
Hacked Oyster Card System Crashes Again

Posted by kdawson
from the no-pearls-in-sight dept.
Barence sends along PcPro coverage of the second crash of London's Oyster card billing system in two weeks. Transport for London was forced to open the gates and allow free travel for all. "There is currently a technical problem with Oyster readers at London Underground stations which is affecting Oyster pay as you go cards only," explains the TfL website. This follows the first crash two weeks ago, which left 65,000 Oyster cards permanently corrupted. Speculation is increasing that the crashes may be related to the hacking of the Oyster card system by Dutch researchers from Radboud University, though TfL denies any link. Plans to publish details of the hack were briefly halted when the makers of the chip used in the system sued the group, although a judge ruled earlier this week that the researchers could go ahead. During the court action, details briefly leaked on website Wikileaks.

  • Wikileaks problems? (Score:5, Interesting)

    by wile_e_wonka (934864) on Friday July 25, 2008 @09:04AM (#24334255)

    details briefly leaked on website Wikileaks

    What? "briefly" leaked? Does this mean Wikileaks removed those details? I thought that was against Wikileaks policy.

  • by Aceticon (140883) on Friday July 25, 2008 @09:10AM (#24334345)

    ... bullshit.

    This morning when I was exiting from the destination tube station (the system crashed while I was traveling) there was both one guy shouting and announcements through the information system telling us not to "touch out your card" (meaning, don't have it read by the reader).

    If there is no risk of the cards being corrupted, why were they giving us those instructions?

  • by internewt (640704) on Friday July 25, 2008 @09:16AM (#24334457) Journal
    This article on the BBC site:
    http://news.bbc.co.uk/1/hi/technology/7516869.stm [bbc.co.uk]
    Says in the last line

    The Dutch group is one of three known to have cracked the Mifare Classic technology.

    I haven't heard any other reports of other groups having confirmed to have cracked this system, so does anyone else know what the BBC are on about? But if they are right, then it's pretty safe to say that people have been running about with cloned oyster cards for a while.

    Unfortunately there don't seem to be any real details of how the copying is done, but I do wonder if the copying process is as simple as that if you can read a card you can clone it? If that's the case, if you need a new card (you will every 24 hours from what I've seen if you're using cloned cards), you just bump into someone on the way into a station with a reader about your person and clone theirs!

    With there being two major fuck ups of the oyster system in 2 weeks, I am thinking that someone is really trying to make changes to the oyster system that it can't cope with...... and they would only try and really push the system if copying the cards is actually really easy, or they already have a problem with cloned cards that they're not talking about.

  • by Anonymous Coward on Friday July 25, 2008 @09:17AM (#24334473)

    dammit i forget my card one day, buy a day ticket and i could have gone for free all along!

    i really don't get why people think the uk system is very vulnerable when the systems in europe (well paris, madrid, rome, barcelona anyway) are all based on magnetic strips which are much cheaper/easier to reencode than the oyster cards.

  • by pjt33 (739471) on Friday July 25, 2008 @09:21AM (#24334545)
    I find myself wondering why Transys have to send any data. What do these "data tables" contain?
  • by Anonymous Coward on Friday July 25, 2008 @09:24AM (#24334605)

    Not touching out means you pay the maximum possible fare for your journey rather than the actual fare.
    It's one way to recoup the cost of having to open the gates I suppose.

  • by theMassOfToe (1185695) on Friday July 25, 2008 @09:58AM (#24335311)
    The Oyster card system requires you touch your card at the start and end of your journey, or it defaults to charging the maximum fare (which is a lot - now about £4.00 I think).

    But there are cases outside the norm where this penalty is charged unjustly - like on the way to a special event when the tube's packed, or when you forget something and have to leave the station without travelling. The fare/penalty is charged automatically and you might not even notice, but of course to get it refunded you have to phone a helpline with all the usual crap to go through, so you end up being out of pocket.

    The system is absolute and doesn't allow leeway for people's imperfect/unexpected behaviour. A few breakdowns on TFL's side are only fair therefore, as they help even the financial balance a bit.
  • by Yvanhoe (564877) on Friday July 25, 2008 @10:07AM (#24335469) Journal

    Unfortunately there don't seem to be any real details of how the copying is done, but I do wonder if the copying process is as simple as that if you can read a card you can clone it?

    From what I have read, you can gather enough information to clone a card through two different ways:
    * Eavesdropping the communication between the attacked card and the reader (completely passive)
    * "Bumping" into someone with a reader that will fake official readers and ask the card for an ID and a challenge. The challenge is easy to brute force because of a flaw in the randomness generator.

  • by Jellybob (597204) on Friday July 25, 2008 @10:11AM (#24335553) Journal

    Yeah, that's the theory. In practice it seems that if a bus goes out with a working Oyster reader, it'll die by the end of the day ;)

    I've lost count of the number of times that I've been told to just get on, because the reader isn't working.

