German Researchers Crack Mifare RFID Encryption 44
jfruhlinger writes "The long-running security battle has seesawed against RFID cards, as German researchers revealed a way to clone one type of card currently used for a variety of purposes, from transit fares to opening doors in NASA facilities."
According to the article, "NXP Semiconductors, which owns Mifare, put out an alert to customers warning that the security had been cracked on its MIFARE DESFire (MF3ICD40) smartcard but saying that model would be discontinued by the end of the year and encouraging customers to upgrade to the EV1 version of the card." This response may sound familiar.
RFID cracked? Shocking! (Score:5, Informative)
But seriously, RFID isn't secure against dedicated attackers. The fact that this vulnerability was known way back when the cards were first made leads me to suspect that they didn't create protection against it then so that they could sell their newer cards now, and save a few bucks at the time. Conveniently, the newer cards are even backwards compatible. Cynical? Maybe, but after recent compromises in the security industry (Sony, DigiNotar), nothing would surprise me. Least of all a company selling a defective-by-design security card to make some extra money.
Re:RFID cracked? Shocking! (Score:5, Interesting)
Or they had a working solution and wanted to get something out the door to start making money. If creating a new solution only took a month, that's money in the eyes of business leaders that they would not be making. So they make the decision to sell now, then fix the problem later. Plus, as you said, it leads to upgrades.
With something like the security of RFID cards, I would think that shipping with a possible security hole would be a pretty big deal. But its hard to say why the would make such a decision (or how aware of the possibility of it being cracked).
Re:RFID cracked? Shocking! (Score:4, Insightful)
I think selling cards that aren't resistant to side channel attacks like this is a perfectly reasonable decision. Lots of hardware is vulnerable to this kind of ultra-intensive probing (eg, the Xbox).
Like anything in engineering, these cards boil down to a cost/benefit analysis. If you use these cards in your canteen, how likely are you to go up against a team of people who spend months doing blackbox analysis of the cards? If that isn't likely, it makes sense to save money.
I am not even sure this counts as a "crack". Unless the German team release absolutely everything, the basic analysis would have to be repeated by whoever wants to recreate the attack. If you have that much money and expertise, there are probably easier ways into a secure facility than hacking the door locks (eg, bribing/blackmailing someone on the inside).
Re:RFID cracked? Shocking! (Score:4, Interesting)
You only have to profile the architecture one time, which this team has already done. Any MIFARE system can now be cracked in 7 hours. Once the POS system's card is analyzed, they'd be able to crack the keys on your particular canteen in 7 hours. And even then, multiple keys is a big problem. If your canteen is operated by some big chain, and that big chain also runs my canteen, what are the chances they have the same keys? I'd bet lots of money on it.
The core of the security problem is that because an implementation is hard and expensive, it's done infrequently. That means companies want to scale them up to drive down the unit costs of implementing them. Vendor X won't invent a new POS card for each client. Your food service company won't even deploy a separate key for each store.
Crack once, steal anywhere. It's an implementation issue. And that's why selling cards vulnerable to side channel attacks is a recipe for failure.
Dutch public transport was hit and solved this (Score:2)
Re: (Score:2)
That's why I said, unless the team release everything, which hopefully they won't do. Cheap RFID cards vulnerable to power analysis? Is this really research worthy of public funding at all?
Re: (Score:2)
>
That's why I said, unless the team release everything, which hopefully they won't do.
It's another form of security through obscurity to believe that this team is the only one who is capable of doing DPA, or timing attacks, or RF emission sniffing. These were just the first to announce their break publicly.
I don't doubt the bad guys can do this already. I chatted with a guy whose firm was offering DPA cracking services last year. Mostly they wanted to do it so you'd know your hardware was weak and theirs was better and so you'd upgrade to their product; but still, these researchers don't
Re: (Score:2)
Vulnerabilities known since years, but covered up (Score:3, Informative)
Re: (Score:2)
Companies who use the legal system to keep news about security holes in their product a secret really make me MAD.
Re: (Score:2)
From what I can read, this has nothing to do with the MIFARE DESFire, and everything to do with MIFARE Classic which is completely different.
NASA and cards (Score:4, Informative)
NASA has recently had two card initiatives. The first was to replace the ancient keycard swipe card system with newer proximity cards, while leaving the badge system alone. The second replaced both the badges and the (circa mid-2000s) prox cards with still newer HSPD-12 compliant smartcards. This sounds like the prox cards. In other words, it is most likely that NASA has already replaced these cards.
Posting anon for obvious reasons. Speaking for myself rather than my employers.
Re: (Score:1)
the FIPS201 PIV (HSPD12) cards you refer to can be used for contactless authentication in a number of ways:
1. CHUID (easily duplicated, no authentication required to read from the card)
2. CAK (PKI validation of the card itself)
3. PKI (PKI validation of the cert issued to the person, stored on the card)
4. BIO (on card or off card matching of fingerprints)
3+4 = awesome stuff. if they can do it. i'd be surprised if they are using this for their doors. it's a ton of equipment, labor, time for end users, money,
Take-Two Scenario (Score:5, Informative)
Low Power Requirements, Low Cost or Proper Security, pick two. That's the problem the industry faces and the reason we see flawed designs.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I think the problem is that the card has to do computation and without a battery in the card, doing enough computation for secure crypto is not really possible.
