Forgot your password?
typodupeerror
Security Bug Transportation Government The Courts News

Oyster Card Hack To Be Released, In Good Time 246

Posted by timothy
from the crackers-don't-follow-injunctions dept.
DangerFace writes "A little while ago some Dutch researchers cracked the Oyster card, meaning they could get free public transport around London. The company that makes the cards, NXP, sought and got an injunction to stop the exploit being published, but that has now been overruled by a Dutch judge. The lovely Dutch blokes are holding off from releasing the hack for the time being, to give NXP time to secure their systems."
This discussion has been archived. No new comments can be posted.

Oyster Card Hack To Be Released, In Good Time

Comments Filter:
  • You mean... (Score:4, Interesting)

    by Notquitecajun (1073646) on Tuesday July 22, 2008 @09:12AM (#24288045)
    The People don't have a right to free public transportation in London? Somethin' oughtta be done!
    • Why yes, they do (Score:5, Insightful)

      by Jeppe Salvesen (101622) on Tuesday July 22, 2008 @09:33AM (#24288323)

      The sidewalks are great for walking on. At no cost!

      • Re: (Score:3, Informative)

        <Obligatory>We don't have sidewalks in London, you insensitive clod!</Obligatory>

        We do a good line in pavements, but prolonged exposure to roadside air in London isn't exactly good for your health.

        • by bsDaemon (87307) on Tuesday July 22, 2008 @09:53AM (#24288583)

          Prolonged exposure to roadside air anywhere isn't exactly a day at the spa... but then, London does have the distinction of being the only city in the world wherein you can see the air you breathe ;-)

        • Re: (Score:3, Funny)

          Bloody 'ell!! You let tourists walk around all day in unhealthy air?! Greedy, insensitive bastards the lot of you!

      • by Blue Stone (582566) on Tuesday July 22, 2008 @09:51AM (#24288559) Homepage Journal
        > The sidewalks are great for walking on. At no cost!

        Until the ID card surveillance system comes in. Then we pay to walk. To breathe. To exist.
      • Sidewalks, or pavements as they are sometimes known, cost money. Billions of people walk to and fro across and over sidewalks every hour of every day. Every six seconds, 5.72 meters of sidewalk are worn down by human traffic and need to be replaced. People seem to think that sidewalks spring forth from the ground. They don't. They cost money.

        And who is going to pay this money? Who is going to finance the millions of kilometers of much needed sidewalks? Who is doing it at the moment? Why _you_ are. You the humble taxpayer is being forced to hand over your hard earned wages to pay for concrete that will be worn down by other people's shoes! It's ludacrious! Does anyone pay you to tile your kitchen? Do you get free funding, materials and labor when you have to repave your drive. No. Why should sidewalks be any different!?

        What we propose, is a better way, and a better future for you and your children. By forming strategic Public Private Partnerships, we can finance the creation and maintenance of sidewalks everywhere by privatizing them. Businesses can finance construction of sidewalks by modestly tolling the people who use them, passing the costs on to those actually wearing down the paths, and not onto you, the innocent taxpayer.

        Through the Magic of the Free Market private enterprise will deliver better, cheaper and cleaner sidewalks to the general public with no government participation! Businesses will prosper, providing employment for millions and the savings earned in the government budget can be passed on to you through a cut in the top rate of tax. It's a win/win situation for everyone involved!

        Vote yes on Proposition 22. You owe it to your Family.

        • by Random BedHead Ed (602081) on Tuesday July 22, 2008 @10:54AM (#24289371) Homepage Journal
          We're already doing this with roads in America [uspirg.org] so why not sidewalks? The Magic of the Free Market also worked well in bringing about prosperity in Iraq [globalpolicy.org] (imagine how badly it would have gone if we'd relied on public entities rather than contractors). I don't see how this sidewalk plan could go wrong - just make sure you stock up on quarters before you go for a walk. :)
        • by gnick (1211984)

          You made my morning - Thank you.

          What frightens me though is how many people are going to read that and jump on board with your modest proposal...

