German Researchers Crack Mifare RFID Encryption

jfruhlinger writes "The long-running security battle has seesawed against RFID cards, as German researchers revealed a way to clone one type of card currently used for a variety of purposes, from transit fares to opening doors in NASA facilities." According to the article, "NXP Semiconductors, which owns Mifare, put out an alert to customers warning that the security had been cracked on its MIFARE DESFire (MF3ICD40) smartcard but saying that model would be discontinued by the end of the year and encouraging customers to upgrade to the EV1 version of the card." This response may sound familiar.

RFID cracked? Shocking!

[Baloroth]

But seriously, RFID isn't secure against dedicated attackers. The fact that this vulnerability was known way back when the cards were first made leads me to suspect that they didn't create protection against it then so that they could sell their newer cards now, and save a few bucks at the time. Conveniently, the newer cards are even backwards compatible. Cynical? Maybe, but after recent compromises in the security industry (Sony, DigiNotar), nothing would surprise me. Least of all a company selling a defective-by-design security card to make some extra money.

Re:RFID cracked? Shocking!

[Necroman]

Or they had a working solution and wanted to get something out the door to start making money. If creating a new solution only took a month, that's money in the eyes of business leaders that they would not be making. So they make the decision to sell now, then fix the problem later. Plus, as you said, it leads to upgrades.

With something like the security of RFID cards, I would think that shipping with a possible security hole would be a pretty big deal. But its hard to say why the would make such a decision (or how aware of the possibility of it being cracked).

Re:RFID cracked? Shocking!

[IamTheRealMike]

Or, there's an even simpler explanation: the attack in question is based on side-channel attacks that are not easy to exploit. From TFA:

It takes about seven hours to crack the security on one card and get its 112-bit encryption key, the researchers said. It only works if you've already spent months profiling the card's architecture, behavior and responses.

I think selling cards that aren't resistant to side channel attacks like this is a perfectly reasonable decision. Lots of hardware is vulnerable to this kind of ultra-intensive probing (eg, the Xbox).

Like anything in engineering, these cards boil down to a cost/benefit analysis. If you use these cards in your canteen, how likely are you to go up against a team of people who spend months doing blackbox analysis of the cards? If that isn't likely, it makes sense to save money.

I am not even sure this counts as a "crack". Unless the German team release absolutely everything, the basic analysis would have to be repeated by whoever wants to recreate the attack. If you have that much money and expertise, there are probably easier ways into a secure facility than hacking the door locks (eg, bribing/blackmailing someone on the inside).

Re:RFID cracked? Shocking!

[plover]

You only have to profile the architecture one time, which this team has already done. Any MIFARE system can now be cracked in 7 hours. Once the POS system's card is analyzed, they'd be able to crack the keys on your particular canteen in 7 hours. And even then, multiple keys is a big problem. If your canteen is operated by some big chain, and that big chain also runs my canteen, what are the chances they have the same keys? I'd bet lots of money on it.

The core of the security problem is that because an implementation is hard and expensive, it's done infrequently. That means companies want to scale them up to drive down the unit costs of implementing them. Vendor X won't invent a new POS card for each client. Your food service company won't even deploy a separate key for each store.

Crack once, steal anywhere. It's an implementation issue. And that's why selling cards vulnerable to side channel attacks is a recipe for failure.

Re:RFID cracked? Shocking!

If you have that much money and expertise, there are probably easier ways into a secure facility than hacking the door locks (eg, bribing/blackmailing someone on the inside).

Yeah, like drugging a guy with security clearance and hitting him with a $5 wrench until he tells you how to get in.

Re:RFID cracked? Shocking!

If you use these cards in your canteen, how likely are you to go up against a team of people who spend months doing blackbox analysis of the cards?

If your city council forces these cards on you as "über-secure, uncrackable" (read: pork-barrel) transit cards, electronic wallet, sign-in device *and* the kitchen sink (as in, for example, Prague, Czech Republic), that kind of makes it slightly more valuable. How likely are you to go against...etc? Bloody well likely, IMNSHO.

Re:RFID cracked? Shocking!

[IamTheRealMike]

You only have to profile the architecture one time, which this team has already done.

That's why I said, unless the team release everything, which hopefully they won't do. Cheap RFID cards vulnerable to power analysis? Is this really research worthy of public funding at all?

Re:RFID cracked? Shocking!

[Yvanhoe]

More precisely, RFID isn't secure against cloning. It has roughly the security of a good mechanical key, except it can't be lockpicked, it needs a cloned key.

Re:RFID cracked? Shocking!

[plover]

>

That's why I said, unless the team release everything, which hopefully they won't do.

