Oyster hacked by open-source tool

A new open-source tool called Crapto1 could allow hackers free travel on the London Underground, by decrypting communication data between RFID chips and readers.

The Oyster card system is based around the Mifare chip which uses an encryption algorithm called Crypto1. An attack against this algorithm was recently detailed in an academic paper from the University of Radboud in Holland, and it is this attack which Crapto1 implements.

“I’m not aware of any other public implementations at this time, I decided to write my own. This code implements the cryptography needed, to decrypt captured communications between crypto1 based tags and readers. And even recover the shared secret,” says the project homepage on Google Code.

As well as powering the London Underground’s ticket system, MIFARE is also used in a similar way on the Dutch public transport system, and in numerous office secure-entry systems.

The project, created by a programmer going by the pseudonym blapost, is currently hosted on Google Code, where it can be freely downloaded. The software allows the access code of a Mifare chip to be decoded within two seconds on a standard PC, opening the door for manipulation of data stored on the card, such as the remaining balance on an Oyster card.

This would allow hackers to gain free access to systems such as that used on the London Underground, as the researchers from Radboud University did earlier this year.

“There is no evidence of the widespread cloning of Oyster cards, the system has not been hacked and there is no risk to card holders’ personal data as none is stored on the card,” exmplains a Transport for London (TfL) spokesperson. “Recent problems with the Oyster system are completely unrelated to this and have nothing to do with hacking.”

TfL has since terminated its contract with TranSys, the company that helped to develop the Oyster card system, although it denies that security is an issue, instead citing potential cost savings.