Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security IT

German Researchers Crack Mifare RFID Encryption 44

jfruhlinger writes "The long-running security battle has seesawed against RFID cards, as German researchers revealed a way to clone one type of card currently used for a variety of purposes, from transit fares to opening doors in NASA facilities." According to the article, "NXP Semiconductors, which owns Mifare, put out an alert to customers warning that the security had been cracked on its MIFARE DESFire (MF3ICD40) smartcard but saying that model would be discontinued by the end of the year and encouraging customers to upgrade to the EV1 version of the card." This response may sound familiar.
This discussion has been archived. No new comments can be posted.

German Researchers Crack Mifare RFID Encryption

Comments Filter:
  • by Baloroth ( 2370816 ) on Monday October 10, 2011 @03:26PM (#37668710)

    But seriously, RFID isn't secure against dedicated attackers. The fact that this vulnerability was known way back when the cards were first made leads me to suspect that they didn't create protection against it then so that they could sell their newer cards now, and save a few bucks at the time. Conveniently, the newer cards are even backwards compatible. Cynical? Maybe, but after recent compromises in the security industry (Sony, DigiNotar), nothing would surprise me. Least of all a company selling a defective-by-design security card to make some extra money.

    • by Necroman ( 61604 ) on Monday October 10, 2011 @03:46PM (#37669140)

      Or they had a working solution and wanted to get something out the door to start making money. If creating a new solution only took a month, that's money in the eyes of business leaders that they would not be making. So they make the decision to sell now, then fix the problem later. Plus, as you said, it leads to upgrades.

      With something like the security of RFID cards, I would think that shipping with a possible security hole would be a pretty big deal. But its hard to say why the would make such a decision (or how aware of the possibility of it being cracked).

      • by IamTheRealMike ( 537420 ) on Monday October 10, 2011 @04:25PM (#37669888)
        Or, there's an even simpler explanation: the attack in question is based on side-channel attacks that are not easy to exploit. From TFA:

        It takes about seven hours to crack the security on one card and get its 112-bit encryption key, the researchers said. It only works if you've already spent months profiling the card's architecture, behavior and responses.

        I think selling cards that aren't resistant to side channel attacks like this is a perfectly reasonable decision. Lots of hardware is vulnerable to this kind of ultra-intensive probing (eg, the Xbox).

        Like anything in engineering, these cards boil down to a cost/benefit analysis. If you use these cards in your canteen, how likely are you to go up against a team of people who spend months doing blackbox analysis of the cards? If that isn't likely, it makes sense to save money.

        I am not even sure this counts as a "crack". Unless the German team release absolutely everything, the basic analysis would have to be repeated by whoever wants to recreate the attack. If you have that much money and expertise, there are probably easier ways into a secure facility than hacking the door locks (eg, bribing/blackmailing someone on the inside).

        • by plover ( 150551 ) * on Monday October 10, 2011 @04:53PM (#37670358) Homepage Journal

          You only have to profile the architecture one time, which this team has already done. Any MIFARE system can now be cracked in 7 hours. Once the POS system's card is analyzed, they'd be able to crack the keys on your particular canteen in 7 hours. And even then, multiple keys is a big problem. If your canteen is operated by some big chain, and that big chain also runs my canteen, what are the chances they have the same keys? I'd bet lots of money on it.

          The core of the security problem is that because an implementation is hard and expensive, it's done infrequently. That means companies want to scale them up to drive down the unit costs of implementing them. Vendor X won't invent a new POS card for each client. Your food service company won't even deploy a separate key for each store.

          Crack once, steal anywhere. It's an implementation issue. And that's why selling cards vulnerable to side channel attacks is a recipe for failure.

          • Dutch public transport implemented a known weak and already hacked Mifare card. They announced just a few weeks ago they will be upgrading to a card system that has a unique key for every card issued. Even if you can hack a single card in 7 hours, fraud will be detected as soon as clones show up or the credit on the card is registered to be inconsistent with what's in the central database. The card will be invalidated and due to the Orwellian Dutch society, there will be camera pictures of the person trying
          • You only have to profile the architecture one time, which this team has already done.

            That's why I said, unless the team release everything, which hopefully they won't do. Cheap RFID cards vulnerable to power analysis? Is this really research worthy of public funding at all?

            • by plover ( 150551 ) *


              That's why I said, unless the team release everything, which hopefully they won't do.

              It's another form of security through obscurity to believe that this team is the only one who is capable of doing DPA, or timing attacks, or RF emission sniffing. These were just the first to announce their break publicly.

              I don't doubt the bad guys can do this already. I chatted with a guy whose firm was offering DPA cracking services last year. Mostly they wanted to do it so you'd know your hardware was weak and theirs was better and so you'd upgrade to their product; but still, these researchers don't

    • by Yvanhoe ( 564877 )
      More precisely, RFID isn't secure against cloning. It has roughly the security of a good mechanical key, except it can't be lockpicked, it needs a cloned key.
  • by gentryx ( 759438 ) * on Monday October 10, 2011 @03:32PM (#37668840) Homepage Journal
    Johannes Schlumberger and others did some hacking on Mifare cards [uni-erlangen.de] here in Germany. The University of Erlangen-Nuremberg uses them for wireless payments in their canteen [uni-erlangen.de] and also for access control to sensitive areas. After notifying the manufacturer they didn't try to fix the problems, but threatened him with legal action -- even though it was a research project. As it says on Schlumberger's homepage [uni-erlangen.de]: "Unfortunately I am not allowed to make my results public"
    • by jonwil ( 467024 )

      Companies who use the legal system to keep news about security holes in their product a secret really make me MAD.

