negz
2008-09-12, 14:08
http://www.youtube.com/watch?v=NW3RGbQTLhE
http://www.ru.nl/ds/research/rfid/
Security Flaw in Mifare Classic
On March 7, 2008, research by the Digital Security group has revealed a security vulnerability in Mifare Classic RFID chips, the most commonly used type of RFID chip worldwide, that affects many applications using Mifare Classic.
We have demonstrated that the proprietary CRYPTO1 encryption algorithm used on these cards allows the (48 bit) cryptographic keys to be relatively easily retrieved. Especially for RFID applications where the same common shared key is used on all RFID cards and card readers, which may be the case for instance in access control to buildings, this constitutes a serious risk.
This attack recovers the secret key from the MIFARE reader. To mount the attack we first need to gather a modest amount of data from a genuine reader. With this data we can compute, off-line, the secret key. Recovering the secret key is as efficient as a look-up operation on a table. Our attack is much more efficient than an exhaustive search over the whole 48 bit key space. We have implemented and executed this attack in practice, and managed to recover the secret key within minutes.
The research will be published in proceedings of the Esorics conference in the beginning of October. NXP has tried to obtain a court injunction against publication. But the judge ruled against NXP on July 18, see the university press release (English and Dutch) and the court ruling (in Dutch only).
The movie below shows a demonstration of the attack on the access control system for our university building.
Two German hackers, Karsten Nohl and Henryk Plötz have also been reverse engineering the CRYPTO1 algorithm. Their presentation at CCC is available online and contributed to our understanding of CRYPTO1.
All this demonstrates, once again, the dangers of relying on 'security by obscurity', keeping the design of a system secret and relying on this to keep the system secure. As all experts in the field agree, a better approach is the Kerckhoffs principle: making the design of a system public so that it can be openly evaluated and scrutinised by experts, and only relying on the secrecy of the cryptographic keys for the security. The principle is named after the Dutch cryptographer Auguste Kerckhoffs, who first published this idea in 1833. Our Computer Security Master track is named after him.
Dutch public transport cards (the 'ov chip card')
Mifare chips are used in the RFID cards for public transport that are being introduced in the Netherlands, the 'ov-chipkaart'. Mifare Classic is used in the subscription ov-cards, but the protocol involved is more complicated than in the building access control system demonstrated above, and we have not been able to demonstrate an attack on this system.
An earlier attack by Roel Verdult, student at the Radboud University, demonstrated the possibility of cloning disposable RFID public transport cards. These disposable cards use the more basic Mifare Ultralight chips rather than the Mifare Classic chips.
In January 2008 the Dutch government commissioned TNO to evaluate the security of the ov-chip card. Unfortunately, this report is not public. (The very short public excerpt, also available in Dutch, only contains one page summary of the main conclusions without the supporting motivation.) This means we cannot judge if the report's conclusions are valid, or if our new research undermines its conclusions. We can only observe that the cost of the hardware required for an attack is much cheaper than the report claims, as we spent a lot less than $9000.
We have started a wiki on the use of RFID for mass public transport, not only to collect information on technical and privacy issues of the existing Dutch system (without the media hype and the associated inaccurate claims), but also to collect ideas about better ways to design such systems, in an open and transparent fashion.
At this stage we have no technical solutions (but we are talking to NXP) to the vulnerabilities that have emerged in Mifare Classic cards for access control. All we can offer is a quick scan service to assess the situation in particular cases.
Press Releases
Our own press release in English and in Dutch.
Erratum: the Hong Kong subway does not use Mifare, as we claimed in our press release.
Statement by the Dutch Minister of internal affairs (in Dutch).
NXP's information for end users of Mifare Classic chips and systems integrators.
Talks
Bart Jacobs, Smart Cards in Public Transport: the Mifare Classic Case, Talk at Grand Opening of Eindhoven Institute for the Protection of Systems and Information EIPSI, Eindhoven, 22/4/08.
Media Coverage (incomplete)
Toegangspas overheidsgebouwen gekraakt (Volkskrant)
Toegangspas overheidsgebouwen gekraakt (nu.nl)
Security card chip can be hacked (Associated Press)
Beveiliging ministeries in gevaar na nieuwe chipkraak (Trouw)
Toegangspasjes gekraakt (Gelderlander)
Universiteit kraakt toegangspassen ministeries (Elsevier)
Techniek goed, klant fout (AD)
Chip overheidsgebouwen gekraakt (RTL Nieuws)
Chip toegangspassen overheid gekraakt (RTL Nieuws)
RFID-Hack Hits 1 Billion Digital Access Cards Worldwide (PCWorld)
Miljoenen toegangspassen fraudegevoelig (NOS)
Security Card Chip Can Be Hacked (New York Times)
Ook Nijmeegse universiteit kraakt Mifare (Bits&Chips)
Waar gaan we naartoe? (NRC)
Mifare-chips eenvoudig volledig te kraken (Tweakers)
London Tube Smartcard Cracked (Bruce Schneier's Blog)
RFID Cards Hacked (Technology News Daily)
So long Mifare RFID system (HR Geeks)
De kick van de graal (ScienceGuide)
Oyster card cloning fears (This is London)
AIVD beziet extra beveiliging toegangspasjes (nu.nl)
Schwächen des RFID-Systems Mifare Classic bestätigt