Hacker trio finds a way to crack popular smartcard in minutes

Hacker trio finds a way to crack popular smartcard in minutes
Hacker trio finds a way to crack popular smartcard in minutes 

By John Cox
Network World 

People are starting to wake up to the fact that RFID-enabled smartcards 
now can be far more easily, and cheaply, cracked than ever before, as a 
trio of young computer experts recently showed.

These are a particular type of processor-embedded cards, and are 
different from credit cards. The actual decryption work by the 
researchers was done on the widely deployed Mifare Classic wireless 
smartcard, now manufactured by a Philips spinoff, NXP Semiconductors. 
Decrypted, the cards can be counterfeited, and users' personal and bank 
data is exposed.

That card is the basis of such new systems as the Dutch OV-Chipkaart, 
being rolled out in The Netherlands as part of a multi-billion dollar 
nationwide transportation ticketing system, and the so-called 
CharlieCard, used in the Boston subway system. The decryption breach 
triggered a firestorm of controversy, and Dutch authorities apparently 
have halted the rollout and are investigating the vulnerabilities.

The card can be used in debit/credit transactions with the user's bank 
account. This personal and important data is encrypted on the Mifare 
Classic with a proprietary encryption scheme.

The newest attack was demonstrated at the 24th Congress of the Chaos 
Computer Club in Berlin last December. Interest in the study has been 
spreading steadily from the arcane world of security hackers. One of the 
researchers is Karsten Nohl, a graduate student in the University of 
Virginia's Computer Science Department, in Charlottesville, the other 
two are Henryk Plotz and "Starbug." The trio apparently demonstrated a 
practical and effective way to break the Mifare encryption key, 
confirming what many cryptographers had suspected.

The team used an inexpensive RFID reader to collect encrypted data, and 
then reverse-engineered the chip to figure out the encryption key to 
decipher that data. They examined the chip under an optical microscope 
and used micro-polishing sandpaper to remove a few microns of the 
surface at time, photographing each of the five layers of circuitry. 
Nohl wrote his own optical recognition software to refine and clarify 
the images, and then patiently worked through the arrangement of the 
logic gates to deduce the encryption algorithm, a task made possible by 
the fact that the Mifare Classic relies on a secret key of no more than 
48 bits.

"Regardless of the cryptographic strength of the cipher, the small key 
space therefore permits counterfeiting of any card that is read 
wirelessly," the team wrote in a follow-up statement issued on Jan. 8. 
"Knowing the details of the cipher would permit anyone to try all 
possible keys in a matter of days," the researchers noted. "Given basic 
knowledge of cryptographic trade-offs and sufficient storage, the secret 
keys of cards can be found in a matter of minutes."

The Dutch transit system actually uses two other types of tickets or 
cards, and both have been successfully attacked by other researchers.

Nohl and his colleagues noted that other types of Phillips RFID tags, 
such as the Hitag2+ and Mifare DESfire, are not affected by their 

RFID security concerns have become pronounced over the past year or so, 
as hackers and researchers make more concerted efforts to understand the 
vulnerabilities. In mid-2007, one team used readily available RFID gear 
to read the Electronic Product Code data on tagged boxes loaded on a 
tractor-trailer. A year earlier, another group raised the specter that 
RFID tags could be infected with computer viruses.

All contents copyright 1995-2008 Network World, Inc

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods