By Brian McNeill
MEDIA GENERAL NEWS SERVICE
March 09, 2008
A University of Virginia graduate student and two fellow hackers say
they have cracked the encryption code used to protect millions of
wireless "smartcards" in use across the globe.
With readily available equipment that cost under $1,000, Karsten Nohl,
26, and his two Germany-based partners say they dismantled a tiny chip
found inside many smartcards and mapped out its secret security
With the cryptographic formula in hand, the hackers were then able to
run it through a computer program that tried out every possible key. It
broke the encryption after a few hours. If they were to try again, Nohl
said, it would take a matter of minutes.
"I don't want to help attackers, but I want to inform people about the
vulnerabilities of these cards," said Nohl, a doctoral candidate in
computer engineering at U.Va. who is originally from Germany.
Wireless chips, which employ technology known as radio-frequency
identification, or RFID, are found inside most modern credit cards, car
keys, security keycards and subway passes. The chips send an encoded
numeric signal to the reading device, which allows the user to wave
their card to gain access to secure buildings, remotely unlock a car,
pay for public transportation and much more.
The popular chip that the trio "dissected" is called the MiFare Classic
RFID chip and is manufactured by NXP Semiconductors, a Netherlands-based
Nohl and his colleagues found that it was fairly easy to crack the RFID
The three computer whizzes announced their findings at the Chaos
Communications Congress in Berlin, an annual worldwide convention of
hackers. They are not releasing the details of how they beat the chip's
security code. But, Nohl added, it is possible that criminals might also
have done so.
Manuel Albers, director of regional marketing for North and South
America for NXP, disputed that Nohl and his compatriots breached the
chip's security, as they obtained only a portion of the cryptographic
algorithm. In fact, he said, the company's chips have multiple layers of
security and are not in danger of being totally compromised.
The company has been in contact with Nohl and his team and is reviewing
their findings, he said.
"We constantly improve and review our products to make sure it's up to
snuff with the latest security threats," he said.
Moreover, Albers said, NXP manufactures chips with a range of security
levels from zero to substantial protection. The chip examined by Nohl
was a relatively simple version with little security, he said.
In a statement, NXP added that the MiFare Classic "is not used in
banking, payment, nor automotive security applications anywhere in the
world. The MiFare Classic is predominately used in automatic fare
collection applications and access control applications."
Projects such as hacking the security code of an RFID chip are the "evil
twin" of Nohl's regular research, he said, which focuses on the
development of cryptographic algorithms for computer security. Nohl's
faculty advisor, David Evans, an associate professor in U.Va.'s School
of Engineering and Applied Science, said in a statement that exposing
security flaws through hacking helps ensure that future products are
Hacking, Nohl said, refers to the practice of investigating the internal
processes of computing technology. It is often mistaken for "cracking,"
he said, which means to break into computer processes for fun, vandalism
Nohl said that a more secure option for RFID security codes would be to
rely on publicly known and time-tested security algorithms. NXP's secret
code, he said, is an example of "security by obscurity," or the practice
of keeping the code private and hoping hackers do not figure it out.
Private algorithms, Nohl said, are more likely to have flaws and
"We found significant vulnerabilities in their algorithm," he said. "By
keeping it secret, they hurt themselves in the end." Brian McNeill
writes for The Daily Progress in Charlottesville.
Subscribe to InfoSec News