Government Technology

Popular Smart Card Can Be Hacked, Researchers Show



May 20, 2009 By

University researchers have discovered vulnerabilities in NXP's MIFARE Classic card, which belongs to a family of smart cards with more than 1 billion units distributed worldwide. These smart cards are used to access buildings and public transportation systems. One example is the Oyster card, which Londoners use for citywide travel.

Researchers from Radboud University in the Netherlands received the Best Practical Paper Award at the IEEE Symposium on Security and Privacy on Monday for their work demonstrating how to pickpocket the card wirelessly.

The team also filmed a video demonstration in 2008 of how to compromise the card, which is posted on YouTube and university Web pages. A cyber-criminal can use an off-the-shelf reader to make requests of the card, and while the card determines if the reader is legitimate, it reveals enough information for the hacker to decrypt information that's supposed to be secure. Then the information can be cloned for duplicate cards.

"This is exactly the type of research that I'm glad to see the security and privacy research community doing," said Tadayoshi Kohno, an assistant professor of computer science at the University of Washington. He said he isn't surprised that the Netherlands researchers' paper won an award. "There's a lot of value in doing research and uncovering vulnerabilities in important and deployed systems," he said.

The MIFARE Classic card has been scrutinized more than once. In 2007, Karsten Nohl, then a graduate student at the University of Virginia, reverse-engineered the card with colleagues to uncover vulnerabilities.

According to Nohl, security wasn't the primary concern for the designers of that smart card technology.

"The security part was designed by the people that also designed the radio and every other part of the chip, so there was no security expert involved," said Nohl, who now works as a security researcher in Berlin. "What we found, you could call it a cryptographic weakness, so the cryptography in that chip wasn't done because no cryptographer was involved in making it."

The problem with the MIFARE Classic, in his estimation, was that NXP used its own proprietary cryptography information that didn't fall in line with mainstream cryptography standards from leaders like the National Security Agency, which are tougher to crack.

Newer Smart Card Technology Available

However, some don't think NXP has much to worry about.

"The smart card industry is way ahead of the curve, and they have a new product available right now that is not only secure, but it fully defeats the attack that was done by these researchers," said Steve Howard, vice president of operations at CertiPath, a company focused on establishing digital certificate credentials.

The MIFARE family of cards was first introduced in 1995 and successive versions and iterations have been marketed over the years. Howard, who was also a contributing author to the Federal Information Processing Standards (FIPS) 201 that the federal government established for personal identity verification, said that NXP has a newer version of its MIFARE ready to go. It's up to using agencies to decide how fast they want to migrate away from the older card to a newer one.

"MIFARE classic is like running on Windows 95, and we already have Windows Vista available. When are you going to upgrade? What's your migration strategy to upgrade to the new system?" he said.

According to the MIT Technology Review, NXP sued Radboud University in 2008 in an attempt to stop researchers from publishing their findings about MIFARE vulnerabilities. The company failed in that endeavor and is now working with researchers to make the MIFARE Plus, the Classic's successor, more secure.

Calls and e-mails to NXP on Tuesday were not returned.

 


| More

Comments

Add Your Comment

You are solely responsible for the content of your comments. We reserve the right to remove comments that are considered profane, vulgar, obscene, factually inaccurate, off-topic, or considered a personal attack.

In Our Library

White Papers | Exclusives Reports | Webinar Archives | Best Practices and Case Studies
Cybersecurity in an "All-IP World" Are You Prepared?
In a recent survey conducted by Public CIO, over 125 respondents shared how they protect their environments from cyber threats and the challenges they see in an all-IP world. Read how your cybersecurity strategies and attitudes compare with your peers.
Maintain Your IT Budget with Consistent Compliance Practices
Between the demands of meeting federal IT compliance mandates, increasing cybersecurity threats, and ever-shrinking budgets, it’s not uncommon for routine maintenance tasks to slip among state and local government IT departments. If it’s been months, or even only days, since you have maintained your systems, your agency may not be prepared for a compliance audit—and that could have severe financial consequences. Regardless of your mission, consistent systems keep your data secure, your age
Best Practice Guide for Cloud and As-A-Service Procurements
While technology service options for government continue to evolve, procurement processes and policies have remained firmly rooted in practices that are no longer effective. This guide, built upon the collaborative work of state and local government and industry executives, outlines and explains the changes needed for more flexible and agile procurement processes.
View All

Featured Papers