RFID hack could crack open 2 billion smart cards

Analyst: One European government sent armed guards to protect facilities using the card

A student at the University of Virginia in the US has discovered a way to break through the encryption code of RFID chips used in up to 2 billion smart cards used to open doors and board public transportation systems.

Karsten Nohl, a graduate student working with two researchers based in Germany, said the problem lies in what he calls weak encryption in the Mifare Classic, an RFID chip manufactured by NXP Semiconductors. Now that he's broken the encryption, Nohl said he would only need a laptop, a scanner and a few minutes to get the cryptographic key to an RFID door lock and create a duplicate card to open it at will.

And that, according to Ken van Wyk, principal consultant with KRvW Associates, is a big security problem for users of the technology.

"It turns out it's a pretty huge deal," said van Wyk. "There are a lot of these things floating around out there. Using it for building locks is the biggy, especially when it's used in sensitive government facilities -- and I know for a fact it's being used in sensitive government facilities."

Van Wyk told Computerworld that one European country has deployed military soldiers to guard some government facilities that use the Mifare Classic chip in their smart door key cards. "Deploying guards to facilities like that is not done lightly," he added. "They recognize that they have a huge exposure. Deploying guards is expensive. They're not doing it because it's fun. They're safeguarding their systems." He declined to identify the European country.

Manuel Albers, a spokesman for NXP Semiconductors, said the company has confirmed some of Nohl's findings. However, he added there are no plans to take the popular chip off the market.

"The Mifare chip was first introduced in 1994. At the time, the security level was very high," he said in an interview. "The 48-bit key lengths for encryption was state of the art."

Albers added that the company has other, more secure, chips in its product portfolio these days, but the pp=v=d,t=pfp,i=41863,fi=,ps=00 is a relatively inexpensive, entry-level chip. Anyone needing a highly secure smart card, should make sure there's layered security and not just depend on the chip's encryption, he said.

"We have to start this discussion, really, at the level where we differentiate between the security level the chip provides and the additional security features an entire card provides. You're dealing with a layered security system, like strands to a rope," said Albers, noting that between 1 billion and 2 billion smart cards with this MiFare Classic-type chips have been sold. "As long as there's demand for this product [and] system integrators saying this product is good enough for their platforms, we will continue to offer it."

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Sharon Gaudin

Computerworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?