
NXP RFID Cracked

kamlapati sends us to EETimes for news that the Chaos Computer Club in Germany and researchers from the University of Virginia have cracked the encryption scheme used in a common RFID chip, NXP's Mifare Classic. According to the article the device is used in many contactless smartcard applications including fare collection, loyalty cards, and access control cards. NXP downplays the significance of the hack, saying that that model of RFID card uses old technology and they do a much better job these days.
  • old news? (Score:2, Informative)

    by Anonymous Coward on Tuesday April 01, 2008 @09:34PM (#22937094)
    Is this the same hack that theregister.co.uk reported over two weeks ago?

    (So no, I didn't RTFA.) The Tube in London and the Boston MBTA subway use Mifare.
  • by kaptink ( 699820 ) on Tuesday April 01, 2008 @09:47PM (#22937144) Homepage
    Yep, it's a bit out of date but still worth a look if you haven't seen it. Free transport FTW! This link has an hour long lecture/display of the processes used: http://www.hackaday.com/2008/01/01/24c3-mifare-crypto1-rfid-completely-broken/ [hackaday.com]
  • by maxume ( 22995 ) on Tuesday April 01, 2008 @09:56PM (#22937178)
    Umm, he posted anonymously. Hence no karma. Not even the religious kind.
  • by prxp ( 1023979 ) on Tuesday April 01, 2008 @10:49PM (#22937388)
    Is this simply lowering the security down to the same level as a barcode but with radio transmission?
    Exactly that, and that's a serious problem. The chips might have been designed for working with small ranges, but you can easily build a reader that overcomes that. Better yet, you can build a reader that works at greater distances and reads tags in bulk. It's kinda like everybody having their bar codes in huge letters stamped on their foreheads, t-shirts, wallets, etc. It's actually worse than that.
  • by moderatorrater ( 1095745 ) on Wednesday April 02, 2008 @12:18AM (#22937734)

    Antenna size (for receiving the card response) and power levels (for energizing the card) are all that matter here, really.
    Let's not forget physics. The amount of power that it takes to energize a card goes up by a power of 3 as you double the range. The same can be said for the signal put out by the RFID card. Building a better antenna for reading the card will decrease the required signal strength linearly. I don't see any reason you couldn't use a directional dish to send and receive the signals for the RFID card, but it's a little harder to hide a satellite dish, and it'll only send in one direction, meaning you can't really do a passive long-distance reader with that method.

    So, increasing the distance isn't as trivial as you seem to imply. Getting it to a few feet is probably doable without attracting a lot of attention, but getting it to more than ten feet doesn't sound plausible at all.
  • by Antique Geekmeister ( 740220 ) on Wednesday April 02, 2008 @03:00AM (#22938274)
    As I understand the technology, building a reader with massively longer range is not a simple task. You start running into signal-to-noise ratios, and signals from multiple local devices, pretty quickly. There have been public demonstrations of RFID technologies that can detect multiple RFID tags inside a single crate successfully, but that doesn't mean they can be detected reliably from the next room.

    It seems to me that the big deal is that, once read or once the algorithms are decoded, they can be easily programmed into another tag. This problem has already been well demonstrated with the tags on US passports. With the tags popular for some kinds of public transit systems, they're begging to be forged.
  • by Antique Geekmeister ( 740220 ) on Wednesday April 02, 2008 @03:04AM (#22938290)
    You have to power the thing from the RFID reader to get a synchronized and readable signal. If you're going to design an RFID reader powerful enough to charge up an RFID tag from hundreds of kilometers, can I get you to run it past the designers of the hadron supercollider to make sure you're not generating micro black holes that will devour the Earth?

    More seriously, if you trigger one RFID tag at that range, you're going to trigger every other tag in the beam of your reader. Sorting out that noise isn't going to work well at dozens of kilometers range, even if the power involved doesn't cook any birds flying overhead.
  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Wednesday April 02, 2008 @03:31AM (#22938368)

    To clarify a few things. First of all this has been known for a few months. The earliest mention I saw was December 29, 2007: MiFare's CRYPTO1 algorithm mostly reverse-engineered [cryptanalysis.eu]. More information, including a slide show, is presented in this January 1, 2008 post: Mifare crypto1 RFID completely broken [hackaday.com]

    Quick background: NXP (Philips) creates a line of smart cards called "Mifare" based on proprietary protocols, including the CRYPTO1 cipher (undocumented, proprietary). There are a lot of Mifare cards deployed, and there is a huge element of security through obscurity, especially if you rely on proprietary protocols such as the CRYPTO1 algorithm.

    This research, as linked above (and posted in this Slashdot article... old news) shows that the CRYPTO1 stream cipher is horribly broken, based on a terribly insufficient random number generator. Besides busting this example of security through obscurity, the target technology is actually deployed in a very wide range of uses. Meaning, this attack has many real world consequences.