      • As a resident of New York City, I'm pretty surprised the Metrocard public transportation card system has not been massively compromised in its fifteen years of operation. There have been hacks here and there but for the most part the system has been secure. Good job, guys!

  • by YeeHaW_Jelte (451855) on Tuesday July 22, 2008 @09:16AM (#24288079) Homepage

    but the Universities advocates cracked their shell and the judge clam-ped down on them ...

    sorry ...

    • by smussman (1160103) on Tuesday July 22, 2008 @09:22AM (#24288193)
      No problem.

      But next time, remember that taking all the jokes is shellfish.
      • by oodaloop (1229816) on Tuesday July 22, 2008 @09:32AM (#24288315)
        He didn't use all the jokes. If he did, I'd have to mussel him around.
      • Re: (Score:2, Funny)

        by clone53421 (1310749)

        Q: What does an oyster do when it's hacked?
        A: It gives you the shell.

        Q: How did they hack the oyster card?
        A: They found its chilly seal.

        Hmm... now to get the obligatory ones out of the way...

        In Soviet Russia, the government takes all the jokes.

        Wow! Imagine a beowulf cluster of hacked oyster cards...

        All I want to know is, are there sharks? with frikkin' laser beams? Cause that would be so cool...

        Ok, so they've hacked the Oyster system... but will it run Linux?

        It's simple really... it's like a rental car wi

    • by hkz (1266066) on Tuesday July 22, 2008 @10:00AM (#24288665)

      I believe this would be the same university that previously forbade the researchers from talking to the press.

      Anhyow, the lifting of this publication ban is an excellent thing. The Dutch government has spent a lot of money in this foolhardy public transport chip card system, and is not willing to admit that it's an expensive, deeply flawed trainwreck.

      After the Nijmegen investigators came out with their findings, a contra-expertise report commissioned by the government and performed by Royal Holloway University in London, was selectively edited to remove its harsh conclusions before being sent to parliament. Then, the university cracked down on the freedom of the researchers to speak to the press.

      I, as a Dutch citizen, am happy that this issue is getting some serious sunshine.

      • Re: (Score:3, Interesting)

        by Dutch_Cap (532453)

        Since you're Dutch, you might be interested in the latest C'T magazine (Juli/August). It has an intersting article by a bunch of German academics who reverse engineered the chip a couple of months ago.

        Apparently the chip is a real POS:

        "De milfare classic barst werkelijk van de onveiligheden"
        Translation: "The milfare classic is truly riddled with insecurities"

        "Onze hardwareanalyse zou een stuk lastiger zijn geweest als de Milfare-ontwikkelaars gebruik hadden gemaakt van obfuscatietechnieken in chips

  • Not just Oyster (Score:5, Informative)

    by jnik (1733) on Tuesday July 22, 2008 @09:17AM (#24288109)

    According to Wikipedia [wikipedia.org], the same tech is used by Atlanta, DC Metro, the L, and the T.

    • Just cause you can get a hack for MARTA (the Atlanta system) doesn't make it easier to get around. VERY non-user friendly for first-time or non-often users. Instructions/directions are non-intuitive.
      • Ah, the old "security through obscurity" trick, then?
      • by zappepcs (820751)

        It's done that way on purpose. If you don't know how to get where you are going, you probably shouldn't be going there in the first place. I believe that MARTA made sense *BEFORE* the Olympics, then much of the city changed. I watched some of the pre-games construction. 10lbs of shit and only a 4lb bag. I think the MARTA looks much like it was designed for a city that the city planners had a map of rather than the actual city. Nobody knows which city they had a map of. Perhaps it was Atlanta: from 1936?

