|
Oyster card hack
"Details of how to copy the Oyster cards used on London's transport network
can be published, a Dutch judge has ruled. " See http://news.bbc.co.uk/1/hi/technology/7516869.stm MaxB |
Oyster card hack
"Batman55" gurgled happily, sounding much like
they were saying: "Details of how to copy the Oyster cards used on London's transport network can be published, a Dutch judge has ruled. " See http://news.bbc.co.uk/1/hi/technology/7516869.stm MaxB And quite right too. Security by obscurity is a laughable farce. |
Oyster card hack
Adrian wrote:
"Batman55" gurgled happily, sounding much like they were saying: "Details of how to copy the Oyster cards used on London's transport network can be published, a Dutch judge has ruled. " See http://news.bbc.co.uk/1/hi/technology/7516869.stm MaxB And quite right too. Security by obscurity is a laughable farce. Indeed. What NXP were trying to do smacks of claiming you can walk safely off Beachy Head after banning the teaching of the Theory of Gravity. Tom |
Oyster card hack
On Jul 21, 6:25 pm, Tom Barry wrote:
Adrian wrote: "Batman55" gurgled happily, sounding much like they were saying: "Details of how to copy the Oyster cards used on London's transport network can be published, a Dutch judge has ruled. " Seehttp://news.bbc.co.uk/1/hi/technology/7516869.stmMaxB And quite right too. Security by obscurity is a laughable farce. Indeed. What NXP were trying to do smacks of claiming you can walk safely off Beachy Head after banning the teaching of the Theory of Gravity. I notice LUL are still claiming Oyster security is perfectly ok. Do they live in a parallel universe or something? The sooner this whole Oyster card b0ll0cks is blown apart the better , then we can get back to normal tickets without any you-forgot-to-touch- out scams. B2003 |
Oyster card hack
On Jul 22, 9:40 am, wrote:
On Jul 21, 6:25 pm, Tom Barry wrote: Adrian wrote: "Batman55" gurgled happily, sounding much like they were saying: "Details of how to copy the Oyster cards used on London's transport network can be published, a Dutch judge has ruled. " Seehttp://news.bbc.co.uk/1/hi/technology/7516869.stmMaxB And quite right too. Security by obscurity is a laughable farce. Indeed. What NXP were trying to do smacks of claiming you can walk safely off Beachy Head after banning the teaching of the Theory of Gravity. I notice LUL are still claiming Oyster security is perfectly ok. Do they live in a parallel universe or something? The sooner this whole Oyster card b0ll0cks is blown apart the better , then we can get back to normal tickets without any you-forgot-to-touch- out scams. We don't know what the technique is yet. But assuming TfL have cameras watching all the gates and centralized instant access to every card being used then it's not going to be too easy to exploit even if cloning the card is a simple as running it through a photocopier. The easiest exploit is going to be when a few people get together to exploit the cap. Assuming that only one person uses the card at a time then AFAIAA technically they're not breaking the rules so long as they actually exchange the card. Cloning allows them to skip the need to physically swap the card but can be detected if the card is used at two remote stations too quickly. I don't know if weekly travelcards need photo ID as well. If not then that's potentially another exploit for people who travel between ungated stations. Because it's not necessary to touch in/touch out with a travelcard, the chance of both clones getting inspected close enough in time to detect a duplication is probably minimal. Of course, the obvious initial step to stop this will be to make it a requirement for travelcard holders to touch in and touch out - although I believe there are still some stations where this isn't possible there are going to be few journeys where it can't happen at either end. It's also possible that the central computer can detect a card being used that has a "missing" journey on it - I'm not sure how much information is recorded on the card - which would make using even a cloned, capped, PAYG stick out like a sore thumb. The other attack is to clone someones card as then exit the tube - shouldn't be too hard to scan their card if, like me, they just stick it in their trouser pocket and the area is crowded enough. If it's then trivial to clone that info onto another card then someone could make a free journey with no flags showing. It would be the innocent cardholder who would get flagged. But again, such an attack is going to show up on CCTV eventually and it's going to involve at the very least people wandering around with laptops to read and reprogram cards and I don't see it as being a significant revenue risk to TfL - although it could be a significant risk to users if they're one of the unlucky ones who's card gets cloned. Expect wallets with tinfoil so you have to open the wallet to let the card be read if this sort of attack looks like it might be happening. Tim. |