  • by MSDev ( 731832 ) on Wednesday April 02, 2008 @07:36AM (#22939104)
    The announcement of a new stronger card format for Mifare cards didn't come as much of a surprise after they announced that Mifare was 'crackable'. However, the demo and explanation of how they cracked it is somewhat dubious. What I mean by this is that the cards have several data size formats, but each card has a number of data sectors with read/write keys. These keys can be the same or they can differ, i.e. one RW pair for each memory block. They've cracked one sector with one RW key, but not all. Thus cloning cards will still be near impossible - yes, I know this is relative in computing terms.
  • Deep doodoo (Score:5, Informative)

    by labnet ( 457441 ) on Wednesday April 02, 2008 @07:37AM (#22939114)
    I've seen a lot of very uninformed comments on 'high gain antennas'.
    MiFare is a 13.56 MHz system (ISM band), that uses H-field coupling (i.e. near-field magnetic coupling) in a loose transformer coupled arrangement.
    The near field attenuates at 1/r^3, and as a rough guide you can read this type of tag to about 1.5 x loop diameter.

    At 13.56 MHz, you can only make the antenna so large before the inductance of the antenna makes it impossible to resonate.
    We in fact have a complex stub tuned antenna of about 1 m diameter, and that was difficult.

    Another problem is that you have to start pumping out so much power, it becomes extremely difficult to see modulation on the carrier above the TX noise.

    Now that said, it sounds like NXP (who have one of the worst web sites on the net) are in deep doodoo.
    The reason is that MIFARE has huge rollouts in transportation systems, especially in Asia, and these cards contain real monetary value.
    System integrators are now going to have to put extra work into either live back to central database checking (which will be hard on mobile platforms like buses), or upgrade systems to the Triple DES encrypted (and more expensive) cards.
  • by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday April 02, 2008 @09:37AM (#22939796) Journal

    Current "smart" credit cards, for example, use active (i.e. battery-powered) tags in the 13.56 MHz (HF) band.

    Cite? I've been working on smart card applications for 10 years, including lots of credit and debit cards, in multiple countries and I have never seen any that were active. All are passive, whether contact or contactless. There is a project in the works in the US that is considering using active tags, but the technology limitations are pretty severe. The battery has to be very small, thin and flexible, yet have enough life to make it unnecessary to recharge frequently. The reason they want a battery is not because they can't implement good security without it, but because they want to embed a fingerprint scanner, keypad and display and make the card usable for simple purposes even when not in the field of a reader.

    It is more difficult to activate passive (i.e. powered wirelessly by the reader's interrogation signal) tags from great distances, but afaik engineers haven't worked out how to perform good encryption with this tiny amount of power, so these tags are not appropriate for security-sensitive applications.

    ALL major contactless smart cards on the market are passive, and many of them support RSA, AES, El Gamal, ECC, etc., on-card and have for years. Using on-chip hardware crypto accelerators they can even perform very intensive operations like on-card private key encryption/signing (much more expensive than public key operations) and on-card public key pair generation -- though the latter takes a few seconds.

    I know the guys who designed the IBM JCOP [ibm.com] card operating system for the Philips SmartX chips (among others), which was purchased by NXP a couple years ago and is their current high-security offering. It definitely offers strong cryptography in both contact and contactless modes and includes various technologies to minimize the effectiveness of side-channel attacks and to make disassembly attacks difficult. It's good security -- and it is definitely passive.

    You did get the frequency right, ISO 14443-compliant [wg8.de] cards do communicate in 13.56 MHz.

    While I'm posting I should point out that this crack of the MIFARE classic proprietary encryption didn't surprise anyone in the industry. We've known for years that it sucked, and I have always steered my clients away from it. The only surprising thing is that it took this long.

  • by mpapet ( 761907 ) on Wednesday April 02, 2008 @10:42AM (#22940332) Homepage
    A couple of very important clarifications to make your claims more accurate.

    1. In the smart card industry, Mifare isn't categorized as a smart card. A smart card typically has an operating system running on it so one can create their own on-card applications. The cards provide RSA crypto functions (low end have AES only) with a strong emphasis on secure storage measured in a few Kbytes. This is different than Mifare.

    2. Mifare can be categorized as a single purpose card. It does a few things quickly, but not securely compared to a smart card. The primary application for MiFare is quick and cheap authentication and possibly value transfer measured in a dollar or two.

    In theory the crack could be used to steal subway rides. How do you go about figuring out which systems are still on this card version??? And how much are you stealing? The bigger crack that's already been done is stealing gas with a dynamic PayPass. With both cracks no one is getting rich and the systems are not as compromised as the summary would have you believe.