No, strong cryptography is not only possible but easy with or without a battery. AES is very efficient, and very strong.
The reason a battery is important is because it allows the chip to continuously monitor what's being done to it and to recognize patterns of usage that look like attacks and shut down (or even just slow down). When all power is provided by the attacker, the attacker has vastly increased ability to manipulate the operations of the chip, but cutting power at strategic moments, inducing f
Re: (Score:2)
If you need to use an oven magnetron to energize the cards, not many people are going to be receptive to using them for access to doors they use every day....
Re: (Score:1)
Re: (Score:3)
Re: (Score:2)
Just new cards, not new readers apparently (Score:2)
To ensure that customers and partners receive products with the best performance and security NXP constantly improves its MIFARE portfolio with the concept of evolving platforms. While the underlying product hardware is upgraded in terms of its performance and security, we keep next generation products functionally backwards compatible to ensure that the infrastructure can adopt the new product evolution without major upgrades. In this way, our customers can take advantage of the new technology with minimum or no additional investment into their infrastructure. The benefits of this approach become apparent now, allowing our customers to migrate quickly and easily to MIFARE DESFire EV1, introduced in 2008 as the successor of MF3ICD40. The MIFARE DESFire EV1 is Common Criteria EAL 4+ certified and the research group at the Bochum University failed when attacking the card with non-invasive side-channel attacks.
As planned, NXP will discontinue the MIFARE DESFire MF3ICD40 as of December 31, 2011, and we recommend that our customers and partners migrate to MIFARE DESFire EV1 for existing and new systems.
This would at least seem to indicate that the customers can just purchase new cards.
We need more sales (Score:2)
"Security widget X is working fine so no one is buying new ones".. "How about we say they are a security risk so everyone will upgrade"
Side chain attack (Score:5, Informative)
The summary poorly describes the real issue.
The encryption algorithm used in these cards is Triple DES. The 64 bit block cipher has not been cracked and still maintains approximately 80 equivalent bits of effective security with its 112 bit key.
However, the crack involves using a side chain attack and card profiling and allows the key to be retrieved within 3 to 7 hours. The attack is complicated, but has always generally suspected to be possible. Until now, no one had demonstrated and shown a detailed method to actually crack this type of card.
This is less of an immediate issue for security installations, as the systems are probably already backed with secondary verifiers (eg. biometrics, codes, etc) for high security requirements, and the access areas are probably counted in the low double digits. Not to mention that most 'security systems' seem to be composed mostly of security theatre anyway.
But, some systems using those cards are MUCH harder to retrofit (eg. electronic money/credit equivalents like metro systems, etc) where the infrastructure is highly diverse. And replacement would involve a massive process of card/reader swap outs, most likely with both systems operating in parallel for a time. Those systems also provide the most financial gain and lowest risk for criminal organisations if they can crack the security of the cards.
Re: (Score:2)
Re: (Score:2)
Yeah, but they state in their press release that the cards will be backwards-compatible.
This is true, but if the keys have been compromised then they'll need to re-key the new cards. The old cards will still need to be usable for some period of time until all have been recalled/reimbursed. Keeping in mind that these implementations are symmetric key systems with common master keys, so the new cards will need new keys and the readers will need to handle both cards.
For systems designed while considering this failure mode, the problem should be correctable by using pre-stored secondary keys in th
This has somem history (Score:2)
Here's a link [pcworld.com] to the earlier hack by German reseachers in PCworld , with links to video demonstration and paper of University of Virginia.
A similar hack on the same chip also in 2008 was published by Dutch researchers from Radboud Univeristy in Nijmgen, in the Netherlands. This case attracted additional attention because the company making the Mifare chip, NXP (formerly Phillips semiconductors), tried to block publication of the hack and was denied this in a Dutch court of law (security guru Schneier on th [schneier.com]
Re: (Score:1)
Ah, I stand corrected. I guess I should have read further than "MiFare." Thanks for guarding the facts.
However, it shows that after the initial hacking, improvements were made (well, they probably would have brought out a newer version anyway, but I'm sure the hack was taken along in the development). Later, that improved chip was hacked (different hack, for not the same chip, as you point out). So, we can expect this new chip being used by TLS to be hacked again. I assume it's better, but so are the hack
Or (Score:1)
Release a security flaw to a 3rd party group then get all your customers to upgrade.
Clipper Card in Bay Area, Califonira (Score:2)
Clipper card (the one accepted by most Bay Area Public Transport services) uses MiFare too. I remember looking up how strong it is, just a few months ago.
But note that... (Score:2)
This response may sound familiar.
But note that the MIFARE DESFire EV1 is older than the MIFARE Plus, and even with this crack it is nowhere nearly as bad as the MIFARE Classic designed in *1994*.
Re: (Score:2)
And that:
In June 2010 we started to inform our direct customers and eco-system partners that we would discontinue the MF3ICD40 at the end of 2011.
A link to the paper (Score:2)
http://www.emsec.rub.de/media/crypto/veroeffentlichungen/2011/10/10/desfire_2011_extended_1.pdf [emsec.rub.de]