Oyster card hack
On Jul 22, 10:24 am, "
wrote: We don't know what the technique is yet. But assuming TfL have cameras watching all the gates and centralized instant access to every card being used then it's not going to be too easy to exploit even if cloning the card is a simple as running it through a photocopier. Most CCTV images are rubbish and I doubt they'll have the police on standby all to catch the person next time they try and use a gate. As soon as the card is blocked they'll bin it and use another. actually exchange the card. Cloning allows them to skip the need to physically swap the card but can be detected if the card is used at two remote stations too quickly. It all depends if the serial number can be modified. According to this document: http://www.nxp.com/acrobat/other/ide...S50_rev5_3.pdf its write protected after manufacture. Though given NXPs recent bluffing I'd take that with a pinch off salt. Assuming they can change the serial number and the gates don't store a complete list of valid cards its simply a matter of changing the number as soon as the card is blocked. I don't know if weekly travelcards need photo ID as well. If not then I don't think they've needed a photo card for a long time. The other attack is to clone someones card as then exit the tube - shouldn't be too hard to scan their card if, like me, they just stick it in their trouser pocket and the area is crowded enough. If it's No , thats probably not possible. This isn't a powered wireless system such as bluetooth waiting to be contacted. Its powered by the RF it gets through its antenna and for that to be strong enough its got to be very close to the transmitter coil or you need a socking powerful transmitter which isn't going to fit in the palm of someones hand and would probably give the user RF burns even if it did. Even if you could power up an Oyster from a few feet away odds are you might not be able to read the reply anyway if it gives off a really low power signal. B2003 |
Oyster card hack
On Jul 22, 10:56 am, wrote:
On Jul 22, 10:24 am, " wrote: We don't know what the technique is yet. But assuming TfL have cameras watching all the gates and centralized instant access to every card being used then it's not going to be too easy to exploit even if cloning the card is a simple as running it through a photocopier. Most CCTV images are rubbish and I doubt they'll have the police on standby all to catch the person next time they try and use a gate. As soon as the card is blocked they'll bin it and use another. actually exchange the card. Cloning allows them to skip the need to physically swap the card but can be detected if the card is used at two remote stations too quickly. It all depends if the serial number can be modified. According to this document: http://www.nxp.com/acrobat/other/ide..._MF1ICS50_rev5... its write protected after manufacture. Though given NXPs recent bluffing I'd take that with a pinch off salt. Assuming they can change the serial number and the gates don't store a complete list of valid cards its simply a matter of changing the number as soon as the card is blocked. It depends on whether all the card transmits to the gate is the serial number or whether it includes some extra information - e.g. last gate to have gone through and whether that can be checked by the central system. I've not looked into how oyster works at all - I don't know whether the gates rely on a real time connection to the central system or not. I don't know if weekly travelcards need photo ID as well. If not then I don't think they've needed a photo card for a long time. The other attack is to clone someones card as then exit the tube - shouldn't be too hard to scan their card if, like me, they just stick it in their trouser pocket and the area is crowded enough. If it's No , thats probably not possible. This isn't a powered wireless system such as bluetooth waiting to be contacted. Its powered by the RF it gets through its antenna and for that to be strong enough its got to be very close to the transmitter coil or you need a socking powerful transmitter which isn't going to fit in the palm of someones hand and would probably give the user RF burns even if it did. Even if you could power up an Oyster from a few feet away odds are you might not be able to read the reply anyway if it gives off a really low power signal. B2003 I wasn't considering reading it from more than an inch away. That's why I said a crowded station. If you need to read a card then you just stand near to the exit gates and watch until you see someone pass though and then stick the card in an easily accessible point. You then "accidentally" bump them. Now you've got whatever information the gate was expecting to see on the next trip. It really doesn't matter if the serial number is written to the card in such a way it cannot be modified. It really isn't difficult to built electronics that will read and replay the signals, the difficult part is knowing what data needs to be sent backwards and forwards, especially if there's encryption and a nonce involved so you can't just record something and then replay it later. Tim. |
