RFID encryption flawed in smart cards, researchers claim

Experts knew chips were crackable, but didnt know it could be done so cheaply

New research showing that smart cards with encrypted RFID chips might not be as secure as previously thought is raising concerns in Boston, where the subway CharlieCards use just such technology. The research raises the specter of thieves with US$1,000 worth of equipment cracking smart-card encryption and making counterfeit cards to do everything from swipe fares to gain access to high-security areas.

Although University of Virginia student Karsen Nohl and colleagues revealed their findings in December at a conference, a couple of Boston-area media outlets (the Boston Herald and Boston Globe) picked up on the story this week, breathing new life into it. The MBTA, the outfit running the Boston subway system, declined to discuss its security technologies with the Boston newspapers.

The particular RFID chip in question -- the Mifare Classic, of which a billion-plus have been sold -- is made by Philips spinoff NXP Semiconductors, which has been quoted widely saying that only a portion of the cryptographic algorithm has been obtained by the researchers (the researchers have not disclosed their method fully, in an effort to keep those with bad intentions from copying them). Security experts have known all along that such chips, which generally cost less than a dollar, were crackable, but didn't realize it could be so economically feasible.

"People have and will, as we have, taken security expertise from the world of computers and applied it to RFIDs, whose designers had been operating under the assumption that their world was apart from such scrutiny," Nohl said in a statement.

Nohl and colleagues were able to listen to data broadcast by the chips using readily available RFID readers; they then dissected the layers of the chip via custom optical-recognition software to deduce the algorithm and encryption keys.

A video of the researchers' presentation, called "Mifare: Little Security, Despite Obscurity," is available on Nohl's Web page.

On his Web page at the University of Virginia, Nohl humorously reassures that he and his colleagues have not found a way to crack credit-card security: "Please note that we have not compromised the security of credit cards, as some of the articles suggest. From what we can see, RFID-enabled credit cards have no security (yet?), and hence there is nothing to compromise."

Various sorts of encryption have been under the scrutiny of researchers of late, with Princeton University and cohorts recently showing a way to crack disk encryption.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Network World staff

Network World

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?