Nohl and his team initiated the project to test the security used on the Classic chip because the researchers believed the cryptography was weak—but just how weak the cryptography turned out to be a surprise, he said. Nohl added that in reaction to the successful break of the Classic chip's cryptography, a Dutch transit organization has delayed its plans to issue transit cards with the chip as part of a new $3 billion national transit fare system for its subways and buses.
The second team of researchers to illustrate that the Classic chip can be cloned is from
Radboud University in Nijmegen, the Netherlands. This group released a
video demonstration in which a key card containing a Mifare chip was repeatedly cloned. This video shows an unauthorized party using the cloned chip to grant access to a building. The Associated Press reported that in reaction to the researcher's findings, Guusje ter Horst, the Dutch interior affairs minister, wrote a letter to the country's parliament stating she was preparing supplemental security measures for some government buildings. In addition, according to a
Computerworld news article, data-security analyst Ken van Wyk, principal at
KRvW Associates, says one European country, which he would not identify, has dispatched security guards to provide supplemental security at some of its government facilities that use access control cards containing the MiFare Classic chip.
NXP issued a statement on March 6 to address initial news reports of the successful hacks. In it, the company said it had begun discussions with the researchers and was working to determine countermeasures that implementers of access or fare systems that use the Classic chip could take to stem the likelihood of abuse of the chip's security. The statement also noted that the Mifare Classic chip is not used in RFID tags incorporated in e-passports or banking cards.
The company made a second statement on March 12, in which it referenced ter Horst's letter and confirmed that in addition to its adoption in transit applications, the Class chip is also used in a "considerable number" of access-control applications. (The Classic chip, ter Horst said, is used in 2 million access passes for Dutch buildings—some of them government offices.)
On its
Mifare.net Web site, NXP posted open letters to both
end users of the chips (such as transit or building security operators) and the
systems integrators who install fare-collection or access-control systems. In the