Dutch boffins clone Oyster card

Researchers of Radboud University in Nijmegen in the Netherlands managed to crack and clone London's Oyster travel card. They were able to take free rides on the Underground and even perpetrated a DDoS attack on a Tube gate. Researchers Wouter Teepe and Bart Jacobs used a regular laptop to put credit back on their Oyster card …

COMMENTS

This topic is closed for new posts.
  1. Jolyon Ralph
    Alert

    Um...

    I started to wonder why is the credit on the card and not stored in a central database (hint: network connectivity in buses?) - but there must be a way of centrally auditing all money in and out of the card with a central database to detect these things once it's used in a tube station or similar with a permanent connection to the master DB.

    Reminds me of the old 80s BT Phonecards that could be "recharged" with a bit of nail polish in the right place!

    Jolyon

  2. Patrick O'Reilly

    DDoS

    More on the DDoS attack please. Did that cause a fracture in the space-time continuum?

  3. Kenny Millar
    Dead Vulture

    DDoS

    Are you not going to tell us about the DDoS attack, or do we have to wait for the next installment?

  4. Mark Broadhurst
    Coat

    24 Hours

    If that's in tube minutes then about 3 months.

  5. pctechxp

    Oops

    Time to rethink Paywave, Visa? and Paypass, Mastercard?

  6. Pete
    Alert

    I wonder

    Are TfL going to ignore the researchers, ask them how they did it before the papers are published, or attempt to sue them for breaking into their systems and DDoSing one of their gates? How do you DDoS a gate anyway - hold up twenty cards at once to the reader? Or via its wiring, which is more mundane?

    Wonder if the gates at Cambridge station run on the same system, they look like they do. They'll be the first ones being down then.

  7. Anonymous Coward
    Happy

    DDOS

    Place a very large person in the way. That's a DoS attack

  8. Temp

    The obvious solution

    DDOS?

    So they clone everyone's cards and the system locks everyone out?

  9. Omer Ozen
    Paris Hilton

    Right ...

    So London Underground is thinking the crims will be too stupid to alter their card at the end of the day to get yet another 24h free ride or am I missing something that they do not tell us about - like the serial no on the card itself cannot be altered etc?

    I wish Paris would give me a free ride for 24h.

  10. Anonymous Coward
    Anonymous Coward

    DDoS attack

    "perpetrated a DDoS attack on a Tube gate"

    Did anyone notice...?!? Oh look another non working entry/exit gate.....

  11. peter Silver badge

    @I wonder

    My naive, uninformed guess is that they presented a card with malformed data which caused the gate software to hang or crash, so it couldn't read any more cards.

    But I agree it would be nice to know for certain.

  12. Ash

    DDoS?

    How do you perform a DISTRIBUTED Denial of Service attack on one terminal, with one cloned card?

    Surely that's just DoS?

    </pedant>

  13. Anonymous Coward
    Boffin

    DDoS..

    The author probably just means DoS, unless the perpetrators were spread out around the underground network and used very long arms to swipe cards past the gate...

  14. Nigel
    Alert

    Can't do on-line DBMS

    The cost of an on-line DBMS that could process a transaction for every passenger starting a journey during rush-hour would be horrendous. Further, it would need to process all the transactions within a second or so of real-time to keep the passengers flowing through the gates.

    So, much smarter for every barrier to process the transaction locally and send a record of it to a central computer for auditing later. This process will pick out any card that's been topped up by means other than buying credit, and get the card onto the list of "hot" blocked cards, which is then distributed to the gates for local rejection of the bad cards.

    So I believe them when they say that the worst that can happen is a day's fare-dodging. The bigger danger is if someone can completely clone a card by remote wireless access to your pocket (as opposed to hacking extra credit into a unique legitimate card), then they could repeat the exercise daily, and legitimate cards will frequently get blocked. We'll end up having to invest in tinfoil-lined wallets, and extract our cards at the gates like we used to do with paper ones. Sigh.

  15. David Pollard

    @Jolyon Ralph

    Q. "I started to wonder why is the credit on the card and not stored in a central database"

    A. Because the government gets its paws on people's credit quickly enough already; and it's the duty of every citizen (subject in the UK) to play their part in curbing the irresponsibility of our leaders (as our public servants are now known).

    Well done, Radboud. Keep up the good work.

  16. Tony Hoyle

    DDoS or DoS?

    That wouldn't be a DDoS though, that'd be a DoS attack.

    DDoS implies it was some kind of distributed attack - maybe using the same card in multiple gates at the same time crashes the system or something?

  17. pctechxp

    @Jolyon

    Think Vodafone had a similar issue with the early PAYT SIM cards, I've been told you could get hacked ones back then whose credit would never decrease because the value was written to the card itself rather than it simply giving the network an indication of which account to deduct credit from.

    Travel in London is bloody expensive, maybe if TfL lowered the charges it might dissuade people from trying to hack?

  18. Rob Crawford
    Paris Hilton

    @ Pete

    > Are TfL going to ignore the researchers, ask them how they did it before the papers are published, or attempt to sue them for breaking into their systems and DDoSing one of their gates?

    Yes, NO and probably (in that order.)

    @ Jolyon Ralph

    Long time no see Comrade

    Paris, cos even she makes more sense than TfL

  19. Paul
    Boffin

    RE: Jolyon Ralph

    That's exactly how it is done.

    The credit value is stored both on the card and on a central database because it's not possible for real time authentication via the central server for all transactions. So instead the transactions are logged, and the readers take the card's balance at face value, and the money is taken off the card. Then there is a nightly audit run through where the transactions are processed on the central server, taking the balance off there and comparing the card's stated balance with what the actual balance should have been.

    This is why they state that the most you can gain from this is one day's travel; the nightly audits will flag up any discrepancies in the value the card states and the value in the central database, and will therefore flag the card as being cloned.
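The offline-gate-plus-nightly-reconciliation scheme that Nigel and Paul describe above, as an added toy model that is not from the page, TfL or the Radboud researchers; the gate behaviour, card ids, fares and balances are all assumed and constructed:

```python
# Added example (not TfL's code): a toy model of "trust the card offline,
# reconcile overnight, push a hot list to the gates". All data is constructed.
from dataclasses import dataclass, field


@dataclass
class Gate:
    """An offline gate: it trusts the card's stored balance and logs the tap."""
    hot_list: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def tap(self, card: dict, fare: int) -> bool:
        if card["id"] in self.hot_list or card["balance"] < fare:
            return False
        # Record the balance the card *claimed* before the deduction.
        self.log.append((card["id"], card["balance"], fare))
        card["balance"] -= fare
        return True


def nightly_audit(ledger: dict, log: list) -> set:
    """Replay the day's taps against the central ledger of genuine top-ups.

    ledger maps card id -> centrally known balance (pence). A card that
    presented more credit than the ledger says it could have had was
    topped up by means other than buying credit, so it is flagged.
    """
    flagged = set()
    for card_id, claimed, fare in log:
        expected = ledger.get(card_id, 0)
        if claimed > expected:
            flagged.add(card_id)
        ledger[card_id] = expected - fare  # central balance follows the fare
    return flagged


def run_day() -> tuple:
    """One day of travel, the audit, and the tampered card's next tap."""
    ledger = {"card-A": 500, "card-B": 500}      # pence, from real top-ups
    honest = {"id": "card-A", "balance": 500}
    tampered = {"id": "card-B", "balance": 5000}  # credit written to the card
    gate = Gate()
    for card in (honest, tampered):
        gate.tap(card, 200)                       # both accepted at face value
    flagged = nightly_audit(ledger, gate.log)
    gate.hot_list |= flagged                      # hot list pushed to the gates
    next_day = gate.tap(tampered, 200)            # rejected locally
    return flagged, next_day, tampered["balance"]
```

The tampered card rides for the one day before the audit runs; after that the gate rejects it from its local hot list without asking the central server.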

  20. /\/\j17

    DDoS

    Unless the Reg./researchers boys are being liberal with their Ds then we are talking about a Distributed attack - so one assumes (say) 5 people with 5 identical cards walking through 5 adjacent barriers and swiping at the same time = system has a fit.

  21. Rob Holmes
    Happy

    DDoS on a gate

    Anonymous Coward Wrote:

    Place a very large person in the way. That's a DoS attack

    --------------------------

    DDoS attack therefore is to place several very large people in the way, possibly wedging them in to the gate itself :D

    Not very technical I admit, but effective nonetheless.

  22. Anonymous Coward
    Flame

    DDoS?

    I can easily see how to perform a DoS attack on a gate, but a DDoS? How distributed can an attack be on a particular gate, or did it involve having someone each side with a 'faulty' card near enough to the reader that it can't read the real one?

    Or is it just a spolling mistook and it should be just a plain old DoS attack?

  23. JonDoe
    Coat

    @AC "DoS"

    "Place a very large person in the way. That's a DoS attack"

    Which presumably means using 4 small people instead is a DDoS attack...

  24. Anonymous Coward
    Boffin

    DDoS...

    Where are the pedants today? It's hardly a 'Distributed' attack, just a DoS please.

  25. steogede

    @ Jolyon

    >> I started to wonder why is the credit on the card and not stored in a central database (hint: network connectivity in buses?) - but there must be a way of centrally auditing all money in and out of the card with a central database to detect these things once it's used in a tube station or similar with a permanent connection to the master DB.

    I would suspect that is the case exactly. If some or all of the machines are offline, they can only check for fraud once they have all the data back for any given period. Hence the reason for the 24 hour delay I suppose.

    >> So London Underground is thinking the crims will be too stupid to alter their card at the end of the day to get yet another 24h free ride or am I missing something that they do not tell us about - like the serial no on the card itself cannot be altered etc?

    The article talked about adding credit to the card, it didn't mention the ability to modify the card's ID. So you might be able to get 24-hours free travel, but it will cost you £8 (£5 minimum credit, £3 deposit) - admittedly you get £5 credit, plus a free day's travel.

  26. michael W
    Flame

    24 hour

    I don't see how the 24 hour lockup will stop anything.

    I was able to order about 8 free cards under false names a while ago, that would give me a week's worth of free travel.

    Just need to rinse and repeat.

  27. /\/\j17
    Pirate

    @JonDoe

    "Place a very large person in the way. That's a DoS attack"

    Which presumably means using 4 small people instead is a DDoS attack...

    No - you're failing to comprehend just HOW large a person we are talking about.

    For a DDoS you just need one REALLY fat person who is actually wide enough to block 3 turnstiles!

  28. Anonymous Coward
    Anonymous Coward

    @pctechxp

    It was actually on O2 PayG - specifically the original Philips phones.

    I saw a working prototype of one such modified phone where the credit was shown to me as 10 pounds and then a call was made, the credit had gone down as it should have. The phone was then switched off, then back on. A further credit check showed 10 pounds of credit back on the phone.

    I can't see why they didn't do some simple nightly checks on amounts topped up / amounts used per PAYG SIM to block these dodgy phones but they apparently never did. The person who demo'd the phone to me had used one for months without being caught.

    Oh, and how big are the "reject" databases that each Oyster reader must have locally? Surely they will fill up over time?

  29. alex dekker

    re: Can't do on-line DBMS

    "We'll end up having to invest in tinfoil-lined wallets, and extract our cards at the gates like we used to do with paper ones. Sigh."

    Funnily enough, that's exactly what one R.M. Stallman suggested - google for "stallman oyster foil". And they say RMS is crazy!

  30. Anonymous Coward
    Pirate

    @ pctechxp

    Think Vodafone had a similar issue with the early PAYT SIM cards, I've been told you could get hacked ones back then whose credit would never decrease because the value was written to the card itself rather than it simply giving the network an indication of which account to deduct credit from.

    Close, but it was Cellnet, specifically the Philips C12 that stored the credit in the handset and I'm convinced (or my memory is..) it was a PIC chip inside the phone that re-set the credit when it was rebooted. I assume BT could track them, i.e. a phone that's made lots of calls but never had credit applied, and killed the SIM card in them.

  31. Rob Crawford

    Regarding authentication

    It's also unlikely that cards are immediately authenticated against the database on bus journeys. Also, I assume that the inspectors accept the card's contents at face value.

    I vaguely remember TfL claiming that they wanted to allow the Oyster card to be useable for small transactions in newsagents and the like, which would make such an attack more interesting. As I doubt that every contactless transaction would be authenticated at purchase time in smaller shops.

    Where the attack interests me is cloning other people's cards, and it's the genuine owner whose card gets disabled the next day. How many cards could a small team disable in one day?

    Before anybody says that you can't write a new serial number to one of these cards, remember it doesn't have to be a genuine chip in a card, just something that behaves like an original and has the visual appearance of a real card.

    I'm sure there are plenty of far east manufacturers who will produce a card that looks like an Oyster card but with custom internals.

  32. Nile Heffernan

    What's it worth?

    Oyster is an example of cash-on-a-card. In theory, you could make it a debit card, contacting a central database - your bank account - for every single transaction. In practice this is simply too slow for a system designed for millions of frequent small payments, especially if those payments have to be made very quickly - which, for a mass transit system, is vital.

    The process that you're missing is the overnight reconciliation, which matches up the daily payments on the card to the purchases and top-ups. Faking a top-up involves subverting the central server; a much tougher proposition than fiddling with a card. This places an upper bound on the amount that can be stolen, as there is a time limit on the card's usability.

    Ticket collectors (we still use the term!) have Oyster card readers that check the card's self-contained cash balance and/or validity for particular services. They don't validate the card against the overnight run - not at present - but I am certain that this will now change. So a fiddled card will soon be at risk from spot checks, too.

    The next point to note is that we're talking small sums of money; it isn't - or shouldn't - be worth man-days of a software engineer's time to get a day's free travel. However, Londoners spend several thousand pounds a year on transport, and there are a lot of very bright teenagers out there who would do it for free.

    Elsewhere, other cities are looking at Oyster cards issued by their Mass Transit Authority for small purchases - the typical commuter's newspaper and coffee from the kiosk on the station. I think this latest security lapse may be a setback.

    The question is now a matter of cost vs risk and benefit: if the hack goes mass-market, will it be worth doing on a large scale? And is the system flexible enough for *regular* revisions and upgrades to the security schema?

    Finally, I have to point out that it isn't just the money or teenage wannabe-hacker kudos. Oyster is a significant surveillance resource, and the ability to temporarily clone someone else's ID is an effective way of deflecting unwelcome attention from your movements. If it becomes impossible to purchase a one-day Oyster card without being photographed, even the most law-abiding citizen might, from time to time, look upon the ability to travel anonymously as being worth far more than the price of the train fare and a coffee.

  33. paul fox
    Thumb Down

    Vapourware hack - but done already

    Yawn. We demonstrated this at BlackHat last year... There are so many cameras and other deterrents on the tube, that I don't know who will use this type of fraud. Terrorists will buy proper tickets, Kids get free travel. Maybe organised crime can do a massive DDOS, but how will that work?

  34. Bill Code

    A film was made a few months back on the Mifare hack...

    http://video.google.com/videoplay?docid=1286650238246340141&q=how+to+clone+an+oyster+card&ei=JAxgSPXkD5H-jQKZ6v1C

  35. Anonymous Coward
    Linux

    contactless payment

    It all starts to add up over the course of a day.

    First you get free London transport - got to be worth 8-12 GBP, equivalent to a travelcard depending on travel zones and on/off peak.

    In central London near stations and (ironically cash rich areas) such as Fleet Street, coffee bars etc. are accepting Paywave (Oyster could follow? - heaven forbid there was an interoperable standard)

    //loop//

    A small cup of coffee in London is even more expensive than a litre of fuel! So another few quid there....

    Add a sandwich, again another few quid.

    Add a couple of papers or magazines....

    Repeat this for breakfast, lunch and maybe on the way home.

    //End loop//

    You could soon run up a bill in central London in the ball park of 20-30 GBP.

  36. Paul Banacks

    DoS and 24 hour limit...

    DoS of a radio system presumably is quite easy... just get a sufficiently powerful transmitter on the right frequency and block out the airwaves.

    DDoS is subtle though and comes from the 24 hour claim. If you managed to clone and use 100 cards in one day by skimming the details from people's pockets, not only would you get free travel but when the LUL scan for discrepancies happens it would presumably lock out all 100 of those cards!

  37. CastorAcer
    Pirate

    DDoS

    I wonder whether the DDoS attack is something along the lines of the terminals only having a limited memory for blacklisted cards or performance degrading with longer blacklists?

    A large number of bad cards could do very bad things to the system.

  38. Anonymous Coward
    Paris Hilton

    BT Cellnet hack.

    Ahhh - those were the days. Storing the credit on an EEPROM in the handset was a mighty silly idea. The 'phones were specifically the Philips C12 and Diga, and the PIC chip program simply copied the credit balance (and the EEPROM checksum) into unused locations on the EEPROM when the handset was powered up, then restored the copies (and erased them) back to their original locations just before powering down.

    BT eventually invested in the infrastructure to track misuse of these 'phones and remove both IMSI (handset) and IMEI (SIM) from their network, but it was just a classic example of expediency before common sense....

    Kind of like every half-baked IT project in this country!

    Paris, because I bet she thought it was a good idea at the time.....

  39. Rob Crawford

    @paul fox

    But remember in this world everything is ignored unless it is demonstrated either by an academic or a TV reporter
