Oyster cards hacked by Dutch researchers

Questions have been raised about the security of chips in Oyster cards after Dutch researchers claimed to have successfully cracked and cloned cards and travelled on London Underground for free.

According to Dutch publication Webwereld, researchers from Radboud University cracked the Mifare RFID chip, from NXP, used in the Oyster card, travelled on the Tube and then restored the balance on the card. The researchers also claimed to have launched a successful denial-of-service attack against Tube entry gates, causing them to jam closed.

Radboud researcher Wouter Teepe presented evidence to the Dutch parliament on Wednesday, in which he outlined the research. Teepe declined to comment to CNET.co.uk's sister siste ZDNet.co.uk on Wednesday, directing us to a Radboud University spokesperson. The spokesperson also declined to comment, saying only that Transport for London (TfL) had been informed and that the university was preparing a scientific paper on the subject, due in October.

TfL said it runs daily tests for cloned cards and that anyone caught using such a card could be prosecuted.

"We run daily tests for cloned or fraudulent cards and any found would be stopped within 24 hours of being discovered," wrote a TfL spokesperson in an email to ZDNet.co.uk. "Therefore, the most anyone could gain from a rogue card is one day's travel. Security is the key aspect of the Oyster system and Londoners can have confidence in the security of their Oyster cards. Using a fraudulent card for free travel is subject to prosecution."

TfL insisted that Oyster cards have 'robust security' that operates "at different points in the system", and claimed that personal information could not be compromised through a Mifare card hack.

"Should one security measure be breached, another will protect Oyster cards and the system as a whole," wrote the spokesperson. "No personal information is stored on an Oyster card and specific information relating to the individual card holder (name, address, telephone, etc) is stored on a central database and kept separate from journey data."