (mobile and handheld units are in use on
moving vehicles that may be underground) and would only ever be
required if the keys were broken. However if the keys are broken and
cards rewritten then I do not see how the system can detect it. Other
then perhaps some kind of off line database crawling process looking
for anomalies.


All of the above adds up to a classic case of "security by obscurity."
This might mean that the inventors have already identified or suspect
weaknesses in their system that they hope will remain undiscovered if
no one is permitted to analyze their system too closely.

I believe the card interface system is fairly secure on paper, the
question is how secure is the rest of the infrastructure around it? I
would expect the keys to leak out of the staff that designed the
system before they are cracked, or the website backend to be hacked to
start issuing recharge requests without payment. Even if the keys were
broken they can be rewritten on the cards making the whole system
secure again, although the amount of time it would take to rewrite all
the cards may be vast, certainly not an overnight fix - but could be
done quietly without anyone having to own up to the problem. Also once
a suspect card gets a cancel request raised it then I would expect all
mobile terminals to know about it within hours (as soon as they are
docked next). Overall I believe the system does have good potential to
recover from a compromise BUT it has to be noticed first.


On the other hand, if the cost/risk of analysis is
sufficiently high, there would be 'practical' security,
I suppose. (Actually, banknotes are similar in this
respect, I believe. There are saying, though, that
the techniques/knowhow of the fraudsters are now quite
comparable to those of the governments in making
banknotes.)

M. K. Shen

The rewards in cracking this system are also very high though, given
the retail cost of travel passes. I personally spend about 800UKP on
travel in London each year, and I live and work about 4 miles from the
centre. People made money selling tickets that exploited a problem in
the magnetic ticketing system because of this cost but these tickets
were obviously not valid for travel to the naked eye.

However the real fraud with the smart cards is already happening and
is far less technical. Most of the railway companies operating out of
London have not equipped their ticket barriers to accept the
smartcards or issued their staff with scanners (or maybe they just
can't be bothered to carry them). The result is the staff have to
assume you have a valid ticket loaded onto your smart card if you are
carrying one because they have no way of checking otherwise. For those
of you who have never seen one, they all look identical and you
usually do not get a printed paper receipt to go with it if you book
online.

Pretending you have a valid pass on a line where you know it will not
get scanned is the real weakness at the moment, and it is this that
makes the whole system a bit of a joke.

I'm sure the tens of millions could have been better spent elsewhere
on the network with a much larger benefit for the passengers.

--
Gareth Davis

Reply With QuoteReply With Quote