Dutch security researchers rode the London Underground free for a day after easily using an ordinary laptop to clone the "smartcards" commuters use to pay fares, a hack that highlights a serious security flaw because similar cards provide access to thousands of government offices, hospitals and schools.
There are more than 17 million of the transit cards, called Oyster Cards, in circulation. Transport for London says the breach poses no threat to passengers and "the most anyone could gain from a rogue card is one day's travel." But this is about more than stealing a free fare or even cribbing any personal information that might be on the cards.
Oyster Cards feature the same Mifare chip used in security cards that provide access to thousands of secure locations. Security experts say the breach poses a threat to public safety and the cards should be replaced.
"The cryptography is simply not fit for purpose," security consultant Adam Laurie told the Telegraph. "It's very vulnerable and we can expect the bad guys to hack into it soon if they haven't already."The Dutch government has taken the breach seriously and says it is upgrading the smartcard system that secures its buildings. "It's a national security issue," a spokesman for the Dutch Interior Ministry told reporters. "We're in the process of replacing the cards of all 120,000 civil servants at central government level."
According to the Times, Radboud University researcher Bart Jacobs and his team used an ordinary laptop to clone an access card to a building in the Netherlands. When that worked, they went to London to test the technique on the Underground.
No comments:
Post a Comment