Saturday, 3 April 2010

Foiling the Oyster Card

Many people are worried about the privacy implications of the new Transport for London Oyster Smart Card. This promises greater convenience (and some introductory discounted fares) for travel on London Underground railways and Bus services, at the cost of greater surveillance of individuals, since each Oyster Card is uniquely numbered, and has to be swiped at the start and end of each journey. This self tracking behavior is reinforced by the poster advertising campaign and the policy of charging the maximum possible fare unless you swipe the card past the reader at the end of your journey, not just at the start.

The season ticket versions of the card have name and address and credit card details associated with them. Even the new pre-pay cards, which are more anonymous, unless you use a credit card or choose to register the card, still have a unique tracking serial number which can be tied to the omnipresent CCTV Surveillance on London Underground, and increasingly even on London Buses.

The system uses contactless MIFARE based smart cards with distinctive yellow readers at Tube station barriers and on buses.

There is no authentication mechanism, e.g. a Personal Identification Number as with "Chip and PIN" credit cards; it depends only on whether the Oyster card is within range of a reader, typically 10 centimetres or so for the readers currently deployed by Transport for London (which is far less than what the equipment is actually capable of). The only security against being accidentally overcharged, or having your private details read or associated with a particular Oyster Card by people operating their own MIFARE scanners, is to shield the Oyster Card from unwanted radio signals. These private details include information about the last 10 or so trips that you have made, which is data stored directly on the card, and which will be available to the 3rd party retailers who come on board the "electronic purse" aspects of the scheme.



The MIFARE system uses one of the Industrial Scientific Medical licence free frequencies at 13.56 MHz, so it is not illegal for other people to have or to use their own reader equipment.

One way to preserve your privacy somewhat is to shield the Oyster Card with aluminium kitchen foil. This seems to block the readers on the charge up ticket machines even when only the back of the Oyster Card is shielded i.e. you have to remove the Oyster Card from the shielded holder for it to be read/charged up:

[Image: Foiling_the_Oyster_Card.jpg]

Even if, like us, you do not think that non-Oyster Card readers are very common yet, there is still a case for shielding your Oyster Card, especially the pre-paid one which currently only operates in the central zones 1 to 3. If you travel into London from outside these zones, on a paper ticket which you present to the slot in a Tube ticket barrier on your right, you do not want money to be deducted from your zone 1 to 3 Oyster Card as well - it depends on your physical size as to how close the Oyster Card readers are to whatever pocket or handbag etc. you keep your card in.

Similar use of aluminium foil to line pockets or handbags or shopping bags etc. will also block RFID tags on consumer items which have not been "killed" or disabled at the checkout (again, more of a potential problem in the future, rather than a big risk at the moment).

However, if you choose to use such radio frequency shielding techniques, be aware that you currently run the risk of being suspected of carrying concealed weapons or explosives by the operators of the still rare but controversial "see under your, or your children's, clothes" Passive Millimetre Wave Radar cameras and scanners being tested by the Police and other military security forces.

UPDATE:

We are getting visitors directed to this article via links from discussions about the security and privacy problems with the new US Biometric passport.

This involves some international "bait and switch" propaganda e.g. the US and UK governments claim "we have to introduce biometric passports because that is what the International Civil Aviation Organisation says we have to do."

Speak to anyone in the ICAO and they say "we are specifying biometric passports because the US and UK government were pushing this policy."

Biometric Passports need a chip inside them, and for some astonishing reason, probably to do with commercial lobbying, the ICAO has specified a contactless smartcard solution. All well and good, except that this is not a very tight specification, and the US Government has chosen not to use any encryption in its passports, i.e. they have ignored all the technology and experience gained through the issue of millions of Mifare type contactless travel smartcards, like the Oyster card.

This means that US citizens will have their passport details secretly read, through their clothing or luggage, by unauthorised standard reader devices, some of which could be operating with more sensitive antenna and amplification in excess of the normal off the shelf equipment which has to obey local radio frequency allocation power limit regulations. This is a threat to the privacy of US citizens (and any other country stupid enough to copy the US system). In the worst case, there will be terrorist bombs and booby traps triggered by a specific individual's US Passport, or a generic "are there sufficient US passport holders in the immediate area" type detonation command.

The way to overcome this is obviously to shield the passport in the same way as the Oyster Card above. However the same laws of physics apply, so you cannot put the chip and antenna into the cover of the passport if you intend to shield it with aluminium etc.

You end up having to have a thickly laminated page, effectively a smartcard, bound into the passport booklet (border control visa ink pad stamps are not going to be phased out). You could then shield the covers of the passport booklet.

This means that instead of a convenient, rapid check like the Oyster card, such a passport will involve fumbling to get the covers open to expose the smartcard page inside, and then presenting it to the reader device. Why on earth couldn't they have used a contact smartcard, like millions of "Chip and PIN" credit cards, or an optical barcode system, which can be read by laser without the risk of it ever being read secretly through your clothes or luggage by radio?

If the US style passport is not shielded (still an option), and people go for the home brew or commercial (there must be millions of leather and other passport wallets on the market) shielded passport holder, then experience with the Oyster Card shows that you will have to remove the passport from this shielded wallet for it to work. Simply flipping it open will not be sufficient, especially if the official passport readers are deliberately detuned to only work at a very short range (so as not to get confused by the next people in the inevitable queue).

All the worries about "see under your clothes" snooping devices apply even more to such shielded passports - this equipment is being introduced in airports first, as it is still expensive. Therefore there will be a number of "false positives" where people are suspected of carrying weapons, explosives or drugs, simply on the basis of their shielded passport holders which will show up in high contrast against their "naked" bodies.

Obviously when this happens too many times, the security guards will become lax, and criminals will start to smuggle small amounts of drugs, explosives or sharp weapons, within the shielded passport holder itself.
