
I hacked Oyster - NFC hacking

Boris Sprinkler

Don't be scared.
OK, maybe not Oyster but the equivalent here. It uses NFC technology. Using a Raspberry Pi and an NFC card reader, I purchased an anonymous card and put a tenner on it.
Using some tools from Kali Linux I then broke the DES encryption and took a dump of the fully loaded card. I used it to get home (I have a valid monthly pass, so not cheating anything). The next morning I reloaded the original dump and boom! Back to full credit. This is possible on the London system too.

I will write to those responsible for the system here just to cover my arse and get them to fix it, but I thought it interesting to share. Free travel if you pay for an anonymous card with cash.
 
I don't know a lot about this stuff but why the fuck are they using DES? The world and his brother know it's weak.
 
Even for tourists paying for an Oyster card with a prepaid Visa card bought via bitcoin?

I'm not saying that Shashi Verma's goons will track you to your lair and break your kneecaps, just that the individual account and the products or usage associated with it are managed centrally. So hacking the card won't give you free credit. AFAIK.
 
Then you can get free credit. But it will certainly show anomalies in a logging system. If you get caught doing it, it's not going to be the usual fare evasion fine.
 
AFAIK the London system holds details about the account - even an anonymous prepaid - centrally.
You can use this method to blag a free bus ride, as they only upload their data at the end of the day. But there's no way the Tube would let you get away with it.
 
Wasn't there some buzz a while back, some guy found a hole in the French system, more a proof of concept than a fully formed hack? And that seemed to come to nothing.

Given how simple your hack seems, it just seems that if it was that easy it would have surfaced long ago, with it using off-the-shelf tools.

Also I would be careful: if I truly found a hole I would at least offer it to TfL before I made it public. Given it's supposedly easy, coupled with the cost of travel now, it could cost TfL billions.
 
Now this is where my skills and Mr Sprinkler's should be used together: Mr Sprinkler's for teh leet haxor stuff and my data analysis capabilities to track how TfL would spot the anomaly.

My guess is one or two journeys wouldn't trigger anything, and I don't think real-time data analysis is used by TfL (they are certainly not a customer of any of the techs that are capable of doing this well), so you would probably get 24 hours before a report was run. Unless they have their threshold triggers set really low, which wouldn't be very efficient as they would get many false positives.
 
The real trick is to be able to skim Oyster details at a distance so that you can pick up other people's cards. That way you can avoid the central monitoring aspect. It's of negligible benefit though; you'd need to use it a lot to recoup your costs, and it'd be far too easy to spot any location/time based patterns and/or trawl through CCTV footage.
 
In some respects the Oyster system, and its lack of cryptographic quality, is a good example of 'good enough' security. Enough to discourage abuse, but not so much that it is prohibitively expensive or hinders the system in another manner. On the other hand, the total maximum you can benefit is also very low, which removes the drive to compromise it.

Edit: It seems I have nothing productive to bring to this Crypto-Anarchist community :(
 
They used to have even weaker security:
https://www.schneier.com/blog/archives/2008/08/hacking_mifare.html

Also, even Tube stations are not reconciling transactions in real time. If you do an online top-up or are sent a refund, you have to nominate a station to collect it from. This indicates you are not contacting a central server when you go through the barriers. This does make sense: imagine the chaos if a central authority was down or unreachable.
 
When you say crypto-anarchist in this thread, do you mean anarchist cryptographers, or anarchists who are wearing a mask of a different political identity? Just asking :D
 
Something I found on Wikipedia – "Oyster uses a distributed settlement framework. All transactions are settled between the card and reader alone. Readers transmit the transactions to the back office in batches but there is no need for this to be done in real time. The back office acts mainly as a record of transactions that have been completed between cards and readers."

Essentially, this means that the cards are more or less completely anonymous, adding to the fact that you can pick them up anonymously at Tube stations and don't have to register any personal or bank information. Also, this means that there's no real-time login to a centralised system which hosts the electronic wallet data, so assuming you have the encryption key, you can tap into what's on the MIFARE chip. That's probably because of the cost involved in creating a real-time communication network across London, as well as the difficulty in achieving near 100% uptime too. Anyway, back to the decentralised aspect of the cards. It turns out that a group of Dutch researchers managed to hack the Dutch OV-Chipkaart with MIFARE and then Oyster too ( http://news.bbc.co.uk/1/hi/technology/7516869.stm ). They did it by capitalising on this "distributed settlement network" and found that they could use an RFID reader to hack a reader at a station or on a bus et cetera and steal its encryption keys. They then found they were thereby able to access the transportation data on any card, so this would include cash balance, ID number for the card and any other details like bank account details and fare history. However, they found they could also use the decrypted data to add fake credit to the card fraudulently, clone the card and even use it to travel for at least a day, because of the reader data getting sent back to an office every day.
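The two posts above on spotting the anomaly in the back-office data and on the distributed settlement model describe the same defensive check from two sides: once readers upload their batches, the back office can replay each card's transactions in order and see where the balance a card reported does not follow from its own history (a restored dump) or where one card ID taps in two places it could not have travelled between (a clone). The script below is an added example of that batch reconciliation, written for this page and not code from the thread, TfL or any card vendor; the transaction records, reader names, travel times and card IDs are all constructed.

```python
"""Offline reconciliation of batched card-reader transactions (added example).

Replays each card's settled transactions in time order and flags two
anomalies discussed in the thread above:
  * balance_mismatch  - the balance the card reported after a transaction is
                        not the previous balance plus/minus this transaction
                        (a card restored from an earlier dump shows up here
                        as a balance that is higher than expected)
  * impossible_travel - consecutive taps at two readers closer in time than
                        the minimum travel time between them (a cloned card)
All data below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Tap:
    card_id: str
    ts: datetime
    reader: str         # reader that settled the transaction with the card
    kind: str           # "topup" or "journey"
    amount: int         # pence added (topup) or deducted (journey)
    balance_after: int  # balance in pence the card reported afterwards


@dataclass(frozen=True)
class Finding:
    card_id: str
    reason: str         # "balance_mismatch" or "impossible_travel"
    expected: int       # expected balance (pence) or minimum travel minutes
    observed: int       # reported balance (pence) or actual gap in minutes
    tap: Tap


# Constructed minimum travel times in minutes between reader locations.
TRAVEL_MINUTES = {
    frozenset(("Brixton", "Victoria")): 12,
    frozenset(("Brixton", "Stratford")): 45,
    frozenset(("Victoria", "Stratford")): 30,
}


def _min_travel(a, b, table):
    if a == b:
        return 0
    return table.get(frozenset((a, b)), 0)  # unknown pair: skip travel check


def reconcile(taps, travel_minutes):
    """Return a list of Finding objects for every tap that contradicts the
    card's own transaction history as uploaded by the readers."""
    by_card = defaultdict(list)
    for t in taps:
        by_card[t.card_id].append(t)
    findings = []
    for card_id, card_taps in by_card.items():
        card_taps.sort(key=lambda t: t.ts)  # batches arrive out of order
        prev = None
        for t in card_taps:
            if prev is not None:
                delta = t.amount if t.kind == "topup" else -t.amount
                expected = prev.balance_after + delta
                if t.balance_after != expected:
                    findings.append(Finding(card_id, "balance_mismatch",
                                            expected, t.balance_after, t))
                need = _min_travel(prev.reader, t.reader, travel_minutes)
                gap = int((t.ts - prev.ts).total_seconds() // 60)
                if gap < need:
                    findings.append(Finding(card_id, "impossible_travel",
                                            need, gap, t))
            prev = t  # re-baseline on what the card actually reported
    return findings


D1 = datetime(2014, 3, 1)
D2 = datetime(2014, 3, 2)
SAMPLE_TAPS = [
    # A1: honest card, balances chain correctly and travel is plausible
    Tap("A1", D1.replace(hour=9), "Brixton", "topup", 1000, 1000),
    Tap("A1", D1.replace(hour=9, minute=5), "Brixton", "journey", 240, 760),
    Tap("A1", D1.replace(hour=18), "Victoria", "journey", 240, 520),
    # B2: dump taken at 1000, restored overnight, so day 2 starts at 1000 again
    Tap("B2", D1.replace(hour=9), "Brixton", "topup", 1000, 1000),
    Tap("B2", D1.replace(hour=9, minute=5), "Brixton", "journey", 240, 760),
    Tap("B2", D2.replace(hour=8, minute=30), "Brixton", "journey", 240, 760),
    # C3: clone of the card taps 45 minutes away two minutes later
    Tap("C3", D1.replace(hour=8), "Brixton", "topup", 1000, 1000),
    Tap("C3", D1.replace(hour=8, minute=10), "Brixton", "journey", 240, 760),
    Tap("C3", D1.replace(hour=8, minute=12), "Stratford", "journey", 240, 760),
]


if __name__ == "__main__":
    for f in reconcile(SAMPLE_TAPS, TRAVEL_MINUTES):
        print(f"{f.card_id} {f.reason}: expected {f.expected}, "
              f"observed {f.observed} at {f.tap.reader} {f.tap.ts:%Y-%m-%d %H:%M}")
```

The check only needs the batches the readers already upload, which is the point made in the thread: a rollback is invisible to the reader at the barrier, but it is obvious the moment the back office lines the card's transactions up end to end, so the window is the batch delay, not indefinitely.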
 