Albers noted that NXP recently released Mifare Plus, which is backwards compatible with the Mifare Classic while offering better security. He said the company did not release the updated chip because of Nohl's findings but they did use some of his information when designing it.
"The problem is the card and the card reader," said Nohl. "They speak the same cryptography language that is flawed. Both need to be replaced. There is a lot of infrastructure to be replaced. The encryption is not standard. It's weak. It uses two short keys."
While Albers said "the majority" of the smart cards with this chip are used as bus or subway cards, both van Wyk and Nohl said the real problem lies in the cards that are used as door locks.
"I don't think people want to steal other people's bus tickets," said Nohl. "But think about chemical waste storage buildings or military facilities. The stakes are a lot higher. If you break in, you don't get a US$2 bus ticket but [you get] whatever is in that warehouse. These cards are used around the world to secure high-level buildings. All these applications will suffer as soon as somebody with criminal intent finds the details that we have."
Nohl explained that since the Mifare Classic smart cards use a radio chip, he can easily scan them for information. If someone came out of a building, carrying a smart card door key, he could walk past them with a laptop and scanner in a backpack or bag and scan their card. He also could walk past the door and scan for data from the reader.
Once he's captured information from a smart card and the card reader on the door, he would have enough information to find the cryptographic key and duplicate a smart card with the necessary encryption information to open the door.
How long would it take him to capture the necessary information? About two minutes, he said.
Van Wyk thinks Nohl might be humble in his estimate. "He says it would take him two minutes to crack it? Two minutes? I'd like to know what he did with the other minute and 55 seconds," he said. "It is so easy to crack most of that stuff? I don't think it's general to RFID, but there are a lot of RFID implementations that haven't done this very well. You could do RFID well, but it turns out that not many vendors are."