Arphid Watch: Hackers Crack London Tube's Ticketing System | Autopia from Wired.com

(((These are Chaos Computer Club guys and Dutch guys ganging up on the hapless British, but the British are starting to look like the computer-security newbie putzes of the universe. Just wait till it dawns on the increasingly paranoid British public that (a) Oysters are, in reality, spychip leeches that cling to you and can be used to track you anywhere and (b) now any ID thief can clone you just by standing next to you with some kiddie-script and a scanner.)))

http://blog.wired.com/cars/2008/06/hackers-crack-l.html


Dutch security researchers rode the London Underground free for a day after easily using an ordinary laptop to clone the "smartcards" commuters use to pay fares, a hack that highlights a serious security flaw because similar cards provide access to thousands of government offices, hospitals and schools.

There are more than 17 million of the transit cards, called Oyster Cards, in circulation. Transport for London says the breach poses no threat to passengers and "the most anyone could gain from a rogue card is one day's travel." But this is about more than stealing a free fare or even cribbing any personal information that might be on the cards.

Oyster Cards feature the same Mifare chip used in security cards that provide access to thousands of secure locations. Security experts say the breach poses a threat to public safety and the cards should be replaced.

"The cryptography is simply not fit for purpose," security consultant Adam Laurie told the Telegraph. "It's very vulnerable and we can expect the bad guys to hack into it soon if they haven't already."

The Dutch government has taken the breach seriously and says it is upgrading the smartcard system that secures its buildings. "It's a national security issue," a spokesman for the Dutch Interior Ministry told reporters. "We're in the process of replacing the cards of all 120,000 civil servants at central government level." (((Oh man, and then it starts getting worse.)))

http://www.pcworld.com/article/id,143371-c,privacysecurity/article.html

(((SANS:)))

–Dutch Researchers Break Mifare RFID Technology

(June 21 & 23, 2008)

Researchers at a Dutch university have broken the security of the Mifare RFID chip, which is used in the Oyster card, a prepaid smartcard used for travel on UK public transportation. Mifare RFID technology is also used in the UK to access government departments, hospitals and schools. The research was presented to the Dutch Parliament, which earlier this year postponed implementation of a prepaid transportation smartcard based on the same technology. The Dutch government is also replacing Mifare cards used to access government buildings.

http://www.zdnet.co.uk/misc/print/0,1000000169,39437719-39001093c,00.htm

http://www.vnunet.com/vnunet/news/2219828/london-oyster-cracked

http://www.telegraph.co.uk/news/newstopics/politics/2168791/Oyster-card-fears-over-Mifare-security.html

http://www.theregister.co.uk/2008/06/23/dutch_clone_oyster_card/print.html

[Editor's Note (Schultz): Over the past few years we've seen repeated claims concerning security weaknesses in the RFID chip. It was only a matter of time before there was a proof of concept of how these weaknesses can be exploited in real life settings.]

(((This wouldn't be such a big deal IF there wasn't so much spyware mission creep in RFID chips. Imagining obscurity is security, authority figures have trusted these things and built all kinds of semilegitimate or outright spookware apps on top of them. So while the British are blathering that there's no big whoop, the Dutch are coming out of their skins... who do you think is being franker about the scope of the trouble here?)))

(((Includes a &%$$ DOS attack, which would potentially jam London commuters into large slaughterable packs of victims as they found themselves unable to enter the underground. Oh the joy.)))

http://www.techradar.com/news/world-of-tech/oyster-card-cloned-398826

"More worryingly, the team also instigated a DDoS (denial of service) attack on a tube gate, putting it out of service.

"The 'research' was undertaken by researchers Wouter Teepe and Bart Jacobs. According to the pair, all they used was a regular laptop, where they managed to top-up their cards with credit, without actually paying any money...."