    • Re:Not just Oyster (Score:4, Interesting)

      by JaredOfEuropa (526365) on Tuesday July 22, 2008 @09:44AM (#24288473) Journal
      Not just that, very similar technology is used for the Dutch national public transport card that is under development (and currently piloted in Rotterdam). In a case of weird reciprocity, the Royal Holloway University of London wrote a report on the Dutch card system, initially recommending immediate replacement but later changing that to "recommend further investigation".
    • by yincrash (854885)
      This just means they all use Automated Fare Collection systems. It doesn't mean they all use the same company with the same vulnerabilities.
  • Key line (Score:5, Insightful)

    by Dolohov (114209) on Tuesday July 22, 2008 @09:19AM (#24288143)

    While I have mixed feelings about the publishing of exploits, this line hits the nail on the head:

    In its ruling, the court said: "Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings."

    This is an important lesson to companies like Diebold.

    • Re:Key line (Score:5, Insightful)

      by Steauengeglase (512315) on Tuesday July 22, 2008 @09:25AM (#24288233)

      I could be wrong, but I don't think the Diebold fiasco was ever officially denounced and called a bad thing. It got certain people in office and kept others in. I think the powers that be would consider that a rousing success.

      • Re:Key line (Score:4, Insightful)

        by garcia (6573) on Tuesday July 22, 2008 @10:00AM (#24288659) Homepage

        No, I think that the poster was hoping that the commonsense ruling and notation made by the Dutch court would somehow transcend political and oceanic boundaries to the United States. But, unfortunately, it probably never would and if it did, the judge making the ruling would be condemned as a traitor and heretic.

  • Yuk-yuk, I'm here all week... try the veal!
  • Are they serious? (Score:5, Insightful)

    by Anonymous Coward on Tuesday July 22, 2008 @09:24AM (#24288215)

    So let me get this straight.

    1. Researchers discover hole in Oystercard implementation.
    2. Oystercard operator ignores warnings from researchers.
    3. Oystercard operater takes researchers to court instead of working to fix identified vulnerabilities.
    4. Injunction granted.
    5. Injunction overturned.
    5. Researchers continue to give Oystercard operator time to fix their system, in addition to the time they had prior to the court action.

    Were I in their situation I would have publically released information on the hack the moment the injunction was overturned. If vendors of ANY type of system want to fuck with people who show every intention of trying to HELP them, they deserve everything they get.

    • Re: (Score:3, Interesting)

      Probably, fixing the vulnerability would take years and involve a full recall of the cards. That's why NXP wanted to suppress the information. This isn't like some program where it's one auto-update away from being secure again. Now these researchers are going to release the information, chances are good that London will be flooded with cracked cards used by freeloaders. And it will take years to clear up no matter what NXP do. Not sure that's worth the release of an academic paper, to be quite honest. Unle

      • by MoonBuggy (611105) on Tuesday July 22, 2008 @11:34AM (#24289903) Journal

        And it will take years to clear up no matter what NXP do. Not sure that's worth the release of an academic paper, to be quite honest. Unless the purpose of all this is to punish people who make mistakes?

        Your implication that withholding the results would prevent cracked cards being made only works if you make the assumption that only these researchers could/would work out how to break the security. As Bruce Schneier says in the BBC article: "Assume organised crime knows about this, assume they will be selling it anyway,".

    • Re: (Score:3, Insightful)

      by JustKidding (591117)

      Personally, I'd publish the details the very same day, just because they tried to screw them with a court case. They could have just asked nicely.

      On the other hand, these are not a bunch of semi-anonymous hackers, these are academics who have to think about their own future as well, which may explain this "no hard feelings" attitude.

      The good news in this story is that we somehow seem to have at least one sensible judge left.

  • I'm not surprised we Dutch are trying (and apparently succeeding) to hack public transportation systems facilities if you look at the current pricing of our own system. Provides for a good motivation. But the most recent exploit was also the main reason why the introduction of the so-called chipcard is delayed again. Which in turn leads to more development, therefor more costs and thus the prices increase ;)

    • Re:I'm not surprised (Score:5, Interesting)

      by D-Cypell (446534) * on Tuesday July 22, 2008 @09:43AM (#24288461)

      I'm not surprised we Dutch are trying (and apparently succeeding) to hack public transportation systems facilities if you look at the current pricing of our own system.