Oyster card hack
On 22 Jul, 13:39, " wrote:
It depends on whether all the card transmits to the gate is the serial number or whether it includes some extra information - e.g. last gate to have gone through and whether that can be checked by the central system. I've not looked into how oyster works at all - I don't know whether the gates rely on a real time connection to the central system or not. The card has its own memory and enough information onboard that it can be authorised/charged/whatever without checking any central databases. Ticket barriers are online (i.e. have a live network connection) but it would be impractical for them to check a central database during every touch. Bus ticket machines are offline and rely on nightly downloads at the depot. Not sure about standalone validators and other edge cases. I wasn't considering reading it from more than an inch away. That's why I said a crowded station. If you need to read a card then you just stand near to the exit gates and watch until you see someone pass though and then stick the card in an easily accessible point. You then "accidentally" bump them. Now you've got whatever information the gate was expecting to see on the next trip. I think it's been demonstrated that passive cards (like Oyster) can be read from at least a few feet away with the right equipment. U -- http://londonconnections.blogspot.com/ A blog about transport projects in London |
Oyster card hack
On Jul 22, 1:53 pm, Mr Thant
wrote: On 22 Jul, 13:39, " wrote: It depends on whether all the card transmits to the gate is the serial number or whether it includes some extra information - e.g. last gate to have gone through and whether that can be checked by the central system. I've not looked into how oyster works at all - I don't know whether the gates rely on a real time connection to the central system or not. The card has its own memory and enough information onboard that it can be authorised/charged/whatever without checking any central databases. Ticket barriers are online (i.e. have a live network connection) but it would be impractical for them to check a central database during every touch. Bus ticket machines are offline and rely on nightly downloads at the depot. Not sure about standalone validators and other edge cases. Hmmm. ISTM that, at the very least, the card must be transmitting the cost of bus journeys and the cost of tube journeys and what zones have been used. Assume a card has been used off peak in only zones 1 and 2 and the current daily charge is 4.50 with 0 balance left on the card. When you get on a bus, the card should let you on if you've already reached the 3.00 bus cap. But it should not let you on if that 4.50 is all tube journeys because you need another 30p to get up to the 1-2 cap. The more I think about this the more likely I think it is that there will be viable exploits. If the serial number on the card can be reprogrammed then I expect home kits and programs to abuse the system will not take long to appear in the underworld. If the serial number cannot be reprogrammed then I think that's less likely. What would be really neat, (but almost certainly not possible using a standard oyster card) would be to have "magic" cards that change their number. For example, a Sunday trip from Watford Junction to London with enough zone 1 travel to pass the z1-2 cap is cheaper with two cards. - 3.00 each way from WJ-Euston plus 4-80 z1-2 cap. (Z1-8+WatfordJ cap is 12.60) In theory it's maybe possible for the card to tell where it's being touched in or out before it reveals its serial number (at the very least it could possibly start a corrupted transmission first time). So rather than having to have two cards and remember which one to use when, the card could handle all that logic for you. (You can do even better if you touch out/in at willesden junction - total journey cost 6.80 - but that requires you to take the slow train. I can't see how any hack is going to be able to generate a valid touch out. I can that a faked touch in might be possible.) Tim. |
Oyster card hack
|
Oyster card hack
On Jul 22, 3:45 pm, asdf wrote:
