Hacking access control cards
A hacker from the U.S. has reportedly broken the security on NXP Semiconductor’s Mifare-classic proximity card chip.
According to an article in The Daily Progress, a U.Va. grad student named Karsten Nohl figured out how to break the security code on a smart card chip made by NXP Semiconductors. Despite claims in The Daily Progress’ article, NXP Semiconductors responded in an article for SC Magazine that the chips were not used for credit cards, car keys and other tools. In fact, the smart card chips (which are Mifare Classic chips, a technology trademarked by NXP - which was a former division of Philips Semiconductors) are mainly used in facility door access control and inexpensive toll booth and transportation user applications.
Nohl, who reported the hack in late December at the Chaos Communication Congress hacker convention (as reported on the HackADay website), apparently succeeded in breaking one of the simplest Mifare designs. In fact, NXP offers more secure technologies than Mifare Classic, including the DESfire chip which uses triple-DES to create a more secure Mifare option. Still, I suppose the hack could shake some confidence in physical access control card systems. I’m not sure yet what the overall effect may be; we’ve had reports of spoofed and hacked prox cards in the past, but in reality, this Mifare chip isn’t a true “smart card”. That, I think, would be more significant for our industry… One of the previous “hacks” on cards was a “sniffer” that could supposedly read simple RF prox cards without the cardholder knowing about it. In fact, those “sniffs” have spurred new products designed to enclose prox cards to keep them from being read unintentionally.

If you want to see the video of Nohl’s presentation on hacking Mifare, you can watch it on Google’s video site.
-Geoff
As I noted in my blog post above, some media reports misrepresented this hack as affecting payment cards (credit cards, debit cards that use smart chips). The Smart Card Alliance also picked up on that error (maybe they read it here on The Security Check) and the association released the following statement defending smart cards. As the SCA notes, it’s all about appropriate and layered security. Here’s the SCA’s retort to the error that was reported in some news articles:
“The stories inaccurately linked security questions raised by a University of Virginia graduate student about an RF-enabled chip used primarily in transit applications with the contactless smart card technology used in financial payment cards. The RF-enabled chip used in the U.Va. research is not the same product used in contactless credit/debit cards and electronic passports. … The research, presented at a hacker’s conference in Germany, involved one dimension of security in one specific product. Like many types of computer chips, a broad range of RF-enabled and contactless smart card chips are available, and individual system operators choose the right overall balance of features, including security, when they design a fare collection system. The transportation industry and its technology partners have decades of experience and know-how to design fare payment systems that balance cost effectiveness and security. Industry best practices for any type of smart card system involve many layers of security, avoiding dependency on any single element. There are typically multiple countermeasures starting at the chip and card and going beyond it to the reader and system level.”
The SCA’s point: Don’t expect the same level of security on a smart card chip used for a $1-2 public transportation pass as you’d get on the debit card that links to your life’s savings. Well said, SCA, and it’s good that this has been addressed to the national media.