  • by Anonymous Coward on Friday July 25, 2008 @10:46AM (#24336117)

    Card hacks like this are a total waste of everyone's time including the researchers!

    I don't know the specifics of the Oyster system, but I promise you the card is very, very dumb. So dumb the possibility of 65,000 cards being corrupted in one time is not the card's fault.

    How can I possibly know that? Well, if the submitter knew anything about value transfer cards, he would know that cards that store value require microseconds to transfer the value. Those microseconds translate into the rider having to -stop and wait- in order to transfer value. Which all mass transit riders know would be an absolute mess. So, the card carries, at most, a disguised unique ID with all the value transfer happening on some backend.

    Now, the backend voiding 65,000 cards is easily possible. It's gross mismanagement on the part of the person publicly communicating the issue that they are describing the cards as broken.

    Finally, how much does one stand to make cracking a transit system at the subway level? Not much at all. Steal a few rides? Let's say you want to mass-produce your hack, where are you going to get the cards for that? Those are two simple issues. There are many others....

    This leads me to believe there are political forces at work regarding a new service/IT contract for the system if the story gets more attention than a summary on slashdot.

    Check into Chevron paypass crack. This is actually do-able by someone well-grounded in rf electronics. To give you an idea of how bad that system is, you send the receiver odd keys (FFFFFFFFFF) to discover facts about the weak encryption. Which is *exactly* why every self-respecting American geek should avoid paypass and the contactless Visa/Mastercards like the Black Plague.

  • by Naito (667851) on Friday July 25, 2008 @11:18AM (#24336637)
    This Oyster card seems like a bad rip off of Hong Kong's Octopus card [wikipedia.org] system. Why didn't they just use that anyway? NIH syndrome?
  • by xaxa (988988) on Friday July 25, 2008 @11:30AM (#24336833)

    Card hacks like this are a total waste of everyone's time including the researchers!

    I don't know the specifics of the Oyster system, but I promise you the card is very, very dumb. So dumb the possibility of 65,000 cards being corrupted in one time is not the card's fault.

    How can I possibly know that? Well, if the submitter knew anything about value transfer cards, he would know that cards that store value require microseconds to transfer the value. Those microseconds translate into the rider having to -stop and wait- in order to transfer value. Which all mass transit riders know would be an absolute mess. So, the card carries, at most, a disguised unique ID with all the value transfer happening on some backend.

    Not true, at least for the Oyster card. It stores a value as well as an ID. There are several thousand buses in London, each with an Oyster reader, and no reliable, fast way to access a central database (of several million cards) from the buses.

    When you add credit to a card, you touch the card to the ticket machine, insert coins, press the "I'm done" button, and then touch the card again -- further demonstrating that the card has more than an ID, it needs to be updated to know how much money has been added to it.

    Which is *exactly* why every self-respecting American geek should avoid paypass and the contactless Visa/Mastercards like the Black Plague.

    I'm interested in the contactless VISA/MasterCard, I'll get one as soon as I'm offered one. But here, they guarantee to refund any transactions not made by the cardholder.

  • by soliptic (665417) on Friday July 25, 2008 @05:12PM (#24342381) Journal

    I admit I have effectively zero knowledge, let alone intimate knowledge, about transit card systems, but I'm fairly sure xaxa is correct. I'm fairly sure I remember reading that Oyster was asynchronous, i.e. value was stored "distributed" on the cards not on a single centralised/trusted database.

    This tallies with reality, I can jump off a bus, onto another, then quickly off that and head straight into the tube, and the tube barrier will reflect the money I just spent on the buses. Without fail. There's clearly no way the buses have "docked" at the depot, and would these mobile phone modems be "always on"? It doesn't seem right to me. There are 8000 buses, which are actually owned/operated by a multitude of sub-contracted private companies, it seems like storing value on the card would be an easier proposition than relying on all those mobile phone modems staying permanently connected? On the flipside, it would be pretty slow to complete a bus rider boarding/paying with an oyster card event - how slow are we talking about here? The AC talks of "microseconds", which is no problem at all, the Oyster generally does need to make fairly decent 'contact' with the reader, a highly vague/fast dab will often fail to read. I'd easily call it a 10th of a second 'pause' as you swipe - be generous, call it a 20th - that's still 50 microseconds, isn't that enough to transfer a single currency value?

    That's genuine curiosity in those questions, btw, not rhetorical hostility. Like I said, I don't know much about this stuff and happy to learn, but I do remember reading it was on the card...

    WP says, incidentally:

    The system is asynchronous, with the current balance and ticket data held electronically on the card rather than in the central database. The main database is updated periodically with information received from the card by barriers and validators. Tickets purchased online or over the telephone are "loaded" at a preselected barrier or validator.

    But when I say read, I mean somewhere more 'solid' than WP... Can't find a reference now...
