London transit cards cracked and cloned

Researchers clone public transit cards in London to demonstrate vulnerabilities in the Mifare Classic smartcard used for transit and work access systems worldwide.

Robert Vamosi Former Editor

Last week a Dutch researcher rode free on the London transit system after hacking its card system; he used a clone of a paying passenger's transit card. His point? The transit smartcards, which are used by millions worldwide, are vulnerable to attack.

Dr. Bart Jacobs of Radboud University in Holland used an ordinary laptop to show how to clone the Mifare Classic smartcard used in London's Oyster transit card. The Mifare Classic smartcard is used for worker access cards as well.

Once he had obtained the key used by the London transit system, Dr. Jacobs brushed up against passengers carrying Oyster cards. He wirelessly collected each person's card information on his laptop, and later used that data to clone a fresh transit card and gain free access to the London transit system.

You can watch a video of a similar attack conducted on work access cards.

"You only have to walk down the street to see contactless access control systems everywhere," Adam Laurie, a wireless security researcher, told the London Times. "It used to be a magnetic strip, now it's a card held up to a reader on the wall. A large percentage of these will have Mifare technology and are very vulnerable to attack. They should all be replaced."

The Dutch government is already taking that advice. A ministry official told the Times that the government is replacing the cards of all 120,000 civil servants at central government level. A spokesperson for the London transit system downplayed the importance of Dr. Jacobs' experiment and told the Times, "This was not a hack of the Oyster system. It was a single instance of a card being manipulated."

The Mifare Classic is produced by NXP Semiconductors, a company based in the Netherlands. The encryption used in the cards has been shown to be broken. Newer Mifare cards are more secure, but the Classic version remains popular, with over 500 million cards in use worldwide.

In the United States, Boston's Charlie transit card is based on the Mifare Classic technology. Mifare Classic is also used for transit systems or worker access in Hong Kong, Beijing, Madrid, Bangkok, and New Delhi.