Slashdot Mirror


NXP RFID Cracked

kamlapati sends us to EETimes for news that the Chaos Computer Club in Germany and researchers from the University of Virginia have cracked the encryption scheme used in a common RFID chip, NXP's Mifare Classic. According to the article, the device is used in many contactless smartcard applications including fare collection, loyalty cards, and access control cards. NXP downplays the significance of the hack, saying that that model of RFID card uses old technology and they do a much better job these days.

14 of 111 comments

  1. Security implications? by Anonymous Coward · · Score: 4, Interesting

    What sort of security implications would this hack cause?
    Is this simply lowering the security down to the same level as a barcode but with radio transmission?

    1. Re:Security implications? by maxume · · Score: 4, Informative

      Umm, he posted anonymously. Hence no karma. Not even the religious kind.

      --
      Nerd rage is the funniest rage.
    2. Re:Security implications? by Antique+Geekmeister · · Score: 4, Informative

      As I understand the technology, building a reader with massively longer range is not a simple task. You start running into signal-to-noise ratios, and signals from multiple local devices, pretty quickly. There have been public demonstrations of RFID technologies that can detect multiple RFID tags inside a single crate successfully, but that doesn't mean they can be detected reliably from the next room.

      It seems to me that the big deal is that, once read or once the algorithms are decoded, they can be easily programmed into another tag. This problem has already been well demonstrated with the tags on US passports. With the tags popular for some kinds of public transit systems, they're begging to be forged.

    3. Re:Security implications? by bigberk · · Score: 4, Insightful

      Implications: The Philips/NXP proprietary CRYPTO1 stream cipher is broken. This means that any card which relies on this algorithm to encrypt data being transmitted, can have that encrypted data compromised. It appears that the keys can also be compromised, so the whole card can be "cloned". This compromises the essence of the smart card, which is not supposed to be reproducible because private keys are supposed to remain secret. If the card in question was an access card to a corporation's secure facilities (and Mifare is very much used for such things) then these access cards can now easily be copied, cloned.

      I don't think that CRYPTO1 use is limited to contactless (RFID) cards. Presumably, any smart card (whether wireless or not) that uses CRYPTO1 to protect data is now compromised.

      It's tough to pinpoint the security implications because it depends on what cards out there in the world (and there are a TON of Mifare cards in use!) ... and where CRYPTO1 is being used to protect sensitive data.

      The fun, for the years ahead, will be in discovering where these implementations exist in the real world. In the software world we know that people are slow enough updating compromised software. Well this is HARDWARE we're talking about, with millions (or more?) deployed vulnerable smart cards, in a variety of potentially vulnerable settings.

  2. Frustrating, but not really... by PC+and+Sony+Fanboy · · Score: 4, Funny

    Since RFID needs close proximity to be read, I'm TOO concerned.

    It'd be pretty noticeable if someone had a high powered RFID antenna/reader - if they were trying to move it.

    But, since it would be easy to install a modified high power RFID reader in a convenience store stand, near a window or in a mailbox on a street corner, this could become a problem.

    I guess it means that I'll be wearing tinfoil pants as well as a hat, to keep THEM from reading my mind, and my credit card. And password. And the chip in my dog.

    1. Re:Frustrating, but not really... by wronskyMan · · Score: 4, Funny

      I guess it means that I'll be wearing tinfoil pants as well as a hat, to keep THEM from reading my mind, and my credit card. And password. And the chip in my dog.

      Must be a pretty small dog or pretty large pants...

      --
      --- You shall know the truth, and the truth shall make you mad- Neal (not Cowboy) Boortz
    2. Re:Frustrating, but not really... by click2005 · · Score: 5, Insightful

      Don't worry, NXP sells a new improved RFID chip with better encryption. I'm sure they'll make lots more money as a result of this as all these places using the older chips rush to upgrade.

      I guess making the encryption barely good enough is a nice way to ensure you get future orders. Their customers can upgrade for a moderate fee or spend a hell of a lot more to go elsewhere.

      --
      I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
  3. Yeah, but... by hyades1 · · Score: 4, Insightful

    I don't doubt for a minute that NXP does a much better job on security these days. But based on past performance, you can bet a lot of the old ones are still floating around, and will be for a long, long time to come.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  4. Re:Transit passes... by theheadlessrabbit · · Score: 5, Interesting

    I'm sure it will be possible to change/hack a farecard soon enough. There are millions of people who use the cards every day, and many of them are nerds/cheap-asses. It's only a matter of time.

    A few years ago, my roommate and I built a credit card reader/copier for under $10.
    We copied a few metro passes (magnetic strip, no RFID) just to see if it would work, and we learned that it does, but you can't pass the 'same' card through the system 2 times in a row. My friend got the embarrassing warning buzzer, and he was the one with the legitimate pass!
    They accused us of doing a passback. We just played dumb.
    "No we didn't! I made a copy of his card! It's right here! Try it! See! There was no passback!" is a very bad defence.

    We only used it once, just to see if it would work, then destroyed it.
    My advice is: you should be very careful with this kind of stuff. Not only unethical and wrong, it is also illegal.

    --
    -I only code in BASIC.-
  5. This is why RFID is bad by Bman21212 · · Score: 4, Insightful

    This is why RFID is bad. It gets hacked, the banks and credit card companies ignore it and claim it is secure. Wait a week or two and repeat.
    Sure it MIGHT be slightly more convenient, but I would rather take the 3 seconds to swipe the card and not have to deal with fraud and identity theft which will take up more time.
    RFID is a terrible concept, but at the very least they should make cards with an off switch.

  6. Re:Possible to duplicate RFID cards? by langelgjm · · Score: 4, Interesting

    I would love to copy the RFID element onto a keyfob like I have for the office, so I can just dig out my keychain - easy to find, easy to retrieve from a pocket - instead of a big flat card. Is this a service anyone offers, or is it something I can do on my own with the right equipment (preferably $50 of course)?

    It depends on the card technology. Most stuff these days (transit passes, etc.) seem to be using 13.56 MHz equipment, but some low-security access applications still use the old 125 kHz technology. I don't really know anything about 13.56 MHz equipment. As for 125 kHz stuff, it's trivial to read the data from the card, and there are a lot of RFID kits out there that will let you write data to cards. I am specifically looking at this kit for writing to 125 kHz cards.

    First thing you'd need to do is to find out what kind of reader it is - get the brand name, go to the website, and find the model that looks like your reader. Check the datasheet to find out what kind of cards it reads, etc. That'll get you started. All that said, it'll probably be a lot simpler (and for one or two cards, cheaper) just to buy them :-)

    --
    "Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
  7. Behold -- science. by jesdynf · · Score: 4, Funny

    That's right. Science. We have reached the point where we might have to send a technician out to do a firmware update on *a crate of soup*.

    "Oh, no, sonny. That there pallet's running v1.47a -- the cyberinjuns cracked that dekacycles ago. Hardly know what's in there now. Could be tomato, could be chicken noodle. Send that back on the factory. We'll get you some nice v1.49 soup out here. Won't be half a cycle."

    --
    Yahoo! Pipes are awesome. How awesome? http://pipes.yahoo.com/jesdynf/slashdot
  8. They broke Philips/NXP CRYPTO1 by bigberk · · Score: 4, Informative

    To clarify a few things. First of all this has been known for a few months. The earliest mention I saw was December 29, 2007: MiFare's CRYPTO1 algorithm mostly reverse-engineered. More information, including a slide show, is presented in this January 1, 2008 post: Mifare crypto1 RFID completely broken

    Quick background: NXP (Philips) creates a line of smart cards called "Mifare" based on proprietary protocols, including the CRYPTO1 cipher (undocumented, proprietary). There are a lot of Mifare cards deployed, and there is a huge element of security through obscurity, especially if you rely on proprietary protocols such as the CRYPTO1 algorithm.

    This research, as linked above (and posted in this slashdot article... old news), shows that the CRYPTO1 stream cipher is horribly broken, based on a terribly insufficient random number generator. Besides busting this example of security through obscurity, the target technology is actually deployed in a very wide range of uses. Meaning, this attack has many real world consequences.

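bigberk's point above is that a stream cipher is only as good as the randomness feeding its per-session nonces. The following is an added example, not code from the thread, from NXP, or an implementation of CRYPTO1: a toy stream cipher built from SHAKE-256, fed by a constructed 16-bit nonce space standing in for "a terribly insufficient random number generator". It shows how quickly nonces collide in such a space, that two messages under one (key, nonce) pair leak the XOR of their plaintexts, and a reader-side monitor a defender could use to flag a repeated nonce. All keys, card IDs and message contents are constructed sample values.

```python
"""Added educational example: why a small nonce space breaks a stream cipher.
The cipher is a toy (SHAKE-256 keystream); the 16-bit nonce is a constructed
stand-in for a weak generator and is NOT the real Mifare Classic PRNG."""
import hashlib
import random
from typing import Dict, Optional, Set


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: derive `length` keystream bytes from (key, nonce)."""
    return hashlib.shake_256(key + nonce).digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption is plaintext XOR keystream; decryption is the same call."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def sessions_until_nonce_repeat(nonce_bits: int, max_sessions: int,
                                seed: int = 1) -> Optional[int]:
    """Simulate a card that draws a fresh nonce per session from a 2**nonce_bits
    space. Return the session index at which a nonce first repeats, or None if
    no repeat occurs within max_sessions. A 16-bit space repeats after a few
    hundred sessions on average (birthday bound) and must repeat by 65537."""
    rng = random.Random(seed)            # seeded so the simulation is reproducible
    seen: Set[int] = set()
    for i in range(max_sessions):
        nonce = rng.getrandbits(nonce_bits)
        if nonce in seen:
            return i
        seen.add(nonce)
    return None


def keystream_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two messages under the same (key, nonce): XOR of the two ciphertexts equals
    XOR of the two plaintexts, because the identical keystream cancels out.
    Anyone observing the two transmissions learns that relation without the key."""
    return xor_bytes(encrypt(key, nonce, p1), encrypt(key, nonce, p2))


class NonceReuseMonitor:
    """Reader-side check a defender can add: track nonces per card and flag a
    session whose nonce this card has already used. Assumed/hypothetical design,
    not a feature of any real reader."""

    def __init__(self) -> None:
        self.seen: Dict[str, Set[int]] = {}

    def observe(self, card_id: str, nonce: int) -> bool:
        """Return True if the nonce is fresh for this card, False if it repeats."""
        card_nonces = self.seen.setdefault(card_id, set())
        if nonce in card_nonces:
            return False
        card_nonces.add(nonce)
        return True


if __name__ == "__main__":
    key = b"constructed-sample-key"
    nonce = (0xBEEF).to_bytes(2, "big")         # constructed 16-bit nonce
    p1, p2 = b"balance=1000", b"balance=0250"
    print("16-bit nonce space repeats at session:",
          sessions_until_nonce_repeat(16, 100_000))
    print("96-bit nonce space repeat within 20000 sessions:",
          sessions_until_nonce_repeat(96, 20_000))
    print("c1 XOR c2 == p1 XOR p2:",
          keystream_reuse_leak(key, nonce, p1, p2) == xor_bytes(p1, p2))
    mon = NonceReuseMonitor()
    print("first use fresh:", mon.observe("card-01", 0xBEEF),
          "second use fresh:", mon.observe("card-01", 0xBEEF))
```

The monitor only helps when the reader can keep per-card state, which is exactly what a tiny nonce space forces on the back end; the real fix is a generator whose nonce space is large enough that repeats never happen in the card's lifetime.
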
  9. Deep doodoo by labnet · · Score: 4, Informative

    I've seen a lot of very uninformed comments on 'high gain antennas'.
    MiFare is a 13.56 MHz system (ISM band) that uses H-field coupling (i.e. near-field magnetic coupling) in a loose transformer-coupled arrangement.
    The near field attenuates at 1/r^3, and as a rough guide you can read this type of tag to about 1.5 x loop diameter.

    At 13.56 MHz, you can only make the antenna so large before the inductance of the antenna makes it impossible to resonate.
    We in fact have a complex stub tuned antenna of about 1m diam, and that was difficult.

    Another problem is you have to start pumping out so much power, it becomes extremely difficult to see modulation on the carrier above the TX noise.

    Now that said, it sounds like NXP (who have one of the worst web sites on the net) are in deep doodoo.
    The reason is that MIFARE has huge rollouts in transportation systems, especially in Asia, and these cards contain real monetary value.
    System integrators are now going to have to put extra work into either live back-to-central-database checking (which will be hard on mobile platforms like buses), or upgrade systems to the Triple DES encrypted (and more expensive) cards.

    --
    46137
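
labnet's post above names the fallback integrators are left with when the card can no longer be trusted: live checking against a central database. theheadlessrabbit's story earlier in the thread shows one such check in action, the anti-passback buzzer that rejected a card passed through twice in a row. The following is an added example, not code from the thread or from any transit operator: a small back-end validator that keeps its own ledger per card and rejects a tap when the on-card balance disagrees with the ledger (the signature of a stale copy) or when the same card hits the same gate again within a short window. Card IDs, balances, gate names, timestamps and the 60-second window are all constructed sample values.

```python
"""Added example: server-side checks for a stored-value card system whose cards
cannot be trusted. Constructed sample data throughout; hypothetical design."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CardRecord:
    balance: int                      # cents; the value the back end believes the card holds
    last_tap_ts: Optional[int] = None  # when and where the ledger last saw this card
    last_gate: Optional[str] = None
    flagged: bool = False             # set once a tap looked like a copy


@dataclass
class Tap:
    card_id: str
    gate: str
    ts: int            # seconds (constructed clock)
    card_balance: int  # balance the card itself reports: untrusted input
    fare: int


class CentralValidator:
    """Validates every tap against a central ledger instead of trusting the card."""

    PASSBACK_WINDOW = 60  # seconds; constructed value for the example

    def __init__(self, ledger: Dict[str, int]) -> None:
        self.records = {cid: CardRecord(balance=bal) for cid, bal in ledger.items()}
        self.alerts: List[str] = []

    def validate(self, tap: Tap) -> bool:
        """Return True to open the gate, False to deny; record alerts for review."""
        rec = self.records.get(tap.card_id)
        if rec is None:
            self.alerts.append(f"{tap.card_id}: unknown card at {tap.gate}")
            return False
        if rec.flagged:
            self.alerts.append(f"{tap.card_id}: previously flagged, denied at {tap.gate}")
            return False
        # Check 1: balance reconciliation. A copy made before the last ride still
        # carries the old balance, so it disagrees with the ledger.
        if tap.card_balance != rec.balance:
            rec.flagged = True
            self.alerts.append(
                f"{tap.card_id}: on-card balance {tap.card_balance} != ledger "
                f"{rec.balance} at {tap.gate} (possible copy)")
            return False
        # Check 2: anti-passback. Same card, same gate, within the window.
        if (rec.last_tap_ts is not None and rec.last_gate == tap.gate
                and tap.ts - rec.last_tap_ts < self.PASSBACK_WINDOW):
            self.alerts.append(
                f"{tap.card_id}: passback at {tap.gate}, {tap.ts - rec.last_tap_ts}s "
                f"after previous tap")
            return False
        if rec.balance < tap.fare:
            return False  # ordinary insufficient-funds denial, not a fraud signal
        # The ledger, not the card, is the source of truth for the new balance.
        rec.balance -= tap.fare
        rec.last_tap_ts, rec.last_gate = tap.ts, tap.gate
        return True


def run_sample() -> Tuple[List[bool], List[str], Dict[str, CardRecord]]:
    """Replay four constructed taps and return decisions, alerts and ledger state."""
    validator = CentralValidator({"C1": 1000, "C2": 500})
    taps = [
        Tap("C1", "gate-A", 100, 1000, 250),  # genuine card, first ride
        Tap("C1", "gate-B", 130, 1000, 250),  # copy still carrying the pre-ride balance
        Tap("C2", "gate-A", 200, 500, 250),   # genuine card
        Tap("C2", "gate-A", 220, 250, 250),   # same card, same gate, 20 s later
    ]
    decisions = [validator.validate(t) for t in taps]
    return decisions, validator.alerts, validator.records


if __name__ == "__main__":
    decisions, alerts, records = run_sample()
    print("decisions:", decisions)
    for line in alerts:
        print("ALERT", line)
    print("ledger:", {cid: (r.balance, r.flagged) for cid, r in records.items()})
```

The ledger check catches a copy only after the genuine card has been used once, which is why labnet expects the online option to be painful on buses: every gate needs a live link, or a store-and-forward queue that accepts some window of exposure.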