Boffins (finally) publish hack for world's most popular smartcard

Mifare weakness official


Two research papers published Monday have finally made it official: The world's most widely deployed radio frequency identification (RFID) smartcard - used to control access to transportation systems, military installations, and other restricted areas - can be cracked in a matter of minutes using inexpensive tools.

One paper - published by researchers from Radboud University in Nijmegen, The Netherlands - describes in detail how to clone cards that use the Mifare Classic. The chip is used widely throughout the world, including in London's Oyster Card, Boston's Charlie Card, and briefly by a new Dutch transit card. Manufacturer NXP and the Dutch government had tried in vain to prevent the researchers from disclosing their findings, arguing that the findings would enable abuse of security systems that rely on the card.

In July, a Dutch judge rejected the request and gave the researchers the green light to publish their paper. It is titled Dismantling MIFARE Classic and was released at the European Symposium on Research in Computer Security (Esorics) 2008 security conference in Malaga, Spain.

It came the same day that Henryk Plötz, a PhD student at Humboldt University in Berlin, published a master thesis (PDF) that includes the full implementation of the algorithm used in the Mifare Classic. The two documents combined mean that virtually anyone with the time and determination can carry out the attacks, said Karsten Nohl, a PhD candidate at the University of Virginia and one of the cryptographers who first warned of the weakness in December.

"Now the weakness that we and others have been talking about for months can be verified independently by really anybody," he said. "The flip side is that everybody can now attack Mifare-based security systems."

Over the past six months, many organizations that rely on the Mifare Classic have upgraded their systems, but Nohl said he is personally aware of a "handful" of systems used by government agencies or large multinational companies that have been unable to make the necessary changes because of the logistical challenges of issuing new badges to employees.

"One hopes that just based on the announcement, most operators of critical security systems have adopted other technologies besides Mifare," Nohl said.

The Achilles Heel in the Mifare Classic is a proprietary encryption scheme dubbed Crypto1. It contains a flaw that causes it to produce outputs that are so cryptographically weak that attackers can guess the key in a matter of minutes. All that's required is an RFID reader, a modest-strength PC, and about 10 minutes. NXP has said it has sold about 2 billion Mifare Classic cards.

The Radboud researchers have already used the discovery to clone Oyster cards and adjust the amount of credit stored on the pre-pay card. Separate students at the Massachusetts Institute of Technology claim to have found gaping holes in the Charlie Card used to collect fares for the Boston subway.

NXP Semiconductor has downplayed the significance of the flaw, saying the card alone should not be relied on for secured access to buildings and other restricted areas. A more robust card made by the company, the Mifare Plus, can use the so-called Advanced Encryption Scheme (AES), a time-tested algorithm that is widely believed to be secure. ®

Broader topics


Other stories you might like

  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading
  • China-linked Twisted Panda caught spying on Russian defense R&D
    Because Beijing isn't above covert ops to accomplish its five-year goals

    Chinese cyberspies targeted two Russian defense institutes and possibly another research facility in Belarus, according to Check Point Research.

    The new campaign, dubbed Twisted Panda, is part of a larger, state-sponsored espionage operation that has been ongoing for several months, if not nearly a year, according to the security shop.

    In a technical analysis, the researchers detail the various malicious stages and payloads of the campaign that used sanctions-related phishing emails to attack Russian entities, which are part of the state-owned defense conglomerate Rostec Corporation.

    Continue reading

Biting the hand that feeds IT © 1998–2022