It's another form of security through obscurity to believe that this team is the only one who is capable of doing DPA, or timing attacks, or RF emission sniffing. These were just the first to announce their break publicly.

I don't doubt the bad guys can do this already. I chatted with a guy whose firm was offering DPA cracking services last year. Mostly they wanted to do it so you'd know your hardware was weak and theirs was better and so you'd upgrade to their product; but still, these researchers don't have an exclusive on these kinds of attacks.

Vulnerabilities known since years, but covered up

[gentryx]

Johannes Schlumberger and others did some hacking on Mifare cards here in Germany. The University of Erlangen-Nuremberg uses them for wireless payments in their canteen and also for access control to sensitive areas. After notifying the manufacturer they didn't try to fix the problems, but threatened him with legal action -- even though it was a research project. As it says on Schlumberger's homepage: "Unfortunately I am not allowed to make my results public"

NASA and cards

NASA has recently had two card initiatives. The first was to replace the ancient keycard swipe card system with newer proximity cards, while leaving the badge system alone. The second replaced both the badges and the (circa mid-2000s) prox cards with still newer HSPD-12 compliant smartcards. This sounds like the prox cards. In other words, it is most likely that NASA has already replaced these cards.

Posting anon for obvious reasons. Speaking for myself rather than my employers.

Re:NASA and cards

[jclarke]

the FIPS201 PIV (HSPD12) cards you refer to can be used for contactless authentication in a number of ways:
1. CHUID (easily duplicated, no authentication required to read from the card)
2. CAK (PKI validation of the card itself)
3. PKI (PKI validation of the cert issued to the person, stored on the card)
4. BIO (on card or off card matching of fingerprints)

3+4 = awesome stuff. if they can do it. i'd be surprised if they are using this for their doors. it's a ton of equipment, labor, time for end users, money, and burden for getting through a door.
1 = horrific, LESS secure than mifare or desfire or prox. i believe someone at Defcon was sniffing and playing these on a wall-of-sheep sort of display in '08 or '09

now. wanna know how most organizations are doing contactless access control with their HSPD-12 cards? they get them manufactured with a mifare or desfire inlay inside, instead of the contactless antenna for the PIV electronics. and they can even go further and have a PIV+Mifare+Prox card or PIV+Desfire+Prox card by putting a oldschool 125khz prox inlay inside as well (different frequencies, so no interference)

to the outsider or layperson it looks like your super-sexy PIV card is doing everything. In reality, it's the same old tech sandwiched in the middle of your PIV card.

not saying this is the case at NASA, i have no knowledge of their PIV deployment. But this is how it's done elsewhere.....

Take-Two Scenario

I wrote a paper on the state of RFID security a few years ago. I could write something insightful but I'll just summarise.
Low Power Requirements, Low Cost or Proper Security, pick two. That's the problem the industry faces and the reason we see flawed designs.

Re:Take-Two Scenario

I dont quite understand the low power goal. Unless the reader is battery powered, which it normally isn't, the consumption should only be limited by how much can be transmitted by the field. If that is true, then what good is a product that "saves power" by settling on an inferior algoritm?

Re:Take-Two Scenario

[Securityemo]

How are power requirements a problem?

Re:Take-Two Scenario

I'd imagine because increased power means more CPU power, which permits better crypto.

Re:Take-Two Scenario

[Securityemo]

I get that part, and that any signal-obfuscating electronics tricks might also draw power but (as the poster above also noted) I'd imagine the vast majority of readers for building access are not battery-driven - so why is it a problem rather than simply a requirement?

Re:Take-Two Scenario

I think the problem is that the card has to do computation and without a battery in the card, doing enough computation for secure crypto is not really possible.

Re:Take-Two Scenario

[swillden]

I think the problem is that the card has to do computation and without a battery in the card, doing enough computation for secure crypto is not really possible.

No, strong cryptography is not only possible but easy with or without a battery. AES is very efficient, and very strong.

The reason a battery is important is because it allows the chip to continuously monitor what's being done to it and to recognize patterns of usage that look like attacks and shut down (or even just slow down). When all power is provided by the attacker, the attacker has vastly increased ability to manipulate the operations of the chip, but cutting power at strategic moments, inducing faults by providing inadequate power, monitoring power consumption to see what can be learned from it, etc.

However, I don't think this news is all that interesting. The industry has known for a long time that Mifare Classic and its derivatives were weak, and DESfire was just a bandaid over an already-shaky system. The band-aid was applied not so that NXP could guarantee a round of planned obsolescence, but because customers demanded something that wouldn't require them to change their systems too much.

Re:Take-Two Scenario

[zippthorne]

If you need to use an oven magnetron to energize the cards, not many people are going to be receptive to using them for access to doors they use every day....

Re:I have the crack!

