Be Excellent To Each Other

And, you know, party on. Dude.

View unanswered posts | View active topics


Board index » General Discussion

All times are UTC [ DST ]



Reply to topic  Page 1 of 1
  [ 5 posts ] 
  Print view Previous topic | Next topic 
Author Message
Dr Lave
 Post subject: Hack my Oyster
PostPosted: Mon Jul 21, 2008 23:24 
User avatar
I forgot about this - how vain

Joined: 30th Mar, 2008
Posts: 5979
kalmar wrote:
Lave wrote:
I watched a video of some people clone a swedish card (that uses the same system as the Oyster aparently) then entered the building it contained.

But I couldnt get all the details as it was in the foreign, so thanks for the info.


Linky? I'd be interested.
There's a lot you can do with the fact that many operators leave the default key in place (FF FF FF FF FF FF) :)

Or it could have been a simple replay attack. Mifare classic can't avoid that, DESFire can.

Edit: Sorry mimi, forgot which thread I was ranting in there :D Ahem.

How about little felt monkehs with a mifare chip and antenna in them?


It's hard to find the original stuff, as the new news has eclipsed the old news when googling.

This is a basically what I saw though:


http://www.engadget.com/2008/03/14/oyster-cards-vulnerable-to-rfid-hack-lots-of-other-systems-too/

From March.

I don't know the ins and outs of it all, because the thesis means I can't spend all hours of the day reading up on some geeky topic. For the next 42 days at least. Then I'll be all over it.

_________________
Curiosity wrote:
The Rev Owen wrote:
Is there a way to summon lave?

Faith schools, scientologists and 2-D platform games.

Top
 Profile  
 
kalmar
 Post subject: Re: Hack my Oyster
PostPosted: Mon Jul 21, 2008 23:38 
User avatar
baron of techno

Joined: 30th Mar, 2008
Posts: 24136
Location: fife
OK, looks like they do have the secret key there (you can see them replacing the default one in the PC app).

If, as they claim, they got that by talking to the card reader on the door, then they must also have a working copy of the algorithm on the PC, and probably brute-force decrypted to get the key (I think that's what the laptop was doing at the start?).

The actual card cloning part is then straight forward, no hackery needed.

So, if you're determined you can do that, but if it was a building that was supposed to be properly secure then they wouldn't be relying on a single, weak method of verification anyway.
Top
 Profile  
 
Dr Lave
 Post subject: Re: Hack my Oyster
PostPosted: Mon Jul 21, 2008 23:41 
User avatar
I forgot about this - how vain

Joined: 30th Mar, 2008
Posts: 5979
kalmar wrote:
OK, looks like they do have the secret key there (you can see them replacing the default one in the PC app).

If, as they claim, they got that by talking to the card reader on the door, then they must also have a working copy of the algorithm on the PC, and probably brute-force decrypted to get the key (I think that's what the laptop was doing at the start?).

The actual card cloning part is then straight forward, no hackery needed.

So, if you're determined you can do that, but if it was a building that was supposed to be properly secure then they wouldn't be relying on a single, weak method of verification anyway.


It's pretty much all my University uses. But then they are idiots and whenever there is a power cut they have to hire a guards to cover each door! 8)

I've haven't really read about it, so I'm not sure what the new problem is thats greater than this one from back in march.

_________________
Curiosity wrote:
The Rev Owen wrote:
Is there a way to summon lave?

Faith schools, scientologists and 2-D platform games.

Top
 Profile  
 
kalmar
 Post subject: Re: Hack my Oyster
PostPosted: Mon Jul 21, 2008 23:45 
User avatar
baron of techno

Joined: 30th Mar, 2008
Posts: 24136
Location: fife
Lave wrote:
I've haven't really read about it, so I'm not sure what the new problem is thats greater than this one from back in march.


I think it was that they showed you how to get the algo out of the card, or actually physically published it (which would be a bit naughty tbh). Haven't actually seen the article myself either though.
Top
 Profile  
 
Dr Lave
 Post subject: Re: Hack my Oyster
PostPosted: Mon Jul 21, 2008 23:48 
User avatar
I forgot about this - how vain

Joined: 30th Mar, 2008
Posts: 5979
Ah that makes sense.

But I suppose if they have got it and they didn't publish, then the oyster card is only secure through (minimal) obscurity, so it's just as fucked pretty much.

Cheers!

_________________
Curiosity wrote:
The Rev Owen wrote:
Is there a way to summon lave?

Faith schools, scientologists and 2-D platform games.

Top
 Profile  
 
Display posts from previous:  Sort by  
Reply to topic  Page 1 of 1
  [ 5 posts ] 

Board index » General Discussion

All times are UTC [ DST ]

Who is online

Users browsing this forum: No registered users and 0 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search within this thread:
You are using the 'Ted' forum. Bill doesn't really exist any more. Bogus!
Want to help out with the hosting / advertising costs? That's very nice of you.
Are you on a mobile phone? Try http://beex.co.uk/m/
RIP, Owen. RIP, MrC.

Powered by a very Grim... version of phpBB © 2000, 2002, 2005, 2007 phpBB Group.