Up to one billion RFID access cards could be affected by hack

The Dutch government has issued a public warning about the security of access cards based on the Mifare Classic RFID chip.

On the heels of two independent research teams demonstrating attacks on the Mifare Classic RFID chip's encryption algorithm, the Dutch government has issued a public warning about the security of access keys based on it. The minister of interior affairs, in a letter to parliament, wrote that government institutions plan to take "additional security measures to safeguard security."

It is no laughing matter: the technology is used by transit operators in London, Boston, and the Netherlands, and in access cards at numerous other organizations around the world.

Excerpt from PC World:

NXP developed the Mifare Classic RFID (radio frequency identification) chip, which is used in 2 million Dutch building access passes, said ter Horst. One billion passes with the technology have been distributed worldwide, making the security risk a global problem. A spokesperson for the ministry told Webwereld, an IDG affiliate, that it had not yet notified other countries.

  • German researchers Karsten Nohl and Henryk Plötz have published a paper on how to crack the chip's encryption (pdf)
  • Bart Jacobs, an information security professor, has released the video which I have embedded above.

The video demonstrates how the cryptographic keys can be retrieved from readers attached to access control infrastructure, or even sniffed simply by walking past a Mifare RFID card holder. A duplicate card is then cloned and used to gain unauthorized entry. What is really scary is the ease with which the attacks are executed.

The interesting thing here is that the manufacturer, NXP Semiconductors, has quickly announced a new version of the chip, the Mifare Plus, with enhanced security: 128-bit AES keys in place of the Mifare Classic's original 48-bit keys, to be exact.

The pertinent question is why the Mifare Plus was not introduced earlier. It is not known how much the enhanced card will eventually cost, but reports say the original Mifare Classic sold for less than a dollar, so the low cost of the Mifare Classic may well have been a factor.

Key length is only part of the story: the Mifare Classic's problem was a proprietary cipher that the researchers were able to reverse engineer, after which a 48-bit key is small enough to search exhaustively. Then again, will 128-bit encryption still be secure ten years from today? Is it even reasonable to ask for security that cannot be breached?
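The two attack paths described above (replaying what is sniffed from a card holder, and cloning a card once its key has been retrieved) can be made concrete with a small model. The following is an added example, not code from the article or from NXP: it implements neither Crypto-1 nor the real Mifare protocol, but contrasts a door reader that trusts static card data with one that runs a challenge-response against a per-card secret, and shows which clones each one admits. The UIDs, keys, stored data and the captured exchange are all constructed here; the brute-force estimate is plain exhaustive search at an assumed guess rate.

```python
# Added example (not from the article or NXP): a toy model of the two
# cloning paths the article describes, against two simplified door-reader
# designs. Not Crypto-1 and not the real Mifare protocol. All UIDs, keys,
# stored data and the recorded exchange are constructed for this example.
import hashlib
import hmac
import os

DOMAIN = b"door-auth-v1"  # domain separation tag (constructed)


def card_response(key: bytes, uid: bytes, nonce: bytes) -> bytes:
    """Card's answer to a challenge: a MAC over (uid, nonce) under the
    card's secret. Stands in for the card side of a challenge-response."""
    return hmac.new(key, DOMAIN + uid + nonce, hashlib.sha256).digest()


class StaticReader:
    """Design 1: admits a card whose UID and stored data match enrolment.
    Everything it checks can be read or sniffed and written to a blank."""

    def __init__(self, enrolled: dict):  # {uid: stored data}
        self.enrolled = enrolled

    def admit(self, uid: bytes, blob: bytes) -> bool:
        return self.enrolled.get(uid) == blob


class ChallengeReader:
    """Design 2: fresh nonce per attempt; the card must MAC it with the
    per-card secret that the reader's backend also holds."""

    def __init__(self, keys: dict):  # {uid: 16-byte secret}
        self.keys = keys

    def challenge(self) -> bytes:
        return os.urandom(16)

    def admit(self, uid: bytes, nonce: bytes, response: bytes) -> bool:
        key = self.keys.get(uid)
        if key is None:
            return False
        return hmac.compare_digest(card_response(key, uid, nonce), response)


def run_scenarios() -> dict:
    """Run one eavesdropped pass, then three clone attempts."""
    uid = bytes.fromhex("04a1b2c3")                           # constructed UID
    blob = b"sector1:employee=1234"                            # constructed data
    key = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed secret
    static = StaticReader({uid: blob})
    chal = ChallengeReader({uid: key})

    # An eavesdropper records one genuine transit through the door.
    n1 = chal.challenge()
    recorded_uid, recorded_blob, recorded_nonce = uid, blob, n1
    recorded_response = card_response(key, uid, n1)

    results = {}
    # Replaying UID + stored data beats the static reader outright.
    results["replay_vs_static"] = static.admit(recorded_uid, recorded_blob)
    # Replaying the old MAC against a fresh nonce is rejected.
    n2 = chal.challenge()
    results["replay_vs_challenge"] = chal.admit(uid, n2, recorded_response)
    # A clone that holds the recovered key answers any nonce correctly:
    # challenge-response alone does not help once the key has leaked.
    results["keyclone_vs_challenge"] = chal.admit(uid, n2, card_response(key, uid, n2))
    return results


def brute_force_seconds(key_bits: int, guesses_per_second: int) -> int:
    """Worst-case exhaustive-search time in seconds at an assumed rate.
    Compare 48 bits with 128 bits at the same rate."""
    return 2 ** key_bits // guesses_per_second


if __name__ == "__main__":
    for name, admitted in run_scenarios().items():
        print(f"{name}: {'ADMITTED' if admitted else 'rejected'}")
    for bits in (48, 128):
        print(f"{bits}-bit key at 1e9 guesses/s: {brute_force_seconds(bits, 10**9)} s")
```

The point of the third scenario is the one the article makes about readers: a challenge-response stops a recorded exchange from being replayed, but not a clone that already has the key, so both the cipher and where the keys live have to hold up.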

Additional reading:

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

14 comments
JayAyY

A single factor security system based simply on something you have (a card in this case) is inherently not very secure. Add a second or third factor - something you know (PIN code) or something you are (biometric) and things get better - but still not 100%. Simple door entry systems are just that, simple and convenient with the slightest nod to security. Add a second factor to a door entry system and watch the queues build up. Whatever the system in place it must be appropriate to the perceived risks - as the perception (and reality) of the risks change, so should the security system.

normhaga

The RFID attack is not so bad. If you read the follow-up links at the bottom of the page and followed some of those you would have come up with an even more scary article, in particular: http://www.cs.virginia.edu/~kn5f/Mifare.Cryptanalysis.htm While I am not a big fan of heuristics, I do believe that they do have their uses. In the case of the above article heuristics were used to crack the algorithm. With a little tuning, you could probably crack all 48 bits and with a little effort and parallel programming you could extend the algorithm to 128 bits. I don't currently have an idea as to how long this would take, just that it could be done. The cryptanalysis article gave enough information that a decent coder could write the algorithm without a lot of difficulty. You hold X number of bits constant and look for a statistical bias of the other bits, then use that bias while holding other bits constant to determine the bits you do not know.

seanferd

priceless edited for ???

swdswan

In the video there were two failures. The first was in how RFID technology was used. The second is poor security practices. RFID systems are being developed to an almost audible theme that "they can fix anything". This is nonsense. Where there are good business processes RFID systems can automate many processes and increase efficiency. The 2nd issue is security. Many people want security to be simple, fast and effective. Security is inherently about putting the checks and balances in place to ensure that the right person, and only that person has the 'security key'. The failure here is not in the RFID System, but in its very sloppy application. S.W. David Swan CD Chief Technical Officer DBiTS DataBase Information Technology Services Inc

Neon Samurai

Up to one billion RFID access cards could be affected by vulnerability
Up to one billion RFID access cards could be affected by exploit
Up to one billion RFID access cards could be affected by poor RFID security
Granted, it was, as it usually is, hackers who discovered the vulnerability and published it to try and protect RFID users and improve the technology while pointing out the lovely quality of the emperor's new clothes. :) A great article in content though. Thank you for publicizing this issue and providing video documentation of it.

paulmah

Then again, will 128-bit encryption be secure another 10 years from today? Is it even reasonable to ask for security that cannot be breached?

Neon Samurai

I'm not sure if the vulnerability affects all or only a selection of RFID. In both those cases, the vendors affected would have to change their design to increase the security of the chip stored information. The example case was access to a building so one easy solution is to include a portrait photo of the card holder and have security pay attention to the door. If your face does not match the profile bound to your ID then there's a problem. With face recognition software, this becomes even more scary though hardware implementable. Of course, then some genius would figure out how to clone the RFID card and gain entry to the profile database. The number of usable clones would be limited to one and the rightful owner would find out the next time they went through a door.

Oz_Media

Actually RFID systems and the sellers of these systems are constantly faced with teaching people that is NOT the intent of RFID. Being fully trained in RFID myself, I have yet to see someone use such pathetic encryption standards. They are also NOT designed for security use, but have been adopted for such use, by some people. RFID was designed as a solution to supply chain management problems. The entire intent is to track goods from the manufacturer right through to the retail sale process; it increases supply chain management abilities/effectiveness. When I was working F/T in the field, I trained several companies on the correct applications and what RFID was REALLY for. There are less than 50 people in North America that are fully qualified to implement a system outside that area, a lot less than 50 actually. Yet there are thousands who sell the technology, without certification though, as it is not required as a prerequisite yet. I remember customers all over the world coming to me with new ideas on how THEY could use RFID too, as it was just a buzz at the time. In most cases, I asked them to stick with EKC's for security or simple barcoding for tracking. Unless they have the time and money to hire the right engineers, this technology will be botched, as we see in the case here. RFID CAN be used for low level security, ie: Gym memberships, country club locker room access for preferred members etc. To use it in a scenario as this is just terrible implementation that must have been put in place by an overzealous RFID wannabe who simply looked at $$$ and ignored the improper, premature use of the technology.

seanferd

What were they thinking? They should have started with 128-bit minimum. Now I'm curious to know what kind of encryption it is. Hopefully, something stronger for the new "plus" version.

donengene

No it is not reasonable, but there has to be a goal in mind to make any progress. If you look at it, paper labels, receipts and documents have always been forged. I would imagine that RFID is less susceptible to fraud or product theft than paper labels and receipts due to the education level of the person hacking. They won't get away with much without someone noticing it either; most RFID are used for product inventory. I'm sure a store manager would notice if all of a sudden a crate from the store went missing. One item, well RFID is not supposed to replace security. We still need people roaming the halls and at night looking to find people stealing stuff. RFID is only there to make things simpler. Where it gets sticky is when RFID tags have your personal information, such as some national identification cards in Europe. That is utterly ridiculous to use RFID with personal information since it can be hacked so easily. If when 128bit was developed they thought it would take 20 years to break the encryption, they never met Moore's law. Now with 8 core computers it would probably only take a dedicated programmer a month to create a program to break it repeatedly. Lesson should be don't use RFID for personal information, because there will always be someone willing to try and hack it to get your info. RFID should also have a read only switch, so that it would physically have to be opened in order to write to it. I can see people changing the prices on items at Kohl's that use RFID just to get a 50% discount or free because it didn't match the shelf price. That is another danger but one that can be avoided if store security do their job.

Timbo Zimbabwe

"Is it even reasonable to ask for security that cannot be breached?" No. Smarter mice will always force us to build better mousetraps. I personally do not believe in an impenetrable system. The trick is to make it so hard to access, hack or crack that it isn't worth the time or effort to try.

Neon Samurai

Security is not a noun with a factual basis and set level of meaning. It's a subjective term requiring an adverb; "higher security", "improved security", "more secure". It can't be explained as "is secure". So many people want the idea of security to be a fixed value noun as if saying "it's secure" makes something so. It's not a fixed value; it's a metric of measurement on a scale that is constantly changing with each new technology and discovery of administrator, developer and manufacturer error. Damn do I love the ongoing puzzle that is information security; 1001 jigsaw pieces and you can only ever find 999 of the things on the table at one time.

owner

One of the things I ran into a lot when I did tech support for wireless devices was the idea that just because you are using any form of security, people are lulled into the sense that they are safe and don't realize that there is no such thing as unbreakable security. Security at its best only makes it more challenging and time consuming for a would-be hacker, and that's the point, as Timbo stated: to make it so that it's just not worth his or her time to hack into the system. That is at its best. Security is often defeated by the user in using poor security methods like weak passwords. There will never be unbreachable security. As we come up with stronger and stronger encryption methods, hackers and crackers will come up with more powerful ways to break the encryption.