Is your Oyster card safe from hackers?

Could the RFID chip used in London Transport's Oyster card be hacked into?

While ‘touching in’ and ‘touching out’ with an Oyster card has undoubtedly made getting around London’s public transport system a whole lot easier, there are fears that the security of the RFID chips used in the cards could be compromised.

Back in January, University of Virginia graduate student Karsten Nohl revealed that his research team had cracked the algorithms that protect data held on RFID-equipped ‘smart cards’ like the Oyster card.

“We reverse-engineered the cryptographic components of the MIFARE Classic RFID tags. This type of card is used in various micro-payment applications including the Oyster card,” Nohl said in a press release at the time.

In response, NXP Semiconductors (NXP), the company that manufactures the MIFARE Classic, said it would look into the issue. Last week NXP announced the introduction of the MIFARE Plus.

According to NXP, the MIFARE Plus improves considerably on the security of the Classic by employing a 148-bit key length compared to the Classic’s 48 bits. This is in addition to a number of “additional safety features,” so the company claims.

17 million compromised cards?

Unfortunately though, MIFARE Plus cards are not due for release for another year yet, meaning the current generation of Oyster cards, as carried by 17 million passengers across London, employ the now compromised MIFARE Classic chip.

When TechRadar contacted Transport for London (TfL) for comment a spokesperson simply told us: "The security of the Oyster system has never been breached. We run daily tests for clone cards or rogue devices and none have been discovered.”

When pressed on whether TfL has any plans to switch to the more secure MIFARE Plus chip next year, their spokesperson referred us to TranSYS, who work in partnership with TfL to supply and run the Oyster card system.

Old technology?

TechRadar spoke with Richard Rowlands, director of engineering at TranSYS, who told us that the current Oyster card was chosen long before researchers like Karsten Nohl had begun to reveal potential vulnerabilities with the technology.

“It was picked eight or nine years ago. That was the card that was around then. However, we are engaged in evaluating other cards, including the MIFARE Plus,” Rowlands explained.

As regards the security of current Oyster cards, TranSYS remain as adamant as TfL that their cards are safe: “There are two levels of security: system level security and card level security,” Rowlands explained. “No personal information is stored on the cards anyway,” he added.

Here at TechRadar we’re not entirely convinced by the official reassurances of TranSYS and TfL, though. In a sector where consumer confidence regarding security is of critical importance, we’d expect to hear nothing less.

Fort Knox

The cold hard truth is that however hard the operators tout their hitherto flawless security record, the research of Karsten Nohl and his colleagues demonstrates that RFID technology is not entirely impenetrable. Nor is it ever likely to be.

That said, there's certainly no need for wholesale panic just yet either. Unless you happen to be a private investigator working on an infidelity assignment there’s very little, if anything, to be gained by mining the personal travel data of individual Oyster users.

Are smartcards smart enough?

No, the real security threat arises when multiple services are combined on a single RFID-equipped smartcard in the name of ‘convenience’. When smartcards carry a user’s banking details as well as their travel pass, they instantly become a much more lucrative target.

Last year TfL in connection with Barclaycard launched the Barclaycard OnePulse. This 3-in-1 smart card triples up as a transport pass, a low-level ‘one touch’ payment card, and a standard chip and PIN debit card.

While there have not yet been any reports of the OnePulse card being compromised, it’s exactly the type of RFID-equipped smartcard that the tech-savvy criminal underworld would be interested in.

It seems RFID technology is set to become just one more tech battleground where manufacturers are under immense pressure to stay one step ahead of the hackers.
