Oyster hack report published online
October 7, 2008, Web User
Hackers from the Netherlands have published details online of how to hack the smart cards used by commuters in London.
In June, a team of scientists from Radboud University in Nijmegen revealed a weakness in the Mifare Classic RFID (radio-frequency identification) chip, which is embedded in Oyster cards and building-entry systems.
However, Professor Bart Jacobs, the lead researcher, was prevented from publishing the details of how his team compromised the chip until yesterday.
Chip manufacturer NXP initially secured a court injunction against its publication, but it was overturned.
Smart cards using the Mifare Classic chip use a unique number - the key or identity - which is encrypted. When the chip is placed near a reader it sends and receives information based on the key.
Professor Jacobs and his team discovered a flaw in the chip design that allowed them to calculate and copy key codes. However, he said this is "not a guidebook for attacks".
In June the team successfully trialled their experiment on the London Underground, which uses the Oyster card system to allow commuters to touch in and out.
Both NXP and the Dutch government were informed of the team's discovery, but the chip manufacturer took legal action to delay publication of the team's reports so that its customers could update their security systems.