U.VA. researchers crack smartcard chips – Mifare Classic security proven weakby Steve Ragan - Mar 12 2008, 13:00
Last week, I reported about the University students who cracked the encryption used in several common types of smartcard. I had the chance to hold a phone conversation and a brief email exchange with Karsten Nohl recently. This is a follow-up to that article, offering better information, as well as final confirmation; the Mifare from NXP is cracked.
Last week, I reported about the University students who cracked the encryption used in several common types of smartcard. I had the chance to hold a phone conversation and a brief email exchange with Karsten Nohl, who conducted the research with two others. This is a follow-up to that article, offering better information, as well as final confirmation; the Mifare from NXP is cracked.
The cards that use the Mifare Classic chip are a common sight in the U.S., some examples include subway passes or door badges. The results of the code being decrypted means attackers can clone them, and use the cloned cards for nefarious means.
Karsten Nohl, age 26, and his two German partners dismantled the Mifare chip found inside the smartcards, and mapped out the security algorithm. They ran the formula through a computer program and broke the encryption after a few hours.
"I don't want to help attackers, but I want to inform people about the vulnerabilities of these cards," said Nohl, a Ph.D. candidate in computer engineering to the Associated Press.
The story starts long before you read about it last week. So what captured Karsten’s attention? “RFIDs fascinate me for the challenges they bring about; in particular for security. Optimally, RFIDs would be as secure as alternative ways of authentication, also resistant against new attacks that are specific to wireless technologies, and finally cheap enough to secure low-value items. This obvious contradiction and the trade-offs it requires is what fascinates me,” he said in his interview.
“Our group got started on Mifare when we wanted to know how well the millions of its users are protected. Personally, I also draw motivation from Mifare's weaknesses for my research in which I try to build stronger cryptography and first had to show that stronger crypto is indeed needed,” he added.
In fact, long before the American press caught wind of the story, the research team from U. VA. had already gained press attention in the Netherlands, where there was an investigation into their research.
The Mifare Classic chip is developed and sold by NXP Semiconductors, based out of the Netherlands. NXP has disputed the claims, calling the Mifare secure as only one layer of security was potentially cracked, and that only part of the algorithm was recovered.
“I am not exactly following NXP's rhetoric in this point. They have different products, many of which are very secure. The security of the particular card we analyzed, however, relies entirely on its cryptography which we found to be weak,” Nohl said when asked about NXP’s claim to multi layers of security and the claim that only part of the algorithm was recovered.
Another defense that has been offered allegedly by NXP and directly by a Dutch government investigation, is that it would be difficult and expensive to replicate Nohl’s research.
“The Mifare stream cipher is simple and its key is short. This alone should tell anybody that secret keys can be found cheaply. To finally end the discussion about how cheaply exactly, we made public a new attack on the cipher today that exploits its weak structure. Bottom-line: The computer you are reading this e-mail on can find secret keys in at most an hour,” Nohl told The Tech Herald in his interview.
However, once and for all, was the Mifare cracked, and a complete algorithm obtained? “We have the complete cryptographic algorithm,” Nohl said.
It is important to note that the Mifare is only one chip that NXP sells. Nohl himself says that there is no doubt the other two NXP chips are likely very secure. The problem is that this chip is on the low end of the price scale, thus it is an attractive item for companies who want security and want to keep costs down.
The trade between security and cost is a common one. All too often companies will save on the bottom line, shorting security in the process. Take the CharlieCard used in Boston, this card uses the Mifare Classic, and is used to grant access to Boston’s transit system called T. Currently, Boston is looking into using the CharlieCard to grant access to bank accounts in order to allow commuters to pay Mass Pike tolls and park in government owned areas.
With so many people using the CharlieCard, naturally the cost had to be low for Boston to pick NXP as their vendor to supply the RFID technology. The problem is that with the low cost came proven low security. Boston, like any other company, would trust the vendor, and naturally pick the lowest solution available.
Nohl, agrees. “If the manufacturer assures you that even the cheapest alternative has proven secure for more than a decade and provides "advanced security levels" wouldn't you go with it? This is yet another reason why the security of these systems has to be evaluated independently.”
What happens is that the sales reps often meet with buyers who have no knowledge or need to ask about security beyond a simple “Is it secure?” Often security planning and policy are introduced after the product is already deployed.
Some of the early reports state that the Mifare is used in credit cards, I asked Karsten if this was accurate, and if the media has reported his work fairly. “For the most part, the coverage was accurate, the only exception being the connection between our work and credit cards. We haven't compromised anything about credit cards as there is nothing to compromise,” he said.
So while credit cards might be simple to copy, serious crime using the copies obtained with RFID cracking would be difficult. “Systems in which the cards are used might still have other layers of security that potentially mitigate attacks. Credit cards are an example where the cards can easily be copied but fraud is often detected in the backend system.”
So what does this research mean? The research shows that a chip that is over twenty years old is not as secure today as it was when it was introduced. The research shows that there is a potential for abuse and risk to the owners of cards who use this technology. It shows that NXP has stronger encryption available, but instead chooses to sell Mifare anyway.
In a worst case scenario, speaking from the worst possible point of security, it could be possible to use this research to break security at power plants and other moderately secured areas. National security is not at risk, but that does not mean that the cloning of keycards, to gain illegal access to facilities protected by card access alone, is out of line.
RFID has always been seen as a privacy risk at the least. However, the scare is, these cards are being linked to financial businesses. So this means that fraud and other crimes will run wild, right? False, this is a myth. Is the potential there? Yes it is, but for the most part, financial institutions have very stable and strong methods of security. Will the financial sector use stronger encryption if the use of pay cards prevails?
“The financial sector is very inconsistent in that respect. Bank cards in Europe have, with few exceptions, always been built around strong cryptography. Credit cards that are particularly popular in the States, on the other hand, were notoriously easy to copy and this trend seems to continue for RFID-enabled credit cards,” Nohl says. “The better cryptography that is underway for credit cards will not change this in terms of privacy but rather improve the protection against financial fraud.”
Disclosure: NXP, in response to communications from Nohl and review of his research, announced on Monday they are releasing a new version of the Mifare chip. Part two of this story will cover that release. This announcement came after this story was in the process of being written.