The Tech Herald

Did NXP finally acknowledge security problems in their Mifare chip?

by Steve Ragan - Mar 12 2008, 09:00

On Monday, NXP Semiconductors said it plans to release a new version of the Mifare chip, the chip that has gained fame lately after its security was broken by researchers at U. VA. Dubbed the Mifare Plus, the new chip addresses the exact security problems that its predecessor, the Mifare Classic, faced. The new NXP offering boasts 128-bit encryption over the original 48-bit. The thing that is missing is a thank-you to Nohl for working out the security flaws in the original Mifare.

Last week, I reported about the University students who cracked the encryption used in several common types of smartcard. I had the chance to hold a phone conversation and a brief email exchange with Karsten Nohl, who conducted the research with two others. (follow-up story here)

The research concluded that the security on the Mifare Classic chips, which are used in many micro-payment applications including the Oyster card, the CharlieCard, and the OV-Chipkaart, is flawed. Using nothing more powerful than the computer you are reading this article on, Karsten Nohl and his team cracked the algorithm used on the Mifare Classic completely.

“As much as I criticize the security of some smart [cards], I strongly believe in the potential of RFID technology; in particular in improving security in many domains. The current set-backs are hopefully only part of a learning process from which better systems will arise,” Karsten said to The Tech Herald in his recent interview.

As it turns out, his words were spot on. NXP Semiconductors, based out of the Netherlands, announced Monday that there is a new version of the Mifare chip. This new version, called the Mifare Plus, improves the security of the original Mifare offering, “…breakthrough security and performance for the cost-sensitive automated fare collection.”

It is fitting that the marketing material and press release from NXP mention cost. The original Mifare sold for less than a single US Dollar. (Reported to be $0.50 per chip.) The trade between security and cost is a common one. All too often companies will save on the bottom line, shorting security in the process. Take the CharlieCard used in Boston: this card uses the Mifare Classic and is used to grant access to Boston’s transit system, called T.

Currently, Boston is looking into using the CharlieCard to grant access to bank accounts in order to allow commuters to pay Mass Pike tolls and park in government-owned areas. With so many people using the CharlieCard, naturally the cost had to be low for Boston to pick NXP as their vendor to supply the RFID technology. The problem is that with the low cost came proven low security. Boston, like any other company, would trust the vendor, and naturally pick the lowest-cost solution available.

Nohl agrees. “If the manufacturer assures you that even the cheapest alternative has proven secure for more than a decade and provides "advanced security levels" wouldn't you go with it? This is yet another reason why the security of these systems has to be evaluated independently.”

What happens is that the sales reps often meet with buyers who have no knowledge or need to ask about security beyond a simple “Is it secure?” Often security planning and policy are introduced after the product is already deployed.

For places like Boston, the new Mifare Plus could offer a solution to the problem of security after the purchase. “The backwards compatibility of MIFARE Plus allows for a seamless introduction of cards in existing MIFARE Classic implementations. After upgrading the system infrastructure, service operators can easily switch MIFARE Plus-powered cards in the field to a higher security level without the need to revoke or re-issue the cards.”

While this is a solution, will there be any rush to upgrade? The point here is that upgrading infrastructure costs money, re-issuing cards would cost money, and there is also the money spent ensuring that those with older cards are secure and are upgraded first.

“Security is at the heart of MIFARE Plus, which is the only smart card IC of its class to offer strong AES encryption for authentication, integrity and confidentiality, based on a 128-bit key length,” NXP said. The original Mifare used a 48-bit key. So the upgrade does offer far better security.

“The Mifare Plus certainly has some nice features; privacy protection in particular. The operator of a system will still have to upgrade all readers and cards, though. The costs of this transition will not be any different from just switching to one of the already available high security cards right away. Mifare Plus will not be seen in the market for at least another year,” Nohl said.

A case in point is the Netherlands. They are currently in the middle of rolling out a new $3 billion national transit fare system that relies on the Mifare Classic chip to store fares to ride the subways and buses.

Shortly after Nohl’s group reported their research, the Dutch media sprang into action reporting on the vulnerability of the system's smart card. The reason for the fanatical reporting was that the Mifare Classic cards used for their transit system store fares and can even be linked, on request, to a customer's bank account.

With the security of such a costly system called into question, the Dutch government has convened several hearings. “The discussion in the Netherlands is far from over, but the outcome is already astonishing: politicians are calling for proprietary technology to be replaced by open designs (and open source software) and industry starts working closer with universities and "hackers" to make current and future systems more secure,” Nohl said when I asked about the outcome of the hearings.

Since special RFID card readers designed specifically to talk to the Mifare Classic are deployed in thousands of locations throughout the Netherlands transit system, switching to a higher-security RFID chip, such as the Mifare Plus, is sure to be costly.

The end result is that it is no coincidence that shortly after Karsten Nohl and his team reported their research, security on the Mifare line was boosted. What was not widely known to the general media and public is that Nohl was in contact with NXP, sharing his research and findings. While NXP may never admit to it, this is one case of research in security actually doing good by triggering the creation of a stronger product.

The problem is that, backwards compatibility or not, upgrading from the Mifare Classic to the Mifare Plus will be a big burden to some customers who are already deep in the investment cycle. It would be impressive if NXP offered some clients with large orders, like the Netherlands transit system or Boston’s T Line, steep discounts on infrastructure upgrades.

NXP says the MIFARE Plus will be available for pilots in Q4 2008.
