Government Technology

Popular Smart Card Can Be Hacked, Researchers Show



May 20, 2009 By

University researchers have discovered vulnerabilities in NXP's MIFARE Classic card, which belongs to a family of smart cards with more than 1 billion units distributed worldwide. These smart cards are used to access buildings and public transportation systems. One example is the Oyster card, which Londoners use for citywide travel.

Researchers from Radboud University in the Netherlands received the Best Practical Paper Award at the IEEE Symposium on Security and Privacy on Monday for their work demonstrating how to pickpocket the card wirelessly.

The team also filmed a video demonstration in 2008 of how to compromise the card, which is posted on YouTube and university Web pages. A cyber-criminal can use an off-the-shelf reader to make requests of the card, and while the card determines if the reader is legitimate, it reveals enough information for the hacker to decrypt information that's supposed to be secure. Then the information can be cloned for duplicate cards.

"This is exactly the type of research that I'm glad to see the security and privacy research community doing," said Tadayoshi Kohno, an assistant professor of computer science at the University of Washington. He said he isn't surprised that the Netherlands researchers' paper won an award. "There's a lot of value in doing research and uncovering vulnerabilities in important and deployed systems," he said.

The MIFARE Classic card has been scrutinized more than once. In 2007, Karsten Nohl, then a graduate student at the University of Virginia, reverse-engineered the card with colleagues to uncover vulnerabilities.

According to Nohl, security wasn't the primary concern for the designers of that smart card technology.

"The security part was designed by the people that also designed the radio and every other part of the chip, so there was no security expert involved," said Nohl, who now works as a security researcher in Berlin. "What we found, you could call it a cryptographic weakness, so the cryptography in that chip wasn't done because no cryptographer was involved in making it."

The problem with the MIFARE Classic, in his estimation, was that NXP used its own proprietary cryptography information that didn't fall in line with mainstream cryptography standards from leaders like the National Security Agency, which are tougher to crack.

Newer Smart Card Technology Available

However, some don't think NXP has much to worry about.

"The smart card industry is way ahead of the curve, and they have a new product available right now that is not only secure, but it fully defeats the attack that was done by these researchers," said Steve Howard, vice president of operations at CertiPath, a company focused on establishing digital certificate credentials.

The MIFARE family of cards was first introduced in 1995 and successive versions and iterations have been marketed over the years. Howard, who was also a contributing author to the Federal Information Processing Standards (FIPS) 201 that the federal government established for personal identity verification, said that NXP has a newer version of its MIFARE ready to go. It's up to using agencies to decide how fast they want to migrate away from the older card to a newer one.

"MIFARE classic is like running on Windows 95, and we already have Windows Vista available. When are you going to upgrade? What's your migration strategy to upgrade to the new system?" he said.

According to the MIT Technology Review, NXP sued Radboud University in 2008 in an attempt to stop researchers from publishing their findings about MIFARE vulnerabilities. The company failed in that endeavor and is now working with researchers to make the MIFARE Plus, the Classic's successor, more secure.

Calls and e-mails to NXP on Tuesday were not returned.

 


| More

Comments

Add Your Comment

You are solely responsible for the content of your comments. We reserve the right to remove comments that are considered profane, vulgar, obscene, factually inaccurate, off-topic, or considered a personal attack.

In Our Library

White Papers | Exclusives Reports | Webinar Archives | Best Practices and Case Studies
Fresh Ideas In Online Security for Public Safety Organizations
Lesley Carhart, Senior Information Security Specialist at Motorola Solutions, knows that online and computer security are more challenging than ever. Personal smartphones, removable devices like USB storage drives, and social media have a significant impact on security. In “Fresh Ideas in Online Security for Public Safely Organizations,” Lesley provides recommendations to improve your online security against threats from social networks, removable devices, weak passwords and digital photos.
Meeting Constituents Where They Are With Dynamic, Real-Time Mobile Engagement
Leveraging the proven and open Kofax Mobile Capture Platform, organizations can rapidly integrate powerful mobile engagement solutions across the spectrum of mobile image capture, mobile data capture and complete mobile process integration. Kofax differentiates itself by extending capture to mobility, supporting multiple points of constituent engagement. Kofax solutions dynamically orchestrate the user’s mobile experience from a single platform—reducing time to market, improving process perf
Public Safety 2019
Motorola conducted an industry survey on the latest trends in public safety communications. The results provide an outlook of what technology is in store for your agency in the next five years. Download the results to gain this valuable insight.
View All

Featured Papers