London Oyster Card and MiFare Classic Building Cards Research by Dr. Nicolas T. Courtois
Can one crack and clone a London Oyster Card or a contact-less building card,
if one is only allowed to communicate with the card of the victim for a short
time, for example sitting next to the victim on the train?
Here are some highlights:
- The “Courtois Dark Side” attack on MiFare Classic,
see slides and paper is more than 10 times faster than the best attack in this category
by Dutch university of Nijmegen, and does not require a costly pre-computation.
- It is estimated that more than 1 billion MiFare Classic cards have been sold covering some 80% of contact-less cards market, they are used everywhere: at Cambridge university, Royal Holloway, UCL, UK Cabinet Office, in Dutch public transit ticketing, etc. etc. In the UK Transport for London have still not revoked even the least secure cards from 2016 studied in this paper/slides. They are still in operation in 2016. Only new cards were updated since 2010, older ones are still in operation.
- In practice the best known attack on MiFare classic is obtained by combining this “Courtois’ Dark Side attack” to recover one key with the “Nijmegen Nested Authentication Attack” to efficiently recover more keys. Here is a DETAILED explanation about how to recover cryptographic keys for most MiFare Classic cards at home with the ACR122 reader:
do it yourself: hacking MiFare Classic cards.
- Another tutorial presented at BlackHat in 2014.
- Here is a working implementation of the Courtois Dark Side attack.
- It works for example for all London Oyster cards emitted before December 2009 and about 70 % of access cards used in buildings around the world.
To know more about the practical feasibility and impact see also this paper from 2013 and these slides and this tutorial).
- Many companies actually use the same cryptographic keys in every card, e.g. in numerous buildings, so that once keys for one card are recovered, all the other cards can be read and written.
- The main open source implementation of the “Courtois Dark Side” attack paper/slides).
- We also dispose of another fully working proprietary implementation.
- Recent slides by Golic from RSA 2013 and the paper which is very well written but it ignores important technichalities regarding the possibility to actually manipulate the RNG in practice, see this paper and slides.
- New paper about extracting keys from MiFare Classic cards .