"“We have lent a huge amount of money to the U.S. Of course we are concerned about the safety of our assets. To be honest, I am definitely a little worried.” "

Chinese premier Wen Jiabao 12th March 2009

""We have a financial system that is run by private shareholders, managed by private institutions, and we'd like to do our best to preserve that system."

Timothy Geithner US Secretary of the Treasury, previously President of the Federal Reserve Bank of New York.1/3/2009

Monday, July 21, 2008

Oyster - a lesson in obsolesence - a cracked technology and money will leak away through the cracks

STOP PRESS Saturday 26th July Transport for London apology Transys Links provided by Watching them watching us of problems agains caused for users on Friday 25th, this was blamed on " incorrect data tables being sent out by our contractor" , whatever that means.

The Epson HX-20 (called the HC-20 in Japan),was the world's first hand held computer. Weighing in at 1.6 KG , th size of an A4 sheet , it provided a small LCD sc reen of 4 lines of 20 characters,a full qwerty keyboard and nNiCad batteries. It had twin Hitachi 6301 @ 0.614MHz with RAM expandable to 32k and Microsoft Basic in ROM, running CPM. It was introduced in mid 1982 they sold over 1/4 million and cost then about £900 Sterling.

Lord Patel, in his days as a software developer used handy ground breaking machine for remote data collection, collecting shop floor data for batch processing.

2 years later Psion, introduced the The Psion Organiser I model, launched in 1984, it was, like the Epson based on an 8-bit Hitachi 6301-family processor, with 4K of ROM and 2K of battery-backed RAM, and had a single-row monochrome LCD screen - this was expanded into the Organiser II in 1986 which had a rudimentary operating system, POPL (the Psion Organiser Programming Language). They cost about £250 sterling but according to sales literature at above link sold for US$199 say £150 then.

These were lighter , truly hand held devices but due to the inability to develop an RS 232 interface Lord Patel gave up developing systems using them - despite Marks & Spencer using them for price Look Ups (PLU's) in stores held on EPROM. Psion later got their act together and produced a good range of machines bit they were never intended for rugged use.

In 1984 a new company (preceded by GR Electronics which then became Oyster Terminals and then Oyster Termiflex ) Oyster introduced the RT80 hand held computer.This was a bright yellow, ruggedised to MILspec, with a 64 line x 30 charcater display, a DIN45 D15pin male serial connector which was crap qiality for attaching a bar code reader. It had an 8086 chipset ran a modified Microsoft DOS with a limited Microsoft CBASIC.

A cradle provided both a serial link to the PC network and charged the batteries - which proved to be a major failing because they suffered an "image" problem and should be run down untl re-charged, so fater downloading data they should have been removed from the cradle , nobody did and the batteries could not be fully re-charged.

Other than that they were fabulous bits of kit. The problem was that Mr Gates produced Windows with a Graphic User Interface and Oyster didn't bother upgrading, so further developments had to wait for palm devices, from Compaq and Hewlett Packard.

All this to show how remorseless and rapidly changing technology makes items obsolete.

Oyster have gone the way of all flesh and have nothing to do with swipe cards for London Transport.

1. Tuesday 15th July 2008
"Thousands of London commuters found their prepaid Oyster didn't work, after a computer system crash disabled card readers across London.

The computer system went down for at least five hours on Saturday morning until around 9.30am. Card readers across the buses, London Underground and trains such as Docklands Light Railway were not accepting Oyster cards for parts of the day." See also BBC report

2. The Oyster card was first issued to the public in July 2003. By March 2007 over 10 million Oyster cards had been issued,and more than 80% of all journeys on services run by Transport for London used the Oyster card. Plans have been afoot to extend their use for small payments by users at shops for low price items, confectionary, drinks, newspapers etc.,

TranSys is a consortium of Cubic, EDS, Fujitsu and WS Atkins who developed the Oyster ( a name obtained at great expense by Saatchi & Saatchi) which was introduced in July 2003. It is based on NXP/Philips' MIFARE standard 1k chips provided by G&D and SchlumbergerSema and the card is a contactless radio transmitter / receiver."Our MIFARE contactless smart card ICs provide the most advanced combination of security and convenience for contactless interfacing in accordance with the ISO 14443A interface standard. "

Subway RFID cards like the Parisian Navigo Pass, the London Oyster Card the Tokyo Suica card and Boston's CharlieCard use the same technology. OECD Policy Guidance - A Focus on Information SEcurity and Privacy Applications, Impacts and Country Initiatives June 2008 is a worthwhile report to read on RFID uses which provide user identity, which has ramifications way beyond paying for a tube ticket...see especially "invisibility of data".

