Oyster travel card security broken and denial of service attacks on Tube gates?


It appears that security researchers at Radboud University in Nijmegen, in the Netherlands, have extended their previous demonstration of the flaws in their own Philips MIFARE based travel cards to the similar system used in the London Oyster Card.

See the reports by ZDNet and the translation of a report about the researchers' evidence to the Netherlands Parliament regarding such transport card vulnerabilities.

They can reportedly use an Oyster Card, and then re-set the monetary balance, something which shows that the system is possibly vulnerable to fraud.

Transport for London claim that they would detect such a scam within 24 hours and so it would be limited to only one day's free travel.

However, this assumes that the Dutch researchers, or any criminals exploiting the same vulnerabilities, are not spoofing or re-programming the Oyster card's serial number every day, as well as re-setting the monetary credit balance, in which case this will not be picked up via a nightly accounting reconciliation subroutine on the central database.

If randomly chosen or specifically targeted Oyster card serial numbers were to be re-programmed, then the Transport for London / TranSys consortium anti-fraud routines could be abused to create a Denial of Service attack on random innocent travellers or specific targets.
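
The reconciliation argument above, modelled as an added example (not code from TfL, TranSys or this blog): a nightly pass keyed on card serial number, run over constructed tap records. The record layout, the per-tap fare, the 10-minute threshold and the block/review policy are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample taps for one day (not real Oyster data):
# (serial, minute of day, station, balance the card reported in pence, fare in pence)
TAPS = [
    ("A100", 480, "Brixton", 1000, 200),
    ("A100", 1020, "Victoria", 800, 200),    # consistent with the ledger
    ("B200", 500, "Camden Town", 500, 200),
    ("B200", 900, "Euston", 500, 200),       # ledger expects 300: balance was re-set
    ("C300", 510, "Morden", 700, 200),
    ("C300", 515, "Stratford", 700, 200),    # same serial, far apart, 5 minutes later
    ("Z999", 600, "Bank", 2000, 200),        # serial that was never issued
]
# Constructed back-office opening balances for issued serials, in pence.
LEDGER = {"A100": 1000, "B200": 500, "C300": 700}

def reconcile(taps, ledger, min_gap=10):
    """Nightly pass: return {serial: set of reasons} for suspicious serials."""
    expected = dict(ledger)   # balance the back office believes each card holds
    last_seen = {}            # serial -> (minute, station) of its previous tap
    findings = defaultdict(set)
    for serial, minute, station, reported, fare in sorted(taps, key=lambda t: t[1]):
        if serial not in expected:
            findings[serial].add("unknown_serial")
            continue
        if reported != expected[serial]:
            findings[serial].add("balance_mismatch")
        expected[serial] -= fare
        prev = last_seen.get(serial)
        if prev and prev[1] != station and minute - prev[0] < min_gap:
            findings[serial].add("concurrent_use")
        last_seen[serial] = (minute, station)
    return dict(findings)

def next_day_action(findings):
    """Assumed policy: block serials nobody was issued; send issued serials to
    review, because a flagged issued serial may belong to a traveller whose
    number was copied onto another card."""
    return {s: "block" if "unknown_serial" in r else "review"
            for s, r in findings.items()}

if __name__ == "__main__":
    for serial, action in sorted(next_day_action(reconcile(TAPS, LEDGER)).items()):
        print(serial, action)
```

Every finding is a serial number, not a person: the pass cannot tell which physical card presented B200 or C300, which is why automatically blocking a flagged issued serial can lock out its legitimate holder.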

More worryingly, it appears that they can also cause a software malfunction in the Tube Gates, which are then jammed shut, after their Denial of Service attack presumably sends the wrong sort of code to the system.

At busy stations during the rush hour, this sort of Denial of Service attack could cause a lot of misery, and could potentially put lives at risk, especially at those stations which have Oyster card barriers very close to the up escalators, where there is a risk of people getting trampled by a panicked crowd.

Transport for London must immediately ensure that Tube gates cannot be jammed shut by such a software malfunction. This is a safety issue and, as such, must be given a far higher priority than any anti-fraud measures.

Transport for London need to actually publicly demonstrate that they have responded properly, to make such potential attacks impossible, and not just issue public relations spin that claims that there is no real problem.

2 Comments

The Times has an article on the subject now:

http://technology.timesonline.co.uk/tol/news/tech_and_web/article4184481.ece

However it does not mention the Tube Gate Jamming denial of service attack.

It does have a creepy bit of complacent media spin from Transport for London:

Transport for London denied yesterday that any security breach had taken place. “This was not a hack of the Oyster system,” a spokesman said. “It was a single instance of a card being manipulated.”

TfL should not be waiting for a fraud or for someone to be injured or killed as a result of a Jammed Tube Gate, before they take action.

This is not a theoretical security weakness, it has actually been demonstrated in practice.

The whole Oystercard system crashed on Saturday 12th July 2008:

http://news.bbc.co.uk/1/hi/england/london/7503197.stm

Card fault hits London transport

The Oyster system on London's public transport network has suffered a fault, rendering the electronic cards inoperable for about five hours.

The cards are used as a form of payment across the city on the Tube, buses, trams and the Docklands Light Railway.

A fault lasting from about 0530 BST to 1030 BST on Saturday meant card readers did not work and some passengers could be charged a maximum fare by mistake.

Transport for London, apologised and said Oyster faults were "very rare".

It said a problem of this nature had not occurred since March 2006.

[...]

A spokeswoman said: "Due to a technical problem with the Oystercard computer system, card readers across the network have not been accepting cards.

"Ticket barriers have been left open so that passengers can pass through therefore journeys have not been adversely affected by this problem."

Machines used to place funds on the cards were also affected by the fault.

[...]

About this blog

This website comments on the policies of the Mayor of London, the London Assembly and the Greater London Authority and actually pre-dates even the referendum which took place before these public bodies were set up.
