Transport for London, issuer of the popular Oyster Card, is in the process of upgrading to new, more secure cards.
Two years ago, researchers found a vulnerability in the existing MIFARE contactless smart cards that the agency was using. NXP’s MIFARE Classic line of products was possibly the world’s most widely deployed contactless product, used for many transit and physical security applications. The MIFARE Classic line includes the MIFARE 1K, MIFARE 4K and MIFARE Mini products.
In a paper detailing the research, the hackers say they discovered the workings of the chip by analyzing communication between the chip and the reader, and from that worked out the cryptographic protocol. They also drew on previously released research on similar encryption hacks.
The line has been used worldwide in transit fare collection systems, access control solutions, and government ID systems. Large issuers include transit projects such as London’s Oyster program, The Netherlands’ OV-chipkaart, and Boston’s Charlie Card.
Transport for London is gradually rolling out NXP’s DESFire cards, which have higher levels of encryption than the MIFARE Classic line. “Transport for London began the phased replacement of MIFARE Oyster cards last year and London Underground ticket offices will continue to gradually swap existing cards as passengers top up, renew or replace lost cards,” says a TFL spokesperson. “There is no difference in using the new cards and cardholders do not need to take any specific action to replace their existing Oysters.”
Besides gradually replacing the older cards with the new ones, the new system also required Transport for London to upgrade the software on the card readers. “The entire Oyster system now accepts DESFire cards as all readers have had new software installed to read the higher level of encryption associated with DESFire cards,” the spokesperson says. “Card holders need to take no action to replace their cards as ticket office staff are incrementally replacing cards when they are presented by our passengers either when topping up, renewing season tickets or replacing lost or faulty cards.”