It appears that security researchers at Radboud University in Nijmegen, in the Netherlands, have extended their previous demonstration of the flaws in their own Philips MiFare-based travel cards to the similar system used in the London Oyster Card.
See the reports by ZDNet, and the translation of a report about the researchers' evidence to the Netherlands Parliament regarding such transport card vulnerabilities:
- Dutch researchers crack London's Oyster card
- Radboud researchers also cracking Oyster Card
- TfL responds to Oyster crack claims
They can reportedly use an Oyster Card, and then re-set the monetary balance, something which shows that the system is possibly vulnerable to fraud.
Transport for London claim that they would detect such a scam within 24 hours, and so it would only be limited to one day's free travel.
However, this assumes that the Dutch researchers, or any criminals exploiting the same vulnerabilities, are not spoofing or re-programming the Oyster card's serial number every day, as well as re-setting the monetary credit balance, in which case this will not be picked up via a nightly accounting reconciliation subroutine on the central database.
If randomly chosen, or specifically targeted Oyster card serial numbers were to be re-programmed, then the Transport for London / TranSys consortium anti-fraud routines could be abused to create a Denial of Service attack on random innocent travellers or specific targets.
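The nightly reconciliation discussed above, modelled as an added example (not code from TfL, TranSys or the original post): it replays a day's gate taps against a back-office ledger keyed on card serial, and queues findings for review rather than blocking a serial outright, since a mismatch on an issued serial may belong to its legitimate holder. The record layout, field names and sample values are assumptions constructed for illustration, and the separate check for serials unknown to the ledger is an addition beyond the balance comparison the post describes.

```python
from collections import namedtuple

# Constructed record layout (an assumption, not TfL's format): one row per gate tap.
Tap = namedtuple("Tap", "serial time balance_before fare")

def reconcile(ledger, taps):
    """Replay a day's taps against the back-office ledger.

    ledger: {serial: expected balance in pence at start of day}
    Returns (findings, closing_ledger); findings are (serial, time, reason).
    """
    expected = dict(ledger)
    findings = []
    for tap in sorted(taps, key=lambda t: t.time):
        if tap.serial not in expected:
            # A serial the back office never issued: a balance check keyed on
            # serial has nothing to compare against, so report it separately.
            findings.append((tap.serial, tap.time, "unknown-serial"))
            continue
        if tap.balance_before != expected[tap.serial]:
            # The card presented a balance the ledger cannot explain, e.g. a
            # reset balance, or a second card carrying a copied serial.
            findings.append((tap.serial, tap.time, "balance-mismatch"))
        else:
            expected[tap.serial] -= tap.fare
    return findings, expected

def review_queue(findings):
    """Group findings by serial for review instead of blocking automatically:
    a mismatch on an issued serial may belong to its legitimate holder."""
    queue = {}
    for serial, time, reason in findings:
        queue.setdefault(serial, []).append((time, reason))
    return queue

# Constructed sample data: balances and fares in pence, times as zero-padded HH:MM.
LEDGER = {"A1": 1000, "B2": 500}
TAPS = [
    Tap("A1", "08:00", 1000, 400),  # consistent with the ledger
    Tap("A1", "17:30", 1000, 400),  # balance is back at 1000: mismatch
    Tap("B2", "09:10", 500, 150),   # consistent with the ledger
    Tap("Z9", "12:00", 2000, 400),  # serial not present in the ledger
]

if __name__ == "__main__":
    day_findings, closing = reconcile(LEDGER, TAPS)
    print(review_queue(day_findings), closing)
```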
More worryingly, it appears that they can also cause a software malfunction in the Tube Gates, which are then jammed shut, after their Denial of Service attack presumably sends the wrong sort of code to the system.
At busy stations during the rush hour, this sort of Denial of Service attack could cause a lot of misery, and could potentially put lives at risk, especially at those stations which have Oyster card barriers very close to the up escalators, where there is a risk of people getting trampled by a panicked crowd.
Transport for London must immediately ensure that Tube gates cannot be jammed shut by such a software malfunction. This is a safety issue and, as such, must be given a far higher priority than any anti-fraud measures.
Transport for London need to actually publicly demonstrate that they have responded properly, to make such potential attacks impossible, and not just issue public relations spin which claims that there is no real problem.