July 22nd 08, 02:05 PM, posted to uk.transport.london
google@woodall.me.uk[_2_]
Oyster card hack

On Jul 22, 1:53 pm, Mr Thant wrote:
> On 22 Jul, 13:39, " wrote:
>
> > It depends on whether all the card transmits to the gate is the serial
> > number or whether it includes some extra information - e.g. last gate
> > to have gone through and whether that can be checked by the central
> > system. I've not looked into how oyster works at all - I don't know
> > whether the gates rely on a real time connection to the central system
> > or not.
>
> The card has its own memory and enough information onboard that it can
> be authorised/charged/whatever without checking any central databases.
> Ticket barriers are online (i.e. have a live network connection) but
> it would be impractical for them to check a central database during
> every touch. Bus ticket machines are offline and rely on nightly
> downloads at the depot. Not sure about standalone validators and other
> edge cases.

Hmmm. ISTM that, at the very least, the card must be transmitting the
cost of bus journeys and the cost of tube journeys and what zones have
been used.

Assume a card has been used off peak in only zones 1 and 2 and the
current daily charge is 4.50 with 0 balance left on the card. When you
get on a bus, the card should let you on if you've already reached the
3.00 bus cap. But it should not let you on if that 4.50 is all tube
journeys because you need another 30p to get up to the 1-2 cap.


The more I think about this the more likely I think it is that there
will be viable exploits. If the serial number on the card can be
reprogrammed then I expect home kits and programs to abuse the system
will not take long to appear in the underworld. If the serial number
cannot be reprogrammed then I think that's less likely.


What would be really neat (but almost certainly not possible using a
standard Oyster card) would be to have "magic" cards that change their
number.

For example, a Sunday trip from Watford Junction to London with enough
zone 1 travel to pass the z1-2 cap is cheaper with two cards - 3.00
each way from WJ-Euston plus 4.80 z1-2 cap. (Z1-8+WatfordJ cap is
12.60.) In theory it's maybe possible for the card to tell where it's
being touched in or out before it reveals its serial number (at the
very least it could possibly start a corrupted transmission first
time). So rather than having to have two cards and remember which one
to use when, the card could handle all that logic for you.

(You can do even better if you touch out/in at Willesden Junction -
total journey cost 6.80 - but that requires you to take the slow
train. I can't see how any hack is going to be able to generate a
valid touch out. I can see that a faked touch in might be possible.)

Tim.