Oyster card security broken.

Posted by Konrad on June 26, 2008

Oyster cards are cards containing RFIDs which facilitate travel on the London Underground (and Overground) networks. I had been wondering for a while how exactly they worked, but not finding much detailed information online, I initially based my conclusions on my own observations.

Here is what I have deduced.

1. Each RFID card has a unique ID which is recorded during each transaction with a card scanner.

Any Oyster user can access their usage history, either online or via an Oyster top-up machine. This presents an interesting problem: if you can check up on where your card has been, what is to stop Transport for London from using the same information? Either individually or in aggregate, it presents a very detailed picture of individual and mass use of the transport network.

2. The RFID works passively and contains a small amount of EEPROM.

Given that the Oyster card needs to be ‘tapped’ on the reader every time, it is safe to assume that the RFID does not have an internal power source. Instead, it only becomes ‘active’ with the energy it obtains via induction from the electromagnetic field close to the surface of the Oyster touch point. This energy is sufficient to power up the (presumably) CMOS device, which then sends the encrypted data to the reader. It is not clear at this point whether the reader then sends back a response with the new balance to the card, or whether the entire ‘transaction’ process is done on the RFID card.

3. The information stored on the EEPROM is encrypted, most likely with symmetric cryptography.

4. When scanned, the information held on the Oyster card itself is used; it is not pulled from a central server.

When updating the Oyster card, the card itself must be touched against a scanner. If this is not done, the balance is not applied. I initially believed all balance and travel card information was securely stored on a ‘mothership’ server. This clearly can’t be entirely the case. However, when a top-up is bought online, it is held in the Oyster system until the Oyster card is touched on a reader somewhere in London. This suggests there is a ‘mothership’ server which records all this information, although it is likely only linked to newsagent kiosks and top-up points, not the barriers themselves; otherwise there would be no need to store the information on the card.

5. Not only can the RFID store a balance, it can also store season tickets for a variety of durations and zone validities.

However, the title of the post suggests the security is broken, and indeed it is, although not through my investigations. A Dutch team took this a step further.

It turns out almost all my assumptions were correct. The Dutch team used a portable device to ‘touch in’ on an Oyster reader, which disclosed the encryption key used on the Oyster device, and they then extracted it. In possession of this key, not only could they decrypt any Oyster card to determine how the information was stored, but they could also, in theory, generate any balance or season ticket which, once properly encrypted, would be indistinguishable from the real (paid-for) thing.

However, to avoid what would no doubt have been countless hours of reverse engineering, the Dutch team instead brushed up against commuters on the Tube and wirelessly interrogated their cards, stealing the information that was on them. This allowed the team to effectively clone valid cards, entitling them to free travel.

But the story does not end there. It turns out the company that makes the RFIDs for Oyster cards is called MIFARE, and their chips are used in a wide variety of sensitive installations in a variety of countries.

2 Responses to “Oyster card security broken.”

  1. sunny beach said

    Quick! we need more CCTV cameras!

  2. lol in one short tunnel I walk through in central London, there were 60 cameras added. :)