About ten million Mifare smartcards , used for a vraiety of purposes from payment to controlled access to buildings are sold in Britain each year,

Police regularly use information on the adult Oyster card system to get details about passenger movements. BBC London has learned that in the past year they made at least 3,000 requests for information. A young person with criminal convictions, warnings, reprimands and other sanctions committed on the public transport network could have the right to free travel withdrawn, the spokesman said.

"In order to enforce these specific cases, personal information is requested by the Metropolitan Police Service, City of London Police Service and British Transport Police," .

The Information Commissioner's Office has criticised Transport for London for "collecting data without a clear purpose" for the children's photocard. From June Transport for London (TfL) made it mandatory for children aged between 11 and 18 to carry an Oyster photocard in order to gain free travel.

The current balance and ticket data held electronically on the card rather than in the central database and the value held is "loaded" at a preselected barrier or validator.

It is possible to set up automatic direct debit transactions so that when the balance falls below (say) £5 another £20 is written to the card.

The daily transaction data is held and updates the main system overnight - it would be impossible to provide (with current technology and costs) a real time validation in use as it would lead to huge delays.

3. March 10th, 2008 - NXP Semiconductors, the independent company founded by Philips, today announced MIFARE Plus, a revolutionary contactless smart card IC that offers breakthrough security and performance for the cost-sensitive automated fare collection (AFC) and access control markets.

Security is at the heart of MIFARE Plus, which is the only smart card IC of its class to offer strong AES encryption for authentication, integrity and confidentiality, based on a 128-bit key length. MIFARE Plus chips comprise a number of additional security features which, when used optimally in the infrastructure, provide for a system that prevents individuals from being identified and tracked by others. This is entirely related to this bit of prior news...

4. Chip manufacturer NXP, formerly the semiconductor division of Philips and well-known for its Mifare RFID chips, has filed suit against a group of researchers at Radboud University in Nijmegen, Holland. According to information provided by the company, the suit is intended to prevent the scientists from their planned October publication of the results of their research on the poor security of the Mifare Classic chip, a security product that has been sold billions of times over around the world....

"The ball was set rolling when a group of researchers in the Chaos Computer Club scene presented the results of their hardware analysis of the Mifare Classic chip at the 24C3 hacker conference last December(2007). That made public for the first time the functional principle of the secret Crypto1 encryption key, as well as various attacks against glaring vulnerabilities in the encryption and the random number generator. The access key for a card can be cracked within minutes on a PC and, with the help of special hardware, within seconds."

German geek magazine C't published an article by Karsten Nohl , Jan Krissler, Henryk Plötz entitled rather nciely, "Chiptease" Verschlüsselung eines führenden Bezahlkartensystems geknackt - Report,RFID-Hack,RFID, Funkchip, Mobilfunk, NXP, Philips, Mifare, Mifare Classic, Pseudozufallszahlengenerator, PRNG, Crypto1, Stromchiffre, Funkchip, Rainbow-Tabelle, Rainbow Table,c't 8/08, Seite 80 which was in April . They remove the coating and reverse-engineered the cryptographic algorithm.

The security of Mifare cards relies on secret keys with a key length of 48 bits. Knowing the details of the cipher would permit anyone to try all possible keys in a matter of days.

In mid April, researchers of the University College London and the University of Virginia reported that they were also able to recover the algorithm. The researchers recovered the full 48-bit key in 200 seconds on a single PC.

5. Radboud University researcher Wouter Teepe presented evidence on the crack to the Dutch parliament, which has already delayed installation of a €1bn automated payment transport system based on the same core technology. Known as the OV-chipkaart, it is to replace paper tickets on all trams, buses, and trains and is already undergoing trials in Rotterdam. The development of the card, , has been beset with problems. It has also halted use of the Mifare chip for access control of Government buildings.

Designed in the 1990s before processors of that size could handle strong encryption, Mifare has suffered at least three published cracks, according to security experts who have urged Transport for London (TfL) to upgrade the system.

When NXP raised an injunction in June to prevent publication of the architecture of the chip which could lead informed people to hack the RFID cards such as the Oyster "Killing the messenger does not solve the problem," Jacobs said. "This paper serves the interest of our society. The problems are real and should be addressed on the basis of sound and well-informed judgment."

6. A Dutch judge has ruled today that researchers Professor Bart Jacobs and colleagues from Radboud University in Nijmegen can publish details of how to crack the Oyster card (and others in use or under development) used on London’s public transport system. The Judge overturned the injunction sought by NXP , citing freedom of expression laws. "(The) damage to NXP is not the result of the publication of the article, but of the production and sale of a chip that appears to have shortcomings," the court said.

