Dutch research foundation funds secure travel card development
A Dutch university has won funding to develop an open source travel pass system that ensures the privacy of travellers. Radboud University in Nijmegen has won a grant of around £119,000 from the Dutch Stichting NLnet foundation, a charitable body that supports research and development of internet technologies. Radboud previously demonstrated security weaknesses in current travel card systems, not least those, such as the UK Oyster, based on the Mifare Classic RFID chip.
NLnet hosts regular themed contests from which it selects projects for funding. All funded developments are apparently published as open source. The foundation's announcement stresses not only improved security from card abuse, but also the goal of intrinsic privacy, stating that the proposed development will allow "passengers to buy a personalised card – with tailored discounts – without the need or risk of having all ones travels unravelled." This could be a tempting proposition in the face of function creep that has already allowed Oyster card travel records to be released to law enforcement in the UK for several years.
The announcement also makes a point of the benefits of the project being open source. "By putting the development in an open context and embed privacy in the design phase – and not as an afterthought – we hope to lay the foundations for a next-generation smart card for public transport in the Netherlands and beyond that works and really is worth the full confidence of consumers" said NLnet foundation strategy director Michiel Leenaars.
As if to underline the importance of this research, Radboud University researchers recently spent a day in London travelling the Underground using a cloned Oyster card, and were also able to deny service at an entry gate. In the aftermath of this demonstration, Transport for London have asserted that they can detect and block cloned Oyster cards within 24 hours. However, the Dutch researchers have clearly demonstrated the need for a more robust alternative.