Sunday, July 13, 2008

Security By Audacity

Does anyone else think the reason the Oystercard system had a multi-hour outage might be somehow connected with the fact that TfL's response to the class break of the NXP MiFare Classic cards it uses has so far been even worse than the manufacturer's? NXP's contribution to dealing with this has been to sue the Dutch students who demonstrated the exploit, but TfL's has been to write to the papers and say that there is nothing anyone could do with the ability to change any and all information on the cards. Nothing, I tell you!

Which, if it were true, would suggest that the cards are completely irrelevant to the system's functioning, which obviously isn't true...

5 comments:

cabalamat said...

It's the first reason I thought of.

Gridlock said...

Ditto - I was surprised that the press didn't ask the question, and then slightly later surprised that I was surprised.

Do you think they detected 'impossible' usage and panicked, or were fed a "patch" by NXP, or what? Interested to find out what this downtime accomplished, if our theory has merit.

Alex said...

The interesting bit is that the fix seems to involve the cards themselves. So presumably whatever went wrong involved bad data being sent back from the system to the cards.

Oddly, though, people who were affected have been issued new cards; you'd think that if the details on the card had been corrupted, you could just reload them from backup (where backup is the TFL database).


This suggests to me that either something *really* weird happened with them and actually damaged the chips (is someone running about with a powerful RF source in a bag?) or else there's been a violation of the database's own transactional integrity, so that they are regenerating new user accounts for the people involved.

That could be consistent with the appearance of cloned, fraudulent, or spurious cards.

Alternatively, I've read the MiFare paper, and it is clear that an offline attacker could write to the chip. This being a radio device, of course, they don't need physical access to the target...

Tom said...

Try Occam's Razor. TfL's actual engineers, despite what the PR said (and possibly some cognitive dissonance at high levels), will have been looking out (and probably crapping themselves) for odd patterns of usage - the nothing-to-worry-about story is sort of half right if you can spot and stop illegally topped up cards quick enough to make the bad guy give up.

That some species of card-stopping action could have been developed and deployed in a hurry is thus entirely possible. There's obviously no need to build in a revert-to-normal mode when you're nuking a fake, hence the issuing of new cards to blameless punters.

I'm glad I was in Ireland, frankly, where the bus ticket I bought from Limerick to Galway last week came off a big roll from a lady behind a window. Pretty good value too.
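Tom's "spot and stop illegally topped up cards" and Gridlock's "impossible usage" both come down to trusting the operator's ledger over whatever the chip reports. The following is an added illustration written for this page, not code from TfL, NXP or any commenter; the ledger rows, reported balances, station names and the 15-minute gap are all constructed, and a real system would need real geography and clock sources.

```python
from collections import defaultdict

# Constructed sample ledger: every top-up the back office authorised and every
# fare a gate deducted, per card. Once the chip can be rewritten by anyone,
# this database is the only trustworthy record of what a card should hold.
LEDGER = [
    ("card-A", "topup", 2000, "Ealing", 540),
    ("card-A", "fare", 200, "Ealing", 541),
    ("card-A", "fare", 200, "Bank", 600),
    ("card-B", "topup", 1000, "Brixton", 480),
    ("card-B", "fare", 200, "Brixton", 482),
    ("card-B", "fare", 200, "Stratford", 488),   # six minutes later, miles away
    ("card-C", "topup", 500, "Euston", 700),
]

# Constructed balances each card reported at its most recent tap (pence).
REPORTED = {"card-A": 2500, "card-B": 600, "card-C": 500}

# Constructed: station pairs no journey can cover inside MIN_GAP minutes.
MIN_GAP = 15
FAR_APART = {frozenset({"Brixton", "Stratford"}), frozenset({"Ealing", "Bank"})}

def ledger_balances(ledger):
    """Balance the back office believes each card should hold, in pence."""
    bal = defaultdict(int)
    for card, kind, amount, _station, _minute in ledger:
        bal[card] += amount if kind == "topup" else -amount
    return dict(bal)

def overfunded_cards(ledger, reported):
    """Cards whose on-card balance exceeds anything the ledger ever granted:
    the signature of value written straight onto the chip."""
    expected = ledger_balances(ledger)
    return sorted(c for c, v in reported.items() if v > expected.get(c, 0))

def impossible_journeys(ledger, far_apart=FAR_APART, min_gap=MIN_GAP):
    """Consecutive fares on one card at far-apart stations too close in time:
    the signature of one card's identity being presented from two chips."""
    by_card = defaultdict(list)
    for card, kind, _amt, station, minute in sorted(ledger, key=lambda e: e[4]):
        if kind == "fare":
            by_card[card].append((minute, station))
    flagged = []
    for card, taps in by_card.items():
        for (t1, s1), (t2, s2) in zip(taps, taps[1:]):
            if frozenset({s1, s2}) in far_apart and t2 - t1 < min_gap:
                flagged.append((card, s1, s2, t2 - t1))
    return flagged
```

Either flag is grounds to hotlist the card id at the gates and reissue a fresh card from the ledger balance, which is roughly the "nuke the fake, issue a new card" behaviour Tom describes.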

Alex said...

Interestingly, some *retailers* lost service to everyone for hours as well. Which implies that not just cards were affected.
