Free Pizza

Download your 2 for 1 Pizza Express voucher

Navigation - link to other main sections from here

Skip Navigation

From The Times
June 21, 2008

Alert over security as researchers show Oyster card can be cracked with laptop

Alexi Mostrous

Millions of identity cards are carrying a serious security flaw that allows them to be cloned by anyone with a standard laptop,The Times has learnt.

The Mifare smartcard, which is used to gain access to thousands of schools, hospitals and government departments around Britain, as well as providing the technology behind 17 million Oyster cards for travel in London, was hacked into by scientists at a Dutch university.

Bart Jacobs, of Radboud University, used a commercial laptop to clone a swipe access card to a public building in the Netherlands. His team then travelled to London, where they used the same technique to ride on the Underground for a day without paying.

Security experts said that the breach posed a serious risk to security as swipe cards to sensitive areas could be cloned with ease.

Related Links

After learning of the breach in April, the Dutch Government posted armed guards outside all its buildings and it now plans to spend millions of euros upgrading its systems. It also postponed the introduction of a €1 billion transport payment system similar to the Oyster card until security issues were addressed.

“We take this extremely seriously,” a spokesman for the Dutch Interior Ministry said. “It’s a national security issue. We’re in the process of replacing the cards of all 120,000 civil servants at central government level at a cost of about €5 for each card.”

The Cabinet Office refused to confirm yesterday which government buildings used the system.

About ten million Mifare smartcards are sold in Britain each year, providing access to public buildings as well as cashless payment systems for transport systems and colleges. Six million were issued recently to pensioners for free travel on public transport.

“You only have to walk down the street to see contactless access control systems everywhere,” said Adam Laurie, a security researcher. “It used to be a magnetic strip, now it’s a card held up to a reader on the wall. A large percentage of these will have Mifare technology and are very vulnerable to attack. They should all be replaced.”

He added: “The cryptography is simply not fit for purpose. It’s very vulnerable and we can expect the bad guys to hack into it soon, if they haven’t already.”

To perform the London experiment, Dr Jacobs used a computer to reverse the Mifare algorithmic code, allowing him to put credit back on his Oyster card. The cards use a similar wireless technology to that found in biometric passports and the planned national identity card.

“When we found these vulnerabilities we gave a clear security warning to the Dutch Government, which was then passed on to the UK authorities in April”.

Buildings accessible by photo ID cards were particularly vulnerable to attack, Dr Jacobs said. “An employee can be cloned by bumping into that person with a portable card reader,” he said. “The person whose identity is being stolen may then be completely unaware that anything has happened.

“At the technical level there are currently no known countermeasures.”

The technology is owned by NXP Semiconductors, a company based in the Netherlands and founded by Philips. A spokesman for the company said: “We are aware that the Dutch researchers have reverse engineered the algorithm and we are taking this issue very seriously. We’ve informed all of our system integrators and advised them to closely assess their systems. We’re talking to the guys at Radboud University and have identified various counter measures.”

Transport for London denied yesterday that any security breach had taken place. “This was not a hack of the Oyster system,” a spokesman said. “It was a single instance of a card being manipulated.”

There are an estimated two billion Mifare Classic cards worldwide.

Bookmark and Share

Also in Tech & Web

Also in News

Twitter

Twitter logo

Follow Tech & Web

LADY GEEK

Real gadgets for real women!

Our columnist continues her campaign to kill off girly pink

Tech Central

Latest posts on the blog

DELL ADAMO XPS

Dell's super-thin new laptop reviewed

eureka magazine

The human brain

What's on your mind?

The Times unravels the secrets of the human brain

business gadgets

Toshiba TG01, exclusively on Orange in the UK

Smartphones, netbooks and more

All the latest gadgets for business rated and reviewed

TECHNOLOGY

ATD logo

Articles from our sister site:

Most Read

Skip Most Read

Today

MOST COMMENTED

Skip Editor's Pick

Today

MOST CURIOUS

Skip Most Curious

Today

Focus Zone

accenture

Need to Know:

Industry sectors news at a glance. Interactive heatmap, video and podcast

Winter Sports

Winter Sports:

Get ready for the winter sports season, with our resort guides and snow reports

lloyds

Mapping Business:

We are backing British business, what is the confidence of the nation and what businesses are succeeding?

More Reports

More reports:

Enjoy further reading from Travel to Fashion, Business to Sport, discover more

previous next
Times Mobile

Times Mobile

Get Times news, business and sport on your mobile. Text Times to 87700

Financial Brochures

Laptop computer showig a picture of a telephone on screen

Compare broadband deals

Save on broadband, TV & phone deals

A lawyer with gown and wig

Find a Lawyer

Cut your legal costs

crossword with Cross fountain pen.

Crossword Club

Sign up today or try one of our free demo crosswords

Generic photo of a job interview.

Free CV Review

Sell yourself! Have your CV reviewed by experts

Popular Searches on Times Online

2010 movies | books | crosswords | eureka | fashion | formula 1 | helping haiti | mortgages | movie trailers | obituaries | pensions | property | recipes | redundancy calculator | savings | sudoku | twitter | university guide | weather | wine

Shortcuts to help you find sections and articles

Classifieds 

Cars

Skip Cars of the Week

Porsche Carrera GT

2006/06
£POA
Surrey

Bentley Continental

2009
£114,950
Derbyshire

Car Insurance

The best policy at the
best price
Be Wiser Insurance

Bugatti Veyron Coupe


£POA
Surrey

Jobs

Skip Jobs of the Week
LEP GENERAL MANAGER

Highly competitive six figure
Nationwide
Swindon

Financial Controller

Competitive benefits package
Chartered Institute of Builders
Ascot

Business Analyst

Competitive salary + benefits
NHS Direct
London

Chief Operating Officer

£125K
Meltwater News
Nationwide Positions

Properties

Need a cash buyer for your home?

With Part Exchange Crest Nicholson could get you moving.

Bridges Wharf, Battersea

Award-winning riverside development, SW11.
Luxury apartments for sale from £350,000.

Mayfield Grange, Sussex

Find out more about our luxurious apartments and houses for sale in the heart of Sussex.

Edenarc 1800. Fab contemporary 4* ski in-ski out aparts

for sale in the French Alps
from E189,000.

Holidays

Skip Travel of the Week

Royal Caribbean Med Sale

We're offering extra savings on Voyager & Adventure of the seas Mediterranean Cruises fr £549.
Book by 28 Feb!

£899: 9 nights Las Vegas, Los Angeles and San Francisco holiday with helicopter flight included!

Includes 3* accommodation throughout, a 15 minute Apollo night helicopter flight down the Las Vegas strip and United Airlines flights from Heathrow.
Same break by air costs £189. Valid for weekend travel until 31 Aug 10.

Great Travel Insurance

Get covered on your travels with a superb range of policies at great prices
Visit InsureandGo.com

Luxury holiday villas in the south of France with pools – save over £500!

Family friendly villas with Quality Villas. Book with the specialists.


Place your advert now