[codeAlDente]

I'm only reading this because I thought the article was about Milfware. Suddenly I'm less interested. On a related note, good thing there's no -1 "not funny" mod...

Enhanced safety because of it

[houghi]

[...] to opening doors in NASA facilities.

See that? FU HAL. FU and your stupid daisies.

Signed

Dave.

Just new cards, not new readers apparently

[Securityemo]

From the manufacturer's response:

To ensure that customers and partners receive products with the best performance and security NXP constantly improves its MIFARE portfolio with the concept of evolving platforms. While the underlying product hardware is upgraded in terms of its performance and security, we keep next generation products functionally backwards compatible to ensure that the infrastructure can adopt the new product evolution without major upgrades. In this way, our customers can take advantage of the new technology with minimum or no additional investment into their infrastructure. The benefits of this approach become apparent now, allowing our customers to migrate quickly and easily to MIFARE DESFire EV1, introduced in 2008 as the successor of MF3ICD40. The MIFARE DESFire EV1 is Common Criteria EAL 4+ certified and the research group at the Bochum University failed when attacking the card with non-invasive side-channel attacks.

As planned, NXP will discontinue the MIFARE DESFire MF3ICD40 as of December 31, 2011, and we recommend that our customers and partners migrate to MIFARE DESFire EV1 for existing and new systems.

This would at least seem to indicate that the customers can just purchase new cards.

We need more sales

[nurb432]

"Security widget X is working fine so no one is buying new ones".. "How about we say they are a security risk so everyone will upgrade"

Side chain attack

[pipedwho]

The summary poorly describes the real issue.

The encryption algorithm used in these cards is Triple DES. The 64 bit block cipher has not been cracked and still maintains approximately 80 equivalent bits of effective security with its 112 bit key.

However, the crack involves using a side chain attack and card profiling and allows the key to be retrieved within 3 to 7 hours. The attack is complicated, but has always generally suspected to be possible. Until now, no one had demonstrated and shown a detailed method to actually crack this type of card.

This is less of an immediate issue for security installations, as the systems are probably already backed with secondary verifiers (eg. biometrics, codes, etc) for high security requirements, and the access areas are probably counted in the low double digits. Not to mention that most 'security systems' seem to be composed mostly of security theatre anyway.

But, some systems using those cards are MUCH harder to retrofit (eg. electronic money/credit equivalents like metro systems, etc) where the infrastructure is highly diverse. And replacement would involve a massive process of card/reader swap outs, most likely with both systems operating in parallel for a time. Those systems also provide the most financial gain and lowest risk for criminal organisations if they can crack the security of the cards.

Re:Side chain attack

[Securityemo]

Yeah, but they state in their press release that the cards will be backwards-compatible.

Re:Side chain attack

[pipedwho]

Yeah, but they state in their press release that the cards will be backwards-compatible.

This is true, but if the keys have been compromised then they'll need to re-key the new cards. The old cards will still need to be usable for some period of time until all have been recalled/reimbursed. Keeping in mind that these implementations are symmetric key systems with common master keys, so the new cards will need new keys and the readers will need to handle both cards.

For systems designed while considering this failure mode, the problem should be correctable by using pre-stored secondary keys in the reader for all new card issues, and a recall/reissue of all cards over a few months. For systems that didn't consider this, the readers may all need to be physically visited so they can be reloaded with new firmware and master keys.

Interestingly, when consulting for a transport company around 10 years ago, we implemented a system that used the DESFire engine in the card to provide an extra layer of protection on top of existing cryptographic security. So both needed to be compromised to successfully attack the card. This was done by letting the reader perform a set of cryptographic MAC calculations and store the digest signed transactions on the card in the form of a log. To mitigate replay/reset style attacks the system provided transaction checks at the database whenever the readers were synchronised (daily or continuously depending on the installation location), and black-lists that are sent out on the next sync whenever an attack was detected.

Offline nodes with daily (or shift-worker clock on/off) based database synchronisation were limited to small amounts (eg. a bus fare). Nodes that allowed larger amounts (eg. supermarkets) were required to be online to authorise the transaction. This made card duplication a high risk, low gain endeavour.

The sad thing is that 'security' systems are a dime-a-dozen, and many fail in so many areas that a cracked DESFire card is the least of their problems. As any engineer experienced in this area can attest, security implementation is a minefield of potential failure modes.

This has somem history

[TESTNOK]

Here's a link to the earlier hack by German reseachers in PCworld , with links to video demonstration and paper of University of Virginia.

A similar hack on the same chip also in 2008 was published by Dutch researchers from Radboud Univeristy in Nijmgen, in the Netherlands. This case attracted additional attention because the company making the Mifare chip, NXP (formerly Phillips semiconductors), tried to block publication of the hack and was denied this in a Dutch court of law (security guru Schneier on this).