On Tue, 22 Jul 2008 07:05:53 -0700 (PDT), wrote: What would be really neat, (but almost certainly not possible using a standard oyster card) would be to have "magic" cards that change their number. For example, a Sunday trip from Watford Junction to London with enough zone 1 travel to pass the z1-2 cap is cheaper with two cards. - 3.00 each way from WJ-Euston plus 4-80 z1-2 cap. (Z1-8+WatfordJ cap is 12.60) In theory it's maybe possible for the card to tell where it's being touched in or out before it reveals its serial number (at the very least it could possibly start a corrupted transmission first time). So rather than having to have two cards and remember which one to use when, the card could handle all that logic for you. (You can do even better if you touch out/in at willesden junction - total journey cost 6.80 - but that requires you to take the slow train. I can't see how any hack is going to be able to generate a valid touch out. I can that a faked touch in might be possible.) What on earth would be the point in such an elaborate scheme? That it's a potentially legal way to want to use a hacked card. All the hack is doing is making sure you don't accidentally use the wrong card at the wrong point. If you've hacked the card then you can just add £100 (or whatever) of PAYG credit, for free, whenever you feel like it. Your card would probably be blacklisted during the nightly synchronisation of the readers with the central database, but it does give you an unlimited day's travel each day for £3 (or, if you can change the card's serial number, not even that). I don't know how quickly the system can react but I'd expect the system to be transmitting the card reported details back to the central system. So there's a good chance of your card being disabled before you even reach your destination if you try and use it on the tube. Tim. |
Oyster card hack
wrote in message ... On Jul 22, 9:40 am, wrote: On Jul 21, 6:25 pm, Tom Barry wrote: Adrian wrote: "Batman55" gurgled happily, sounding much like they were saying: "Details of how to copy the Oyster cards used on London's transport network can be published, a Dutch judge has ruled. " Seehttp://news.bbc.co.uk/1/hi/technology/7516869.stmMaxB And quite right too. Security by obscurity is a laughable farce. Indeed. What NXP were trying to do smacks of claiming you can walk safely off Beachy Head after banning the teaching of the Theory of Gravity. I notice LUL are still claiming Oyster security is perfectly ok. Do they live in a parallel universe or something? The sooner this whole Oyster card b0ll0cks is blown apart the better , then we can get back to normal tickets without any you-forgot-to-touch- out scams. We don't know what the technique is yet. Given that the Oyster central database knows how much money you have on you card, I assume that it's going to work by adding more virtual money to the card, but not to the database. This will enable you to use the card for journeys on a part of the system that is not permanently online (which I guess means only buses). ISTM that this will only work until the remote machine syncs up with the central database, when the fraud will be recognised, the card blocked and the journey analysed to see if there are people making the same journey on hacked cards. Methinks no-one will get away using a hacked card for long enough before they are nabbed, for it to be worth the criminal penalty that they will receive. BICBW tim |
Oyster card hack
Methinks no-one will get away using a hacked card for long enough before they are nabbed, for it to be worth the criminal penalty that they will receive. BICBW The ideal cards to clone would be the staff gate passes. |
Oyster card hack
"Matthew Dickinson" wrote in message ... Methinks no-one will get away using a hacked card for long enough before they are nabbed, for it to be worth the criminal penalty that they will receive. BICBW The ideal cards to clone would be the staff gate passes. Do they open any station, or just the one that they are located at? tim |
Oyster card hack
On Tue, 22 Jul 2008 02:24:31 -0700 (PDT), "
wrote: The easiest exploit is going to be when a few people get together to exploit the cap. Assuming that only one person uses the card at a time then AFAIAA technically they're not breaking the rules so long as they actually exchange the card. Cloning allows them to skip the need to physically swap the card but can be detected if the card is used at two remote stations too quickly. Er, that wouldn't work for capping as the data to perform the cap would be stored on the card, surely, and just occasionally sent back to a central server to ensure it hadn't been messed with? The most likely clone job would be something like topping an unregistered PAYG card up with 50 quid then making 10 copies of it. Neil -- Neil Williams Put my first name before the at to reply. |
Oyster card hack
On Tue, 22 Jul 2008 19:55:17 +0100, "tim....."