    • by yuhong ( 1378501 )

      From what I can read, this has nothing to do with the MIFARE DESFire, and everything to do with MIFARE Classic which is completely different.

  • NASA and cards (Score:4, Informative)

    by Anonymous Coward on Monday October 10, 2011 @03:35PM (#37668894)

    NASA has recently had two card initiatives. The first was to replace the ancient keycard swipe card system with newer proximity cards, while leaving the badge system alone. The second replaced both the badges and the (circa mid-2000s) prox cards with still newer HSPD-12 compliant smartcards. This sounds like the prox cards. In other words, it is most likely that NASA has already replaced these cards.

    Posting anon for obvious reasons. Speaking for myself rather than my employers.

    • by jclarke ( 16004 )

      the FIPS201 PIV (HSPD12) cards you refer to can be used for contactless authentication in a number of ways:
      1. CHUID (easily duplicated, no authentication required to read from the card)
      2. CAK (PKI validation of the card itself)
      3. PKI (PKI validation of the cert issued to the person, stored on the card)
      4. BIO (on card or off card matching of fingerprints)

      3+4 = awesome stuff. if they can do it. i'd be surprised if they are using this for their doors. it's a ton of equipment, labor, time for end users, money,

  • Take-Two Scenario (Score:5, Informative)

    by Anonymous Coward on Monday October 10, 2011 @03:35PM (#37668906)
    I wrote a paper on the state of RFID security a few years ago. I could write something insightful but I'll just summarise.
    Low Power Requirements, Low Cost or Proper Security, pick two. That's the problem the industry faces and the reason we see flawed designs.
    • How are power requirements a problem?
  • [...] to opening doors in NASA facilities.

    See that? FU HAL. FU and your stupid daisies.



  • From the manufacturer's response [mifare.net]:

    To ensure that customers and partners receive products with the best performance and security NXP constantly improves its MIFARE portfolio with the concept of evolving platforms. While the underlying product hardware is upgraded in terms of its performance and security, we keep next generation products functionally backwards compatible to ensure that the infrastructure can adopt the new product evolution without major upgrades. In this way, our customers can take advantage of the new technology with minimum or no additional investment into their infrastructure. The benefits of this approach become apparent now, allowing our customers to migrate quickly and easily to MIFARE DESFire EV1, introduced in 2008 as the successor of MF3ICD40. The MIFARE DESFire EV1 is Common Criteria EAL 4+ certified and the research group at the Bochum University failed when attacking the card with non-invasive side-channel attacks.

    As planned, NXP will discontinue the MIFARE DESFire MF3ICD40 as of December 31, 2011, and we recommend that our customers and partners migrate to MIFARE DESFire EV1 for existing and new systems.

    This would at least seem to indicate that the customers can just purchase new cards.

  • "Security widget X is working fine so no one is buying new ones".. "How about we say they are a security risk so everyone will upgrade"

  • Side chain attack (Score:5, Informative)

    by pipedwho ( 1174327 ) on Monday October 10, 2011 @04:35PM (#37670066)

    The summary poorly describes the real issue.

    The encryption algorithm used in these cards is Triple DES. The 64 bit block cipher has not been cracked and still maintains approximately 80 equivalent bits of effective security with its 112 bit key.

    However, the crack involves using a side chain attack and card profiling and allows the key to be retrieved within 3 to 7 hours. The attack is complicated, but has always generally suspected to be possible. Until now, no one had demonstrated and shown a detailed method to actually crack this type of card.

    This is less of an immediate issue for security installations, as the systems are probably already backed with secondary verifiers (eg. biometrics, codes, etc) for high security requirements, and the access areas are probably counted in the low double digits. Not to mention that most 'security systems' seem to be composed mostly of security theatre anyway.

    But, some systems using those cards are MUCH harder to retrofit (eg. electronic money/credit equivalents like metro systems, etc) where the infrastructure is highly diverse. And replacement would involve a massive process of card/reader swap outs, most likely with both systems operating in parallel for a time. Those systems also provide the most financial gain and lowest risk for criminal organisations if they can crack the security of the cards.

    • Yeah, but they state in their press release that the cards will be backwards-compatible.
      • Yeah, but they state in their press release that the cards will be backwards-compatible.

        This is true, but if the keys have been compromised then they'll need to re-key the new cards. The old cards will still need to be usable for some period of time until all have been recalled/reimbursed. Keeping in mind that these implementations are symmetric key systems with common master keys, so the new cards will need new keys and the readers will need to handle both cards.

        For systems designed while considering this failure mode, the problem should be correctable by using pre-stored secondary keys in th

  • Here's a link [pcworld.com] to the earlier hack by German reseachers in PCworld , with links to video demonstration and paper of University of Virginia.

    A similar hack on the same chip also in 2008 was published by Dutch researchers from Radboud Univeristy in Nijmgen, in the Netherlands. This case attracted additional attention because the company making the Mifare chip, NXP (formerly Phillips semiconductors), tried to block publication of the hack and was denied this in a Dutch court of law (security guru Schneier on th [schneier.com]

  • by koan ( 80826 )

    Release a security flaw to a 3rd party group then get all your customers to upgrade.

  • This response may sound familiar.

    But note that the MIFARE DESFire EV1 is older than the MIFARE Plus, and even with this crack it is nowhere nearly as bad as the MIFARE Classic designed in *1994*.

    • by yuhong ( 1378501 )

      And that:

      In June 2010 we started to inform our direct customers and eco-system partners that we would discontinue the MF3ICD40 at the end of 2011.

God helps them that themselves. -- Benjamin Franklin, "Poor Richard's Almanac"