It just goes to show, having an aluminium lined wallet could really be useful! Hackers in the Netherlands found they could clone an access card using the Mifare chip, after that they traveled to London to try their technique out on the Oyster card (used on the London Underground), which uses the same chip.
It just goes to show…implementation of these cards really isn’t good yet.
Dutch security researchers rode the London Underground free for a day after easily using an ordinary laptop to clone the “smartcards” commuters use to pay fares, a hack that highlights a serious security flaw because similar cards provide access to thousands of government offices, hospitals and schools.
There are more than 17 million of the transit cards, called Oyster Cards, in circulation. Transport for London says the breach poses no threat to passengers and “the most anyone could gain from a rogue card is one day’s travel.” But this is about more than stealing a free fare or even cribbing any personal information that might be on the cards.
Oyster Cards feature the same Mifare chip used in security cards that provide access to thousands of secure locations. Security experts say the breach poses a threat to public safety and the cards should be replaced.
Apparently they can only use the cloned card for one day’s travel, but still…what would stop them from doing it every day?
Or cloning an access card to a more important place and wreaking some havoc there.
The hackers scanned one of the Underground’s many card readers to collect the cryptographic key that purportedly keeps the system secure. The keys were uploaded to a laptop, essentially turning them into portable card readers. The hackers then brushed up against passengers to wirelessly upload the information on their Oyster cars. That information in hand, it was a simple matter of using it to program new cards.
Jacobs says the same technique can clone smartcards that provide access to secure buildings. “An employee can be cloned by bumping into that person with a portable card reader,” he told the Times. “The person whose identity is being stolen may then be completely unaware that anything has happened. At the technical level there are currently no known countermeasures.”
So break out your tinfoil hats and alumnium hats, the smartcard hackers are coming to a building near you soon.
The Dutch government are taking this VERY seriously, planning to replace all 120,000 smart cards used by their employees for access. That will be an expensive excercise.
I wonder will Oyster make any changes following the media coverage on this?
And what rights does a consumer have after their card is cloned and their credit used, are they insured? Would they even notice? Who’s responsiblity is it?
Source: Wired Blog (Thanks to razta).