wrote: The ideal cards to clone would be the staff gate passes. Do they open any station, or just the one that they are located at? And no use if a grip is carried out because they aren't valid for travel (or I don't think so anyway). Even easier would be to clone a magstripe gate pass, but you'd still be stuck if you got caught. Neil -- Neil Williams Put my first name before the at to reply. |
Oyster card hack
On Tue, 22 Jul 2008 18:18:08 +0100,
tim..... wrote: Methinks no-one will get away using a hacked card for long enough before they are nabbed, for it to be worth the criminal penalty that they will receive. I agree. There's "pickpocketing" a card as someone exits the gate. But it's still not going to work very well if the "pickpocket" makes a regular journey. It might take a couple of weeks rather than a couple of days before red flags come up. And it seems unlikely that any casual user is going to go to all the trouble to save a few pounds - they're far more likely just to sneak through the gates behind someone else. Then there's sharing a card to only have one cap. But I wonder how many people are going to make a journey, then phone their accomplice "Ok, I'm out. Now you make the journey." It's the sort of thing some university students might do to prove it can be done but it seems unlikely there are many other people who will bother. (It would already probably be possible to do this where there's mobile reception - person 1 makes the journey as normal. Then then have a laptop with 3G modem and card transponder. Other person also has a card transponder also wired up to a laptop. Second person touches with transponder - data is transmitted from laptop to laptop and the signals replayed to the card. If you were really careful you might even be able to fool a train inspector with this technique on the overground.) Perhaps the biggest threat is from the people who enter at an ungated, distant station and have a zone 1&2 travelcard. Currently they can just "forget" to touch out - I don't know what systems are in place to detect that - but now they can potentially have a fake card that appears to have a valid touch in if they are inspected on the train. (And is there anywhere in Z1&2 where you can enter or exit without going through a gateline? That would be an obvious way to detect cards being used like this if every Z1&2 station has a gateline) I suppose the other possibility is to have two fake cards, put a few (fake) pounds on each, touch in on one and out on the other. (maybe even have a fake entry on the "out" card). That way, if the system spots the fake entry while you're travelling it can't block the card before attempting to exit with it because it will never be used again. But again, you'd better not have a regular journey doing this because it's still going to be noticed, just not necessarily easy to automatically block. Tim. -- God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t," and there was light. http://www.woodall.me.uk/ http://www.locofungus.btinternet.co.uk/ |
Oyster card hack
Tim Woodall gurgled happily, sounding much like
they were saying: (And is there anywhere in Z1&2 where you can enter or exit without going through a gateline? Yes, at least one - Kensington Olympia. |
Oyster card hack
If the encryption really has been cracked and the protocol documented
then it should be straightforward construct a device that can impersonate a legit card, with a random-but-plausible serial number and balance and journey history, and make it indistinguishable from the real thing. The Oyster technology is low tech enough that it should be possible to do with cheap off the shelf parts, or by repurposing an existing mass-produced device (possibly even Oyster cards). If it didn't have a fixed serial number there'd be no way to block it, short of catching someone in the act. That said, how widespread are fake magstripe tickets? They don't have any encryption as far as I know. U -- http://londonconnections.blogspot.com/ A blog about transport projects in London |
Oyster card hack
On 22 Jul, 21:28, Tim Woodall wrote:
And is there anywhere in Z1&2 where you can enter or exit without going through a gateline? Finsbury Park, Essex Road, Drayton Park (I assume) all DLR stations except Bank, various NLL stations, Upper Holloway, Paddington H&C if the concourse gateline is left open, and probably others. U -- http://londonconnections.blogspot.com/ A blog about transport projects in London |
Oyster card hack
On Jul 22, 9:39 pm, Adrian wrote:
