Mifare hacks and risk assessments

Contributed by Joanne C. Kelleher

When news initially hit that the Mifare Classic card was hacked by a University of Virginia graduate student Karsten Nohland and two German partners I wasn’t going to blog about it. I’ve covered several other RFID -related technologies which have been hacked. What usually happens is the community and/or the technology owner ignores the attack or says it doesn’t matter. Initially NXP Semiconductors, a Netherlands-based company which owns and licenses the Mifare line, did the same thing.

Article: Hackers claim RFID smart-card hack, but vendor disagrees
SC Magazine, March 05, 2008

But the follow up to this hack has been different. It has received international press from the RFID, computer and security industries and NXP has responded in a variety of way.

The Mifare Classic, an inexpensive access card which uses 48 bit security, is used by public transport systems such as London’s “Oyster” card and Boston’s “Charlie” card.

Initially, parts of Nohland’s findings were published at the Chaos Computer Camp hacker’s conference in Berlin last December. As the Mifare Classic is widely used to access buildings and is about to be launched as a common means of payment for all forms of public transport in The Netherlands, there was a lot of publicity and political discussion in that country. A report for the Dutch government was released on February 29th that confirms the hacker’s findings, but asserts that systems will likely be secure for another two years since the attack is still costly from an equipment standpoint.


The hackers then published a paper demonstrating a way to crack the chip’s encryption technology. They present an attack that recovers secret keys within minutes on a typical desktop PC or within seconds on an FPGA.


Article: U.VA. researchers crack smartcard chips – Mifare Classic security proven weak
Steve Ragan – Security Editor at The Tech Herald held interview with research team.

An information security researcher and team at the Radboud University in Nijmegen built on the work of Karten Nohl and Henryk Plötz to demonstrate and confirm the attack. They notified the Dutch government, NPX (on March 9th – remember that date) and Parliament.

Press release
Demo (with English subtitles)

The Dutch interior affairs minister, Guusje ter Horst wrote in a letter to Parliament that she was preparing supplemental security measures for some government buildings as a result of the attacks.

Article: RFID-Hack Hits 1 Billion Digital Access Cards Worldwide
A warning is issued that some security access cards that use RFID technology are vulnerable to hack attacks.
PC World, March 12,143371-c,privacysecurity/article.html

Article: Dutch interior affairs minister says widely used security pass can be hacked
International Herald Tribune, March 12, 2005

On March 10th (hmmm…) NXP announced “MIFARE Plus, a revolutionary contactless smart card IC that offers breakthrough security and performance for the cost-sensitive automated fare collection (AFC) and access control markets. MIFARE Plus is the latest addition to NXP’s MIFARE portfolio, features multiple levels of security, including Advanced Encryption Standard (AES) encryption, and an easy migration path from existing MIFARE Classic implementations.”

NXP, which obviously did not mention the hacks in their press release, said that the MIFARE Plus will be available for pilots in the fourth quarter of 2008.

NXP Press release –

Article: Did NXP finally acknowledge security problems in their MIFARE chip?
Steve Ragan – Security Editor at The Tech Herald

In the week since the NXP MIFARE Plus announcement there has been more press then usual in the RFID community about theses hacks and the lack of security on the Mifare cards.

Article: NXP Announces New, More Secure Chip for Transport, Access Cards –
According to the company, the chip is backward-compatible with the less-secure MIFARE Classic chip, recently hacked by two research groups.
RFID Journal

NPX has also issued open letters to end users and to system integrators that discusses the “alleged security issues” and encourages end users to work with their system integrators to do a risk assessment of their system.

Open letter to integrators:
Open letter to users:

I’m curious as to how many end users completed a risk assessment before their system was implemented and if this series of events will encourage more firms to do so in the future.

Update – This March 2008 post is still generating lots of traffic from search engines from those people interested in Mifare hacks.  You can find more recent posts about Mifare and other RFID related hacks in this blog under the Hacks category:

Posted in Cryptography, Hacks, RFID, RFID Tag, RFID Technology, Security
3 comments on “Mifare hacks and risk assessments
  1. olesmartie says:

    The security issues with the mifare Classic card were known 13 years ago, but many system designers and system operators chose to ignore them or didn’t implement proper security assessments before using the cards.
    The DESFire card chip, also made by NXP, is much better and easier to use, has far higher security at a fractionally higher cost, and has been available for a few years.
    Many folks are saying that the risk to transit systems is insignificant since the system will monitor and report card fraud. But in fact few transit systems have adequate card fraud reporting and most of them cannot hotlist out large quantities of suspected cards. So wholesale card fraud has the potential to bring these systems to their knees.
    Also there is the public perception issue, which also may force the removal of these cards.
    This is a BIG issue, as many transit systems worldwide use the mifare Classic card, and its cost of removal and replacement, plus system re-engineering and the logistics of card replacement, won’t come cheap. But I believe that eventually they have no choice but to replace all their cards.

  2. icarus1337 says:


    I quote the following line from the press release you are linking to:

    It is a reaction to the german hackers.
    “Their approach is completely different from ours, as we only exploited weaknesses of the protocol and did not look looking at the hardware

    This does not confirm any attack of the Germans, only their own attack right?

  3. RFID Labels says:

    thanks for this informational post, all above provided articles and pdf as very useful for my research.

    Hope to hear from you more.

6 Pings/Trackbacks for "Mifare hacks and risk assessments"
  1. […] credit cards. Unlike the Mifare story which has received lots of international attention (see, so far this story had only been picked up by a few technology blogs. Maybe it is old news just […]

  2. […] from the security community and NXP Semiconductors, see “Mifare Hacks And Risk Assessments” –  Research related to this hack […]

  3. […] NXP Semiconductors took researchers at Radboud University in Nijmegen to court in an attempt to stop them publishing their controversial report on the security aspects of the Mifare Classic chip. Over one billion of MiFare Classic chips are used worldwide, including in many access control keys, governmental security systems and transportation or subway passes cards such as London’s Oyster card, Boston’s CharlieCard, and the planned OV-Chipkaart in Netherlands. NXP spokesperson Martijn van der Linden told Dutch news site Webwereld that publishing the report is ‘irresponsible’. Details about the Mifare hack are at and […]

  4. […] Last spring an information security researcher and team at the Radboud University in Nijmegen built on the work of Karten Nohl and Henryk Plötz to demonstrate and confirm a hack against NXP’s Mifare Classic. On March 10, 2008, just days after the Dutch government, NPX and Parliament were notified of the attack, NXP announced “MIFARE Plus, a revolutionary contactless smart card IC that offers breakthrough security and performance for the cost-sensitive automated fare collection (AFC) and access control markets.” See Mifare Hacks And Risk Assessments at […]

  5. […] RFID Bill Passes in California FTC’s RFID Workshop on Consumer Privacy and Data Security Media Reactions: RFID Kills but Cell Phones Don’t? Secure RFID For Drug E-pedigree Safeguarding America’s Pharmaceuticals Mifare hacks and risk assessments […]

Leave a Reply

Your email address will not be published. Required fields are marked *