London Oyster Card and MiFare Classic Building Cards Research by Dr. Nicolas T. Courtois
Can one crack and clone a London Oyster Card or a contact-less building card, if one is only allowed to communicate with the card of the victim for a short time, for example sitting next to the victim on the train?
Here are some highlights:
- The “Courtois Dark Side” attack on MiFare Classic,
is more than 10 times faster than the best attack in this category
by Dutch university of Nijmegen, and does not require a costly pre-computation. Many hackers execute this atack, for example with MFCUK tool, as it is extremely practical.
- See slides and eprint paper and here is the older official SECRYPT published version.
- It is estimated that more than 1 billion MiFare Classic cards have been sold covering some 80% of contact-less cards market, they are used everywhere: at Cambridge university, Royal Holloway, UCL, UK Cabinet Office, in Dutch public transit ticketing, etc. etc. In the UK Transport for London have still not revoked even the least secure cards from 2016 studied in this paper/slides. They are still in operation in 2016. Only new cards were updated since 2010, older ones are still in operation.
In practice the best known attack on MiFare classic is obtained by combining this “Courtois’ Dark Side attack” to recover one key with the “Nijmegen Nested Authentication Attack” to efficiently recover more keys.
- Here is a working implementation of the Courtois Dark Side attack.
- Another tutorial was presented at BlackHat Sao Paolo in 2014.
- It works for example for all London Oyster cards emitted before December 2009 and about 70 % of access cards used in buildings around the world.
- To know more about the fine details about practical feasibility and impact see also this paper from 2013 (here is official IEEE version) and these slides and this tutorial).
- Many companies actually use the same cryptographic keys in every card, e.g. in numerous buildings, so that once keys for one card are recovered, all the other cards can be read and written.
- The main open source implementation of the “Courtois Dark Side” attack.
- We also dispose of another fully working proprietary implementation.
- Recent slides by Golic from RSA 2013 and the paper which is very well written but it ignores important technichalities regarding the possibility to actually manipulate the RNG in practice, see this paper and slides.
- New paper about extracting keys from MiFare Classic cards .
- New web page about cloning and hacking MiFare classic by Tim Theeuwes.
- New type of attack with reader only.
- European Patent EP3326296 which is still being reviewed in 2020 because it is clearly invalid: as it omits to cite important prior art. Unethical patent application. In Claim 10 they try to hide where the real “inventions” are made: in extracting keys with no trivial hacks and non trivial cryptographic/mathematical/algorithmic attacks which took years to develop for numerous specialist contributors as seen above. Patent authors aim at exploiting commercially inventions made by others: academics hackers and students, without even acknowledging the already published known sources. This is simply theft of intellectual property.