Dutch security researchers rode the London Underground free for a day after easily using an ordinary laptop to clone the "smartcards" commuters use to pay fares, a hack that highlights a serious security flaw because similar cards provide access to thousands of government offices, hospitals and schools.

There are more than 17 million of the transit cards, called Oyster Cards, in circulation. Transport for London says the breach poses no threat to passengers and "the most anyone could gain from a rogue card is one day's travel." But this is about more than stealing a free fare or even cribbing any personal information that might be on the cards.

Oyster Cards feature the same Mifare chip used in security cards that provide access to thousands of secure locations. Security experts say the breach poses a threat to public safety and the cards should be replaced.
"The cryptography is simply not fit for purpose," security consultant Adam Laurie told the Telegraph. "It's very vulnerable and we can expect the bad guys to hack into it soon if they haven't already."

The Dutch government has taken the breach seriously and says it is upgrading the smartcard system that secures its buildings. "It's a national security issue," a spokesman for the Dutch Interior Ministry told reporters. "We're in the process of replacing the cards of all 120,000 civil servants at central government level."

According to the Times, Radboud University researcher Bart Jacobs and his team used an ordinary laptop to clone an access card to a building in the Netherlands. When that worked, they went to London to test the technique on the Underground.

The hackers scanned one of the Underground's many card readers to collect the cryptographic key that purportedly keeps the system secure. The keys were uploaded to a laptop, essentially turning it into a portable card reader. The hackers then brushed up against passengers to wirelessly read the information on their Oyster cards. With that information in hand, it was a simple matter of using it to program new cards.

Jacobs says the same technique can clone smartcards that provide access to secure buildings. "An employee can be cloned by bumping into that person with a portable card reader," he told the Times. "The person whose identity is being stolen may then be completely unaware that anything has happened. At the technical level there are currently no known countermeasures."

Post updated 11:45 PDT

Photos courtesy Transport for London