      I am assuming that you are implying that the Dutch transport system is expensive. Clearly you have never been to the UK. I live an hour away from London by train, if I were to shop around a little and pick the budget airline flights I could fly to Schipol from Gatwick/Heathrow, get the train to Amsterdam Central and a tram to my hotel for a cheaper price than my train journey from my house to the airport!! It really is *that* bad.

      I have been to Amsterdam many times (not *just* for the usual tourist reasons, my grandmother was born there, so I visit family), and I can say without a shadow of a doubt that transport around Amsterdam is many time more efficient and cheaper than transport around London, and I would much rather deal with the bizarre conversations with strangers that have 'had a little schmoke' on late night Amsterdam trams than the strangers that are looking to mug me on the London underground.

      Both of our countries are culturally rich, with a fascinating history, but yours seems far superior when it comes to the management of public services.

      • by Da Fokka (94074)

        I have to second this. IÂm Dutch and many people are claiming that the Dutch public transit system is expensive and inefficient. IÂve been to a lot of countries and I took a lot of trains and buses but our public transit compares favourably to almost any of them. Trains visit most parts of the country with metro-like frequency.

        It really is a shame that the dutch national public transit card suffers from similar problems since it has been compromised too. But a chip card system offers a lot of opti

      • by Joker1980 (891225) on Tuesday July 22, 2008 @10:33AM (#24289083)

        That reminds me of an old 'mock the week' on bbc when Andy Parsons done his train to Glasgow gag.

        "It costs £98.18 to get the train from London to Glasgow, who the hell is going to do that when you can fly to Barcelona for £40, then fly whoever u wanted to visit in Glasgow to Barcelona for £40 and then spend the first £18.19 on sangria".

        • Re: (Score:3, Funny)

          by againjj (1132651)
          And the reason you have £40 + £40 + £18.19 = £98.19 instead of £98.18 is because you put in you 2 cents worth (£0.01) in?
      • I call bullshit on this, either you live in scotland, in which case your trip to london will be longer than your trip from london to amsterdam, or you are comparing bought on the day open tickets to pre-booked cheap tickets, which is just bullshit. Your amsterdam train ride is 7 miles, which if you went the same distance in london is like a zone 2 tube trip for £3.50.

        As for you flight, the cheapest flight will b with a UK airline, and KLM is £122, whereas BMI can get you there fo
        • oh, and just to kill your arguement completly, the longest train trip I could find in Amsterdam , for the furthest north I could get to the furthest south cost £31, which is the same as the trip from glasgow to london just mentioned, which is almost twice as far, so the truth is, mile for mile, transport is cheaper in the UK than the Netherlands.
        • Re: (Score:3, Interesting)

          by D-Cypell (446534) *

          I call bullshit on this, either you live in scotland, in which case your trip to london will be longer than your trip from london to amsterdam, or you are comparing bought on the day open tickets to pre-booked cheap tickets, which is just bullshit. Your amsterdam train ride is 7 miles, which if you went the same distance in london is like a zone 2 tube trip for £3.50.

          To be fair, you are correct, I was comparing the lowest possible journey price to Amsterdam with the highest possible journey pric

      • Re: (Score:3, Informative)

        by drsmithy (35869)

        I am assuming that you are implying that the Dutch transport system is expensive. Clearly you have never been to the UK. I live an hour away from London by train, if I were to shop around a little and pick the budget airline flights I could fly to Schipol from Gatwick/Heathrow, get the train to Amsterdam Central and a tram to my hotel for a cheaper price than my train journey from my house to the airport!! It really is *that* bad.

        Bollocks. I doubt you could fly to _anywhere_ from London without paying at

    • by CastrTroy (595695)
      I think the only way to truly hack the system is to have a system more like debit cards. The card is actually connected to the identity of the person. All information goes back to a central system to verify the card has sufficient funds. Even if the bus just stored the info for later retrieval when they returned to the terminal, I think that would be a big step towards getting rid of any hacks. Any system where the value on the account is located on the card, is bound to be hacked.
      • Re: (Score:3, Interesting)

        The issue is that it's a 'quick touch' system. Debit cards can behave as they do because they are not reliant on pure urgency. Oyster cards work in a way that you touch it to the reader for a second or 2, then it lets you in.

