Thread: Oyster card hack
View Single Post
  #7   Report Post  
Old July 22nd 08, 12:39 PM posted to uk.transport.london
[email protected][_2_] google@woodall.me.uk[_2_] is offline
external usenet poster
  
First recorded activity at LondonBanter: Nov 2007
Posts: 69
Default Oyster card hack
On Jul 22, 10:56 am, wrote:
On Jul 22, 10:24 am, "
wrote:

We don't know what the technique is yet. But assuming TfL have cameras
watching all the gates and centralized instant access to every card
being used then it's not going to be too easy to exploit even if
cloning the card is a simple as running it through a photocopier.

Most CCTV images are rubbish and I doubt they'll have the police on
standby all to catch the person next time they try and use a gate. As
soon as the card is blocked they'll bin it and use another.

actually exchange the card. Cloning allows them to skip the need to
physically swap the card but can be detected if the card is used at
two remote stations too quickly.

It all depends if the serial number can be modified. According to this
document:

http://www.nxp.com/acrobat/other/ide..._MF1ICS50_rev5...

its write protected after manufacture. Though given NXPs recent
bluffing I'd take that with a pinch off salt.

Assuming they can change the serial number and the gates don't store a
complete list of valid cards its simply a matter of changing the
number as soon as the card is blocked.

It depends on whether all the card transmits to the gate is the serial
number or whether it includes some extra information - e.g. last gate
to have gone through and whether that can be checked by the central
system. I've not looked into how oyster works at all - I don't know
whether the gates rely on a real time connection to the central system
or not.


I don't know if weekly travelcards need photo ID as well. If not then

I don't think they've needed a photo card for a long time.

The other attack is to clone someones card as then exit the tube -
shouldn't be too hard to scan their card if, like me, they just stick
it in their trouser pocket and the area is crowded enough. If it's

No , thats probably not possible. This isn't a powered wireless system
such as bluetooth waiting to be contacted. Its powered by the RF it
gets through its antenna and for that to be strong enough its got to
be very close to the transmitter coil or you need a socking powerful
transmitter which isn't going to fit in the palm of someones hand and
would probably give the user RF burns even if it did. Even if you
could power up an Oyster from a few feet away odds are you might not
be able to read the reply anyway if it gives off a really low power
signal.

B2003

I wasn't considering reading it from more than an inch away. That's
why I said a crowded station. If you need to read a card then you just
stand near to the exit gates and watch until you see someone pass
though and then stick the card in an easily accessible point. You then
"accidentally" bump them. Now you've got whatever information the gate
was expecting to see on the next trip.

It really doesn't matter if the serial number is written to the card
in such a way it cannot be modified. It really isn't difficult to
built electronics that will read and replay the signals, the difficult
part is knowing what data needs to be sent backwards and forwards,
especially if there's encryption and a nonce involved so you can't
just record something and then replay it later.

Tim.
Reply With QuoteReply With Quote