Oyster Card Hack To Be Released, In Good Time

DangerFace writes "A little while ago some Dutch researchers cracked the Oyster card, meaning they could get free public transport around London. The company that makes the cards, NXP, sought and got an injunction to stop the exploit being published, but that has now been overruled by a Dutch judge. The lovely Dutch blokes are holding off from releasing the hack for the time being, to give NXP time to secure their systems."

  • You mean... (Score:4, Interesting)

    by Notquitecajun ( 1073646 ) on Tuesday July 22, 2008 @09:12AM (#24288045)
    The People don't have a right to free public transportation in London? Somethin' oughtta be done!
  • by BovineSpirit ( 247170 ) on Tuesday July 22, 2008 @09:38AM (#24288397) Homepage
    Does anyone know if the accidental wiping [bbc.co.uk] of 1000's of Oyster Cards a couple of weeks ago was linked to this? Just curious...
  • Re:I'm not surprised (Score:5, Interesting)

    by D-Cypell ( 446534 ) * on Tuesday July 22, 2008 @09:43AM (#24288461)

    I'm not surprised we Dutch are trying (and apparently succeeding) to hack public transportation systems facilities if you look at the current pricing of our own system.

    I am assuming that you are implying that the Dutch transport system is expensive. Clearly you have never been to the UK. I live an hour away from London by train, if I were to shop around a little and pick the budget airline flights I could fly to Schiphol from Gatwick/Heathrow, get the train to Amsterdam Central and a tram to my hotel for a cheaper price than my train journey from my house to the airport!! It really is *that* bad.

    I have been to Amsterdam many times (not *just* for the usual tourist reasons, my grandmother was born there, so I visit family), and I can say without a shadow of a doubt that transport around Amsterdam is many times more efficient and cheaper than transport around London, and I would much rather deal with the bizarre conversations with strangers that have 'had a little schmoke' on late night Amsterdam trams than the strangers that are looking to mug me on the London underground.

    Both of our countries are culturally rich, with a fascinating history, but yours seems far superior when it comes to the management of public services.

  • Re:Not just Oyster (Score:4, Interesting)

    by JaredOfEuropa ( 526365 ) on Tuesday July 22, 2008 @09:44AM (#24288473) Journal
    Not just that, very similar technology is used for the Dutch national public transport card that is under development (and currently piloted in Rotterdam). In a case of weird reciprocity, the Royal Holloway University of London wrote a report on the Dutch card system, initially recommending immediate replacement but later changing that to "recommend further investigation".
  • by hkz ( 1266066 ) on Tuesday July 22, 2008 @10:00AM (#24288665)

    I believe this would be the same university that previously forbade the researchers from talking to the press.

    Anyhow, the lifting of this publication ban is an excellent thing. The Dutch government has spent a lot of money in this foolhardy public transport chip card system, and is not willing to admit that it's an expensive, deeply flawed trainwreck.

    After the Nijmegen investigators came out with their findings, a contra-expertise report commissioned by the government and performed by Royal Holloway University in London, was selectively edited to remove its harsh conclusions before being sent to parliament. Then, the university cracked down on the freedom of the researchers to speak to the press.

    I, as a Dutch citizen, am happy that this issue is getting some serious sunshine.

  • Re:let em release it (Score:1, Interesting)

    by Joker1980 ( 891225 ) on Tuesday July 22, 2008 @10:07AM (#24288751)
    Amen brother, not to mention that it's extortion plain and simple. You pay double for using cash (perfectly legal tender) as you've said but of course this has nothing to do with RFID's tracking abilities (future abilities). Isn't it great to live in the UK. RFID, CCTV on every street, secret courts, secret laws, un-elected leaders and let's not forget the extremely insidious attempt at restricting movement (both public transport and driving a car are insanely expensive).
  • Re:let em release it (Score:1, Interesting)

    by Anonymous Coward on Tuesday July 22, 2008 @10:41AM (#24289185)

    Why go by public transport at all? If my car isn't in use, and you wouldn't otherwise buy one, why not borrow it? I won't mind cleaning it, repairing it and filling it up with gas. Settle into my house when you get back, I'm not using it right now, I'm too busy at work, earning money to pay my way in life.

  • Wake-up call. (Score:3, Interesting)

    by Pig Hogger ( 10379 ) <pig.hogger@g[ ]l.com ['mai' in gap]> on Tuesday July 22, 2008 @10:44AM (#24289235) Journal

    This is a wake-up call.
    The issue is public transit financing; hardasses who want the public to pay more than their fair share (public transit benefits ***EVERYONE***, including motorists, and most importantly motorists who see decreased congestion; as well as employers who can have their workforce brought on site cheaply, so they don't have to pay exorbitant salaries so the workforce has to be able to afford a car - look no further to see the reasons why jobs are going to China) will only drive fares up, and thus the incentives to cheat (where I live, I cheat all the time; illegally, of course, but in a way that's effectively very hard to catch - it would take a cop to tail me all the time).
    With reasonable fares, the incentive to cheat is simply not there.
    (But transit can't be free; you need a fare to ensure systems don't load up with homeless winos).

    It's like music: with $20 CDs, everyone downloads. Not so when they cost $2.

  • Re:Are they serious? (Score:3, Interesting)

    by IamTheRealMike ( 537420 ) * on Tuesday July 22, 2008 @10:47AM (#24289271)

    Probably, fixing the vulnerability would take years and involve a full recall of the cards. That's why NXP wanted to suppress the information. This isn't like some program where it's one auto-update away from being secure again. Now these researchers are going to release the information, chances are good that London will be flooded with cracked cards used by freeloaders. And it will take years to clear up no matter what NXP do. Not sure that's worth the release of an academic paper, to be quite honest. Unless the purpose of all this is to punish people who make mistakes?

  • TFL have been saying that whilst the hack does work and is a concern they'll be able to identify cloned or reloaded cards and cancel them, so the most you'd get for your effort is a free travel card for the day.

    "We wouldn't go into what security systems we've got, but we do have extra layers within the whole Oyster system," the spokesperson claimed. "We run daily tests for any cloned cards or rogue devices and none have been discovered. We are aware of the situation in Holland but, at this stage, there's no reason to migrate to a different system due to any security concerns."

    http://www.zdnetasia.com/news/communications/0,39044192,62040565,00.htm [zdnetasia.com]

    When they say 'none have been discovered' it's not clear if that includes the Dutch hack. While I'm sure there are probably ways around that too in the future and that saying this is partly to play down the impact of 'omg free travel!' I would imagine that an organisation like TFL with the resources they've got they probably can do such scans every evening or in transit. It's interesting regardless to see how this plays out...

  • Re:I'm not surprised (Score:1, Interesting)

    by Anonymous Coward on Tuesday July 22, 2008 @11:22AM (#24289727)

    I am assuming that you are implying that the Dutch transport system is expensive. Clearly you have never been to the UK. I live an hour away from London by train, if I were to shop around a little and pick the budget airline flights I could fly to Schiphol from Gatwick/Heathrow, get the train to Amsterdam Central and a tram to my hotel for a cheaper price than my train journey from my house to the airport!!

    Or, you know, you could book your UK train tickets in advance and then it would be cheaper than any of that lot ;-)

    (Although, thinking about it, if it's a "free" flight, so you just pay the £15 tax, then that might be similar to an hour-long train journey to London on some routes. And Amsterdam to Rotterdam (about an hour by train) is €25 anyway, your point really demonstrates how ridiculously cheap the airlines are.)

  • Re:I'm not surprised (Score:3, Interesting)

    by FinestLittleSpace ( 719663 ) * on Tuesday July 22, 2008 @11:56AM (#24290219)

    The issue is that it's a 'quick touch' system. Debit cards can behave as they do because they are not reliant on pure urgency. Oyster cards work in a way that you touch it to the reader for a second or 2, then it lets you in.

    You're talking about picking an account out of ~8 million accounts on a server somewhere, checking its balance. That's got to be a good second of simple database system look up as it is (from 'request' to 'result') even if you optimise it hugely. You then have the actual latency from the reader all the way down to the mainframe.

    You then get the authentication issue - the card needs to send Name, Hash, UID, anything else to make sure someone can't just 'make their own card'... this increases lookup times... and even then, someone can just use a pocket scanner to nick a few people's card signals.

    It would be a bold achievement!

  • by Dutch_Cap ( 532453 ) on Tuesday July 22, 2008 @12:00PM (#24290271)

    Since you're Dutch, you might be interested in the latest C'T magazine (July/August). It has an interesting article by a bunch of German academics who reverse engineered the chip a couple of months ago.

    Apparently the chip is a real POS:

    "De Mifare Classic barst werkelijk van de onveiligheden"
    Translation: "The Mifare Classic is truly riddled with insecurities"

    "Onze hardwareanalyse zou een stuk lastiger zijn geweest als de Mifare-ontwikkelaars gebruik hadden gemaakt van obfuscatietechnieken in chips zoals die al jaren gangbaar zijn"
    Translation: "Our hardware analysis would have been much harder if the Mifare developers had used obfuscation techniques in their chip that have been commonplace for years"

  • 'Get the Facts...' (Score:1, Interesting)

    by Anonymous Coward on Tuesday July 22, 2008 @12:03PM (#24290313)

    The reason the bus routes have had their length cut has been forced on Tfl by an EU directive. This is happening all over the country not only in London.
    One example was the X64 from Guildford to Winchester.
    Now it runs as the X64 from Guildford to Alton. Whereupon, everyone gets off. The driver changes the service number to X65. Everybody gets back on and off to Winchester the charabanc goes.

    There is a maximum amount you can pay on an Oyster Card in any one day. To quote the Tfl web site
    Daily price capping automatically calculates the cheapest fare for the journeys you make in a single day
    This means that once you reach the amount of a daily travelcard for the zones you have covered you won't be charged any more.

    I don't work for Tfl and do not support the congestion Charge or Low Emissions Zone.

  • Re:I'm not surprised (Score:4, Interesting)

    by CastrTroy ( 595695 ) on Tuesday July 22, 2008 @12:13PM (#24290445)
    You don't have to do a database lookup every time they get on the bus. Just store in the bus that they got on, and then debit the amount from the account when the bus returns to the garage at the end of the day. You could even store the amount available on the card, but also have the numbers centrally, so you could run a job that checked for inconsistencies.
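
An added example, not part of the thread and not TfL's actual system: a minimal sketch of the end-of-day job described in the comment above (readers store taps offline, a central job checks for inconsistencies), which also covers the daily clone checks the TfL spokesperson mentions earlier. The record layout, field names, the `MIN_GAP` threshold and all data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real Oyster records). Amounts are in pence.
OPENING = {"card-A": 500, "card-B": 300, "card-C": 1000}  # central ledger at start of day
TOPUPS = [("card-A", 600, 1000)]                          # (uid, minute of day, amount)
# Reader logs uploaded at end of day:
# (uid, minute of day, reader, fare, balance the card reported after the tap)
TAPS = [
    ("card-A", 480, "bus-12", 90, 410),
    ("card-A", 1020, "bus-12", 90, 1320),
    ("card-B", 500, "bus-7", 90, 210),
    ("card-B", 900, "bus-7", 90, 2120),        # card claims more than the ledger allows
    ("card-C", 610, "gate-north", 150, 850),
    ("card-C", 613, "gate-south", 150, 850),   # same UID, other reader, stale balance
]
MIN_GAP = 10  # assumed minimum minutes between taps at two different readers


def reconcile(opening, topups, taps, min_gap=MIN_GAP):
    """Replay the day's events per card and return {uid: sorted list of findings}."""
    events = defaultdict(list)
    for uid, minute, amount in topups:
        events[uid].append((minute, 0, "topup", amount, None))
    for uid, minute, reader, fare, card_balance in taps:
        events[uid].append((minute, 1, reader, fare, card_balance))
    findings = defaultdict(set)
    for uid, evs in events.items():
        balance = opening.get(uid)
        if balance is None:                    # UID the back office never issued
            findings[uid].add("unknown_card")
            continue
        last_tap = None
        # Order by time; a top-up in the same minute is applied before a tap.
        for minute, kind, reader, amount, card_balance in sorted(evs, key=lambda e: e[:2]):
            if kind == 0:
                balance += amount
                continue
            balance -= amount                  # the ledger stays authoritative
            if card_balance != balance:
                findings[uid].add("balance_mismatch")
            if last_tap and reader != last_tap[1] and minute - last_tap[0] < min_gap:
                findings[uid].add("possible_clone")
            last_tap = (minute, reader)
    return {uid: sorted(f) for uid, f in findings.items()}
```

Flagged UIDs would feed whatever blocklist the readers pick up on their next sync, which is why the comment earlier in the thread puts the exposure at about a day.
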
  • Re:I'm not surprised (Score:5, Interesting)

    by FinestLittleSpace ( 719663 ) * on Tuesday July 22, 2008 @12:16PM (#24290493)

    That's how the Oyster system works!

  • Re:let em release it (Score:2, Interesting)

    by ombwiri ( 1203136 ) <ombwiri AT gmail DOT com> on Tuesday July 22, 2008 @12:20PM (#24290545)
    With an Oyster card, it costs £0.90 to travel however far you like on one bus, 24 hrs a day. True this does mean that it will cost more if you have to change buses, but I can get from Clapham to Camden or from Archway to Notting Hill Gate on one bus so it's not that limiting.

    A point to bear in mind.

    If you are using an Oyster card on the buses the charge is capped at £3.00 per day no matter how many bus trips you take.

    Oh and do you expect local taxes to be just used to subsidise mass transport? Who pays for all the other services that local authorities provide?

  • Re:I'm not surprised (Score:3, Interesting)

    by D-Cypell ( 446534 ) * on Tuesday July 22, 2008 @12:23PM (#24290591)

    I call bullshit on this, either you live in Scotland, in which case your trip to London will be longer than your trip from London to Amsterdam, or you are comparing bought on the day open tickets to pre-booked cheap tickets, which is just bullshit. Your Amsterdam train ride is 7 miles, which if you went the same distance in London is like a zone 2 tube trip for £3.50.

    To be fair, you are correct, I was comparing the lowest possible journey price to Amsterdam with the highest possible journey price to London. I would accept that this might have been a little misleading, but it is not 'bullshit', just a bit dramatic.

    The point still stands though, I am fairly certain that we have one of the most expensive public transport systems in the developed world and at the same time are one of the most heavily taxed people in the developed world. Someone is clearly doing *something* wrong.

  • by RAMMS+EIN ( 578166 ) on Tuesday July 22, 2008 @01:06PM (#24291357) Homepage Journal

    The case of the Dutch public transport card has all the indications of nobody actually caring about the things most would consider good. There's been shoddy engineering from the beginning, that's why the system still isn't operational nationwide. The project is also ridiculously overspent, eating into taxpayers' money. If the contractor can't deliver for the price they mentioned, it should be their loss, not everyone else's. Security problems have been apparent for a long time, even though this is denied, ignored, and covered up. One positive effect of this is that the cards were found to contain far more personal information than necessary, allowed, and desirable. So, out of all the things they could have spent their resources on, they apparently chose tracking travelers and otherwise invading their privacy. On top of all that, I am not surprised at all that they would try to silence yet another couple of critics.

    Really, this isn't about delivering a good product. I don't know what it _is_ about, but I do know it ends up spending tax payers' money on something that isn't good for them, especially if they travel by public transport. I'd very much like to see this investigated. Even if there wasn't any malicious intent, a lot of harm has been done. We need to know what happened, who ordered it to happen, and who allowed it to happen, because I don't want this to happen again. Sadly, I fear I won't get any sizeable part of the Dutch population to support such an investigation, let alone the government, which seems to have "no investigation into possible mistakes" as their credo.

  • Re:Why yes, they do (Score:4, Interesting)

    by xaxa ( 988988 ) on Tuesday July 22, 2008 @01:25PM (#24291661)

    Hold on now just a second. Are you saying the air down in the tube is better than the air above ground? I beg to differ!

    I wouldn't like to compare them, but there was a study done which found that the claim that travelling on the London Underground was as bad as smoking a cigarette was false.

    The mass of material inhaled on the underground was comparable to the mass inhaled by smoking a cigarette, but the dust on the tube was mostly iron/steel (from the rails and wheels) or grit (from the tunnels), and was in relatively big lumps that were mostly stopped by the hairs in the nose (as any Londoner knows). Compare that to the pollution above ground or from smoking: tiny particulates of toxic chemicals.

    I'd rather sit in a park, but given the choice of sitting by a busy road or an underground railway, I'll take the railway.

    (Anecdote: I lived in a flat between one of the main railway lines into London, and one of the main roads. The windows on the railway side didn't need cleaning very often, even though some of the trains were diesel-powered. The dirt was gritty. On the road-side of the building the windows quickly became oily.)