Transport for London says it'll be able to ban hacked cards within 24 hours. Ho.Ho.Ho.

In case anyone thinks this is unusual see PIN Entry Device (PED) vulnerabilities
by Saar Drimer, Steven J. Murdoch and Ross Anderson Cambridge University , Computer LaboratorySecurity Group.

"In Chip & PIN card transactions, customers insert their card and enter their PIN into a PIN Entry Device (PED). We have demonstrated that two popular PEDs, the Ingenico i3300 and Dione Xtreme, fail to adequately protect card details and PINs. Fraudsters, with basic technical skills, can record this information and create fake cards which may be used to withdraw cash from ATMs abroad, and even some in the UK. These failures are despite the terminals being certified secure under the Visa approval scheme, and in the case of the Ingenico, the Common Criteria system. Our results expose significant failings in the entire evaluation and certification process. "

The weaknesses were shown on Newsnight BBC2, 26 February 2008. A video of the segment is also available (alternate version: part 1 and part 2). The full report is online here 37 pages Thinking inside the box: system-level failures of tamper proofing .

In this paper we examine the definition and application of security boundaries in tamper-proof systems. Our working example is the UK card payment system,‘Chip and PIN’, which is an implementation of EMV (the EuroPay, MasterCard and Visa protocol suite) [23]. We show how two models of PEDs fail to protect against tampering and demonstrate real, practical, low-cost attacks. The attacks highlight problems throughout the entire process of specification, design, certification and deployment.

So Boris is left with a serious problem. Well TRANsys has a problem.Well NPX / Philips have a problem. Whilst no reason has ever been given for the breakdown last Tuesday 15th July of the Oyster system it looks highly likely that someone has decided to screw the system.

As we all know the CCTV on the Underground doesn't work if you are intent on murdering Brazilian electricians, it is unlikely that anyone will track the crackers or what the Dutch call 'Zwart Rijden' "Black Riders".

Expect more of the same ...


Watching Them, Watching Us said...

The Radboud University researchers also said that they could send a rogue data transmission to the London Transport Oyster Card readers, which resulted in the ticket exit gates failing over into the locked position.

In many places this is not that much of a problem, but at rush hour, in some of the central London deep Tube stations, with the escalators very close to the exit gates, this could cause disruption, injury or death, especially if a crowd panic results.

Transport for London are being far too complacent about this, diverting the media spin onto just the ticket revenue fraud aspects.

Tom said...

Having installed and set up some of the chip and pin terminals, they can be quite flash with Bluetooth etc. mobile operation, but they mostly phone home down old analogue lines.

I don't have much confidence in electronic banking, what happens if we get rid of cash and there's a run on the bank or a big hack of the whole system?

paul said...

Istanbul has a very simple system, which looks like a watch battery with a handle. You pays your money and you takes your transport. No fuss, no details. I think they call it a jeton, or akbil.
The problem is that its completely useless for tracking terrorists, which is the primary concern of any public transportation system

kevin metternich said...

Why worry about hackers, the system's a mess.

nfo for your readers outside the metropolis.

The Oyster Card is notoriously unreliable. Travellers who care what their journey costs do not have more than £3-90 on their card so's they are immediately alerted when the card subtracts a penalty payment (£4-) from them. Penalty payments appear to be taken at random.
On the Tube, the system appears unable to tell if you're entering or leaving it if you pass through a staff operated barrier at a station.
Automatic barriers don't always work.
If you touch your card against the reader whilst the barrier is still open from the previous traveller, you are at risk of having a penalty payment subtracted. I have, this evening, boarded the Tube at S.Kensington where even the tourists were waiting for the barriers to shut before they presented a card to the reader!! It didn't expedite entry to the station.

I have had cards which instantly subtracted a penalty payment immediately after being topped up.
And I had one card which "died" during its operation and just couldn't be read.

Oh, and the machines which "top up" the cards are utterly capricious in their ability to recognise coin of the Realm.

Welcome to our brave new world.

Watching Them, Watching Us said...

TfL are blaming Transys for crashing the Oyster Card system for the second time in two weeks (Sat 12 July and today Friday 25th July 2008):

"This problem, like the recent issue, resulted from incorrect data tables being sent out by our contractor, Transys (a consortium of the firms EDS and Cubic). Transys has also issued a statement today confirming that they are taking steps to ensure that this does not happen again, that they will undertake a root cause analysis"

Transport for London apology


(C) Very Seriously Disorganised Criminals 2002/3/4/5/6/7/8/9 - copy anything you wish