Billion RFID Access Cards Can Be Hacked
Two independent research teams have demonstrated hacks of the Mifare Classic RFID chip algorithm. The technology is used by transit operators in London, Boston, and the Netherlands. It is also used in access cards at numerous other organizations around the world. The Dutch government has already issued a public warning about the security of access keys based on it. The minister of interior affairs, in a letter to parliament, wrote that there are plans for government institutions to take additional security measures.
NXP developed the Mifare Classic RFID (radio frequency identification) chip, which is used in 2 million Dutch building access passes. One billion passes with the technology have been distributed worldwide, making the security risk a global problem, and it had not yet notified other countries.
The manufacturer, NXP Semiconductors, has quickly announced a new version of the Mifare chip called the Mifare Plus, with enhanced security: 128-bit encryption instead of the original 48-bit. What is strange is why the Mifare Plus wasn't introduced earlier. It is unknown how much this enhanced card will eventually cost, but reports say that the original Mifare Classic sold for less than a single dollar. Hence, the low cost of the Mifare Classic might have been a factor here.
German researchers Karsten Nohl and Henryk Plötz have published a paper on how to crack the chip's encryption, and Bart Jacobs, an information security professor, has released a video. The video demonstrates how cryptographic keys could be retrieved from readers attached to access control infrastructure, or even sniffed simply by walking past a Mifare RFID card holder. Cards are then cloned to gain unauthorized entry. What is really scary is the ease with which the attacks are successfully executed.