Tim Woodall gurgled happily, sounding much like they were saying: (And is there anywhere in Z1&2 where you can enter or exit without going through a gateline? Yes, at least one - Kensington Olympia. Plus Finsbury Park and Waterloo W&C. -- John Band john at johnband dot org www.johnband.org |
Oyster card hack
Tim Woodall wrote:
Then there's sharing a card to only have one cap. But I wonder how many people are going to make a journey, then phone their accomplice "Ok, I'm out. Now you make the journey." It's the sort of thing some university students might do to prove it can be done but it seems unlikely there are many other people who will bother. There were people who shared paper travelcards by hiding them on the system, for instance someone who commutes from zone 6 to zone one sharing tickets with someone who commutes from zone 1 to zone 6. I know because I saw one of them hiding his ticket. |
Oyster card hack
On Jul 23, 2:56*am, "John Rowland"
wrote: Tim Woodall wrote: Then there's sharing a card to only have one cap. But I wonder how many people are going to make a journey, then phone their accomplice "Ok, I'm out. Now you make the journey." It's the sort of thing some university students might do to prove it can be done but it seems unlikely there are many other people who will bother. There were people who shared paper travelcards by hiding them on the system, for instance someone who commutes from zone 6 to zone one sharing tickets with someone who commutes from zone 1 to zone 6. I know because I saw one of them hiding his ticket. You may not be allowed to share travelcards, but I thought that you were perfectly entitled to share Oyster PAYG with other people on the same day. I still can't see what all the fuss is about. Unless someone invents an undetectable way of adding cash to an existing card, and actually makes their money through selling the system to others without getting caught by undercover police etc, what serious money can realistically be gained by any of this? |
Oyster card hack
On Jul 22, 8:36 pm, (Neil Williams)
wrote: On Tue, 22 Jul 2008 02:24:31 -0700 (PDT), " wrote: The easiest exploit is going to be when a few people get together to exploit the cap. Assuming that only one person uses the card at a time then AFAIAA technically they're not breaking the rules so long as they actually exchange the card. Cloning allows them to skip the need to physically swap the card but can be detected if the card is used at two remote stations too quickly. Er, that wouldn't work for capping as the data to perform the cap would be stored on the card, surely, and just occasionally sent back to a central server to ensure it hadn't been messed with? I'm assuming they can add the necessary journey history to the cards to keep them in sync. The most likely clone job would be something like topping an unregistered PAYG card up with 50 quid then making 10 copies of it. But that's going to get flagged at the end of the day when everything is reconciled - even assuming that multiple cards on the system with the same serial number don't already flag things up sooner that that. So the best hope along those lines is to take a card with just enough money to reach the cap, clone it multiple times and then throw the cards away at the end of the day. Another possibility is people claiming to be tourists selling their now finished with oyster cards for a discount[1]. "I've still got 20 pounds left on my card. I'll sell it to you for a tenner" sort of thing. They only need to be able to fool the top up/journey history machine once to pull that off. Tim. [1] The fact that tourists can't get their money and deposit back straight away if they've used both cash and a credit card to top up the card means I'm sure this is a common genuine situation. TfL haven't worked out that sending a GBP cheque several weeks later isn't very useful. |
Oyster card hack
In message
, at 01:35:05 on Wed, 23 Jul 2008, " remarked: [1] The fact that tourists can't get their money and deposit back straight away if they've used both cash and a credit card to top up the card means I'm sure this is a common genuine situation. TfL haven't worked out that sending a GBP cheque several weeks later isn't very useful. Or maybe they *have* worked out that it's very useful for them (as an extra revenue stream). -- Roland Perry |
| All times are GMT. The time now is 03:21 AM. |
Powered by vBulletin®
Copyright ©2000 - 2025, Jelsoft Enterprises Ltd.
Copyright ©2004-2006 LondonBanter.co.uk