Mifare hacks and risk assessments
Contributed by Joanne C. Kelleher
When news initially hit that the Mifare Classic card was hacked by a University of Virginia graduate student Karsten Nohland and two German partners I wasn’t going to blog about it. I’ve covered several other RFID -related technologies which have been hacked. What usually happens is the community and/or the technology owner ignores the attack or says it doesn’t matter. Initially NXP Semiconductors, a Netherlands-based company which owns and licenses the Mifare line, did the same thing.
Article: Hackers claim RFID smart-card hack, but vendor disagrees
SC Magazine, March 05, 2008
But the follow up to this hack has been different. It has received international press from the RFID, computer and security industries and NXP has responded in a variety of way.
The Mifare Classic, an inexpensive access card which uses 48 bit security, is used by public transport systems such as London’s “Oyster” card and Boston’s “Charlie” card.
Initially, parts of Nohland’s findings were published at the Chaos Computer Camp hacker’s conference in Berlin last December. As the Mifare Classic is widely used to access buildings and is about to be launched as a common means of payment for all forms of public transport in The Netherlands, there was a lot of publicity and political discussion in that country. A report for the Dutch government was released on February 29th that confirms the hacker’s findings, but asserts that systems will likely be secure for another two years since the attack is still costly from an equipment standpoint.
The hackers then published a paper demonstrating a way to crack the chip’s encryption technology. They present an attack that recovers secret keys within minutes on a typical desktop PC or within seconds on an FPGA.
Article: U.VA. researchers crack smartcard chips – Mifare Classic security proven weak
Steve Ragan – Security Editor at The Tech Herald held interview with research team.
An information security researcher and team at the Radboud University in Nijmegen built on the work of Karten Nohl and Henryk Plötz to demonstrate and confirm the attack. They notified the Dutch government, NPX (on March 9th – remember that date) and Parliament.
The Dutch interior affairs minister, Guusje ter Horst wrote in a letter to Parliament that she was preparing supplemental security measures for some government buildings as a result of the attacks.
Article: RFID-Hack Hits 1 Billion Digital Access Cards Worldwide
A warning is issued that some security access cards that use RFID technology are vulnerable to hack attacks.
PC World, March 12
Article: Dutch interior affairs minister says widely used security pass can be hacked
International Herald Tribune, March 12, 2005
On March 10th (hmmm…) NXP announced “MIFARE Plus, a revolutionary contactless smart card IC that offers breakthrough security and performance for the cost-sensitive automated fare collection (AFC) and access control markets. MIFARE Plus is the latest addition to NXP’s MIFARE portfolio, features multiple levels of security, including Advanced Encryption Standard (AES) encryption, and an easy migration path from existing MIFARE Classic implementations.”
NXP, which obviously did not mention the hacks in their press release, said that the MIFARE Plus will be available for pilots in the fourth quarter of 2008.
NXP Press release – http://www.nxp.com/news/content/file_1418.html
Article: Did NXP finally acknowledge security problems in their MIFARE chip?
Steve Ragan – Security Editor at The Tech Herald
In the week since the NXP MIFARE Plus announcement there has been more press then usual in the RFID community about theses hacks and the lack of security on the Mifare cards.
Article: NXP Announces New, More Secure Chip for Transport, Access Cards –
According to the company, the chip is backward-compatible with the less-secure MIFARE Classic chip, recently hacked by two research groups.
RFID Journal http://www.rfidjournal.com/article/articleview/3973/1/1/
NPX has also issued open letters to end users and to system integrators that discusses the “alleged security issues” and encourages end users to work with their system integrators to do a risk assessment of their system.
Open letter to integrators: http://www.mifare.net/security/integrator_information.asp
Open letter to users: http://www.mifare.net/security/enduser_information.asp
I’m curious as to how many end users completed a risk assessment before their system was implemented and if this series of events will encourage more firms to do so in the future.
Update – This March 2008 post is still generating lots of traffic from search engines from those people interested in Mifare hacks. You can find more recent posts about Mifare and other RFID related hacks in this blog under the Hacks category: http://www.securerf.com/RFID-Security-blog/?cat=28.