        You're talking about picking an account out of ~8 million accounts on a server somewhere, checking it's balance. That's got to be a good second of simple database system look up as it is (from 'request' to 'result') even if you optimise it hugely. You then have the actual latency from t

        • Re:I'm not surprised (Score:4, Interesting)

          by CastrTroy (595695) on Tuesday July 22, 2008 @12:13PM (#24290445) Homepage
          You don't have to do a database lookup every time they get on the bus. Just store in the bus that they got on, and then debit the amount from the account when the bus returns to the garage at the end of the day. You could even store the amount available on the card, but also have the numbers centrally, so you could run a job that checked for inconsistencies.
  • Free (Score:5, Funny)

    by quarrel (194077) on Tuesday July 22, 2008 @09:24AM (#24288219)

    Information wants to be free.

    Luckily, so does public transport.

    --Q

  • by frenchgates (531731) on Tuesday July 22, 2008 @09:25AM (#24288225)
    The London public transit system sees payment for services as damage and routes around it. Or something like that.
    • If the London public transport system can route around planned maintenance, you're doing pretty well. Unexpected damage is pretty much always a show-stopper. :-(

  • by txoof (553270) on Tuesday July 22, 2008 @09:31AM (#24288301) Homepage

    This is a perfect example of how hacking can benefit the greater good. While it would be great to ride Dutch trains for free, it's obviously not sustainable and therefore I don't mind paying for services I receive. It is rather frustrating however to see companies attack the hackers that have found this weakness. Fixing the weakness will obviously cost money and time, but that is far superior to months of unscrupulous individuals taking free train rides all over the country. The students could have easily distributed this to their friends and community members quietly and cost the rail system thousands (perhaps hundreds of thousands) in free trips before it was discovered.

    The rail company may have been duly diligent in their security assessment of the system, but obviously missed this problem. In this case, the students have provided a very valuable service for FREE. This can potentially improve the overall quality of the rail system. Obviously the rail company needs to spend capital to repair the flaw in the system, but that is superior to discovering and repairing the flaw after thousands of free trips have already been lost. In this case, the money lost in free trips can be reinvested into the service to improve it, rather than just flushed down the drain.

    If companies can change their opinion of hackers that voluntarily point out security flaws to be more positive and less adversarial, everyone can potentially benefit.

    • Re: (Score:2, Informative)

      by shabble (90296)

      While it would be great to ride Dutch trains for free...

      You do realise that the Dutch only cracked the Oyster card, and that the card itself is used in London.

      Which isn't in Holland.

      • by txoof (553270)
        Whoops! I guess I didn't RTFA carefuly enough. Thanks for pointing that out.
    • Re: (Score:3, Interesting)

      by RAMMS+EIN (578166)

      The case of the dutch public transport card has all the indications of nobody actually caring about the things most would consider good. There's been shoddy engineering from the beginning, that's why the system still isn't operational nationwide. The project is also ridiculously overspent, eating into taxpayers' money. If the contractor can't deliver for the price they mentioned, it should be their loss, not everyone else's. Security problems have been apparent for a long time, even though this is denied, i

  • It's a pity (Score:3, Funny)

    by Chrisq (894406) on Tuesday July 22, 2008 @09:34AM (#24288341)
    Its a pity that Cherie Blair didn't know [independent.co.uk] this one.
  • by BovineSpirit (247170) on Tuesday July 22, 2008 @09:38AM (#24288397) Homepage
    Does anyone know if the accidental wiping [bbc.co.uk] of 1000's of Oyster Cards a couple of weeks ago was linked to this? Just curious...
  • TranSys on Caltrain? (Score:2, Informative)

    by lscotte (450259)

    I've noticed that TranSys terminals have appeared along Caltrain here in the San Francisco Bay Area in the past couple of weeks. I wonder if this means Caltrain is moving to the system - and also if they are using a version with the same flaws?

