Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 31st, 2008

Billion RFID Access Cards Can Be Hacked

Two independent research teams have demonstrated hacks of the Mifare Classic RFID chip algorithm. The technology is used by transit operators in London, Boston, and the Netherlands. It is also used in access cards at numerous other organizations around the world. The Dutch government has already issued a public warning about the security of access keys based on it. The minister of interior affairs, in a letter to parliament, wrote that there are plans for government institutions to take additional security measures.

NXP developed the Mifare Classic RFID (radio frequency identification) chip, which is used in 2 million Dutch building access passes. One billion passes with the technology have been distributed worldwide, making the security risk a global problem, and other countries had not yet been notified.

The manufacturer, NXP Semiconductors, quickly announced a new version of the Mifare chip, called the Mifare Plus, with enhanced security: 128-bit encryption instead of the original 48-bit. The strange thing is, why wasn’t the Mifare Plus introduced earlier? It is unknown how much this enhanced card will eventually cost, but reports say that the original Mifare Classic sold for less than a single dollar. Hence, the low cost of the Mifare Classic might have been a factor here.

German researchers Karsten Nohl and Henryk Plötz have published a paper on how to crack the chip’s encryption, and Bart Jacobs, an information security professor, has released a video. The video demonstrates how cryptography could be retrieved from readers attached to access control infrastructure or even sniffed simply by walking past a Mifare RFID card holder. Duplicate cards are then cloned to gain unauthorized entry. What is really scary is the ease with which the attacks are successfully executed.