Even more recently, the " improved" system, but still using the same chip on the cards, was targeted by Dutch investigative journalist Brenno de Winter who was cleared from prosecution by a judge as recently as three weeks ago. His research showed that hacking was possible by using a freely available windows program (you-tubevideo of his sadly overly-long presentation at DefCon 16).

Last week it became public that the company responsible for the system, Trans Link Systems ( somewhat uninformative site) has silently been introducing cards using a different chip for two months now. It uses the Infineon SLE-66 chip (producer unknown to me; anyone?), that can have software installed. The software that was installed by TLS is to block any tampering. Dutch news site nu.nl has had such a card for two weeks and was not able to hack it with the currently known methods (their article, Dutch only, I'm afraid). Old cards are still in production until he end of the year for subscriptions (linked to personalized accounts) but the new cards are used for the anonymous day cards. Equipment of public transport personnel has been adapted to reveal hacking attempts.

So, the big question to all the security experts hovering around slashdot: how realistic is the claim that this card will prevent fraud? Let's be realistic and assume that it can eventually be hacked in the lab, but that practical application of this hack is not feasible. The interesting case is a hacking method that would make free transport available on a large scale, as is the case now.Can chip-installed software block such tampering attempts?

Or

[koan]

Release a security flaw to a 3rd party group then get all your customers to upgrade.

Re:Vulnerabilities known since years, but covered

wow. tell more. I work at WiSo.

Correction

Get your facts right. The 2008 attack was against MiFare Classic. The 2011 attack is against MiFare DESFire. These two are most definitely *not* the same chip.

Re:Correction

[TESTNOK]

Ah, I stand corrected. I guess I should have read further than "MiFare." Thanks for guarding the facts.

However, it shows that after the initial hacking, improvements were made (well, they probably would have brought out a newer version anyway, but I'm sure the hack was taken along in the development). Later, that improved chip was hacked (different hack, for not the same chip, as you point out). So, we can expect this new chip being used by TLS to be hacked again. I assume it's better, but so are the hack researchers. Should we expect a hack after a longer time period than before, or sooner?

Myki in Melbourne Australia

http://en.wikipedia.org/wiki/Myki
Love it, you're going down!

Re:I have the crack!

[Jane+Q.+Public]

I wanted to upgrade my own system to Milfware 3.0, but I was told that things are just a little too tight right now.

Clipper Card in Bay Area, Califonira

[ThatsMyNick]

Clipper card (the one accepted by most Bay Area Public Transport services) uses MiFare too. I remember looking up how strong it is, just a few months ago.

Re:Vulnerabilities known since years, but covered

[jonwil]

Companies who use the legal system to keep news about security holes in their product a secret really make me MAD.

Dutch public transport was hit and solved this

[dutchwhizzman]

Dutch public transport implemented a known weak and already hacked Mifare card. They announced just a few weeks ago they will be upgrading to a card system that has a unique key for every card issued. Even if you can hack a single card in 7 hours, fraud will be detected as soon as clones show up or the credit on the card is registered to be inconsistent with what's in the central database. The card will be invalidated and due to the Orwellian Dutch society, there will be camera pictures of the person trying to use it to get onto a platform once it's blocked.

I'm sure someone will find a way around this "limitation" sooner or later, but it appears it's commercially viable to buy cards with unique keys. All that is left now is for someone to find out a method to crack these cards in seconds, or to find out that someone was lazy and used an algorithm rather than randomness to create the keys. Once the amount of fraud and the ease to commit it increases above a threshold, going after the individuals doing it is no longer feasible.

But note that...

[yuhong]

This response may sound familiar.

But note that the MIFARE DESFire EV1 is older than the MIFARE Plus, and even with this crack it is nowhere nearly as bad as the MIFARE Classic designed in *1994*.

Re:But note that...

[yuhong]

And that:

In June 2010 we started to inform our direct customers and eco-system partners that we would discontinue the MF3ICD40 at the end of 2011.

Re:Vulnerabilities known since years, but covered

[yuhong]

From what I can read, this has nothing to do with the MIFARE DESFire, and everything to do with MIFARE Classic which is completely different.

I'll tell you what

Let me know when someone cracks Felica/Suica/EDY. Some people claimed to do it in 2006, but never released any proof or did any demonstration, and of course since then the technology has evolved. Unless Sony is hunting down crackers and shooting them in the head, it either hasn't been cracked or is hacked in veeeryyy secret status by people who don't want anyone else to know.

A link to the paper

[HonestButCurious]

http://www.emsec.rub.de/media/crypto/veroeffentlichungen/2011/10/10/desfire_2011_extended_1.pdf