  • by clone53421 (1310749) on Tuesday July 22, 2008 @10:12AM (#24288799) Journal

    a haxor with skillz über-1337
    wanted to ride london's fleet
    but rather than paying
    he found himself saying
    "h4ck1n9 0y573r w0u1d b3 50 v3ry n347!"

  • by A beautiful mind (821714) on Tuesday July 22, 2008 @10:20AM (#24288945)
    It seems really apt to include a link to this [backingblair.co.uk]. I waited for a long time to be able to link this on /.
  • Poor guys.. (Score:4, Funny)

    by 4D6963 (933028) on Tuesday July 22, 2008 @10:24AM (#24288981)

    So Dutch researchers cracked the public transportation pass for London? Boy they're gonna be pretty down when they'll realise they need to travel all the way to London just to get free public transportation.

    Fortunately being Dutch they'll surely find a place to forget about all of this within a walking distance.

  • Wake-up call. (Score:3, Interesting)

    by Pig Hogger (10379) <pig.hogger@gmaCOWil.com minus herbivore> on Tuesday July 22, 2008 @10:44AM (#24289235) Journal

    This is a wake-up call.
    The issue is public transit financing; hardasses who want the public to pay more than their fair share (public transit benefits ***EVERYONE***, including motorists, and most importantly motorists who see decreased congestion; as well as employers who can have their workforce brought on site cheaply, so they don't have to pay exorbitant salaries so the workforce has to be able to afford a car - look no further to see the reasons why jobs are going to China) will only drive fares up, and thus the incentives to cheat (where I live, I cheat all the time; illegally, of course, but in a way that's effectively very hard to catch - it would take a cop to tail me all the time).
    With reasonable fares, the incentive to cheat is simply not there.
    (But transit can't be free; you need a fare to insure systems don't load up with homeless winoes).

    It's like music: with $20 CDs, everyone downloads. Not so when they cost $2.

  • by jaymz2k4 (790806) <jaymz@nOsPaM.jaymz.eu> on Tuesday July 22, 2008 @11:19AM (#24289693) Homepage
    TFL have been saying that whilst the hack does work and is a concern they'll be able to identify cloned or reloaded cards and cancel them, so the most you'd get for your effort is a free travel card for the day.

    "We wouldn't go into what security systems we've got, but we do have extra layers within the whole Oyster system," the spokesperson claimed. "We run daily tests for any cloned cards or rogue devices and none have been discovered. We are aware of the situation in Holland but, at this stage, there's no reason to migrate to a different system due to any security concerns."

    http://www.zdnetasia.com/news/communications/0,39044192,62040565,00.htm [zdnetasia.com]

    When they say 'none have been discovered' its not clear if that includes the Dutch hack. While Im sure there are probably ways around that too in the future and that saying this is partly to play down the impact of 'omg free travel!' I would imagine that an organisation like TFL with the resources they've got they probably can do such scans every evening or in transit. It's interesting regardless to see how this plays out...

    • Re: (Score:3, Insightful)

      by xaxa (988988)

      TFL have been saying that whilst the hack does work and is a concern they'll be able to identify cloned or reloaded cards and cancel them, so the most you'd get for your effort is a free travel card for the day.

      If they increase the deposit on an Oyster card to £5 that should deter people who just want a free travelcard for a day.

  • More seriously... (Score:3, Insightful)

    by cardpuncher (713057) on Tuesday July 22, 2008 @01:44PM (#24292013)
    ... these cards are widely used in physical access control systems: determining who is allowed into buildings or parts thereof. As one of the researchers explained today, part of the delay is to allow extra physical security to be deployed at sensitive locations. I don't think anyone has started to calculate the potential cost of all this, though there are probably one or two lawyers ordering yacht catalogues...

Never invest your money in anything that eats or needs repainting. -- Billy Rose

Working...