Feeds

Boffins (finally) publish hack for world's most popular smartcard

Mifare weakness official

Build a business case: developing custom apps

Two research papers published Monday have finally made it official: The world's most widely deployed radio frequency identification (RFID) smartcard - used to control access to transportation systems, military installations, and other restricted areas - can be cracked in a matter of minutes using inexpensive tools.

One paper - published by researchers from Radboud University in Nijmegen, The Netherlands - describes in detail how to clone cards that use the Mifare Classic. The chip is used widely throughout the world, including in London's Oyster Card, Boston's Charlie Card, and briefly by a new Dutch transit card. Manufacturer NXP and the Dutch government had tried in vain to prevent the researchers from disclosing their findings, arguing that the findings would enable abuse of security systems that rely on the card.

In July, a Dutch judge rejected the request and gave the researchers the green light to publish their paper. It is titled Dismantling MIFARE Classic and was released at the European Symposium on Research in Computer Security (Esorics) 2008 security conference in Malaga, Spain.

It came the same day that Henryk Plötz, a PhD student at Humboldt University in Berlin, published a master thesis (PDF) that includes the full implementation of the algorithm used in the Mifare Classic. The two documents combined mean that virtually anyone with the time and determination can carry out the attacks, said Karsten Nohl, a PhD candidate at the University of Virginia and one of the cryptographers who first warned of the weakness in December.

"Now the weakness that we and others have been talking about for months can be verified independently by really anybody," he said. "The flip side is that everybody can now attack Mifare-based security systems."

Over the past six months, many organizations that rely on the Mifare Classic have upgraded their systems, but Nohl said he is personally aware of a "handful" of systems used by government agencies or large multinational companies that have been unable to make the necessary changes because of the logistical challenges of issuing new badges to employees.

"One hopes that just based on the announcement, most operators of critical security systems have adopted other technologies besides Mifare," Nohl said.

The Achilles Heel in the Mifare Classic is a proprietary encryption scheme dubbed Crypto1. It contains a flaw that causes it to produce outputs that are so cryptographically weak that attackers can guess the key in a matter of minutes. All that's required is an RFID reader, a modest-strength PC, and about 10 minutes. NXP has said it has sold about 2 billion Mifare Classic cards.

The Radboud researchers have already used the discovery to clone Oyster cards and adjust the amount of credit stored on the pre-pay card. Separate students at the Massachusetts Institute of Technology claim to have found gaping holes in the Charlie Card used to collect fares for the Boston subway.

NXP Semiconductor has downplayed the significance of the flaw, saying the card alone should not be relied on for secured access to buildings and other restricted areas. A more robust card made by the company, the Mifare Plus, can use the so-called Advanced Encryption Scheme (AES), a time-tested algorithm that is widely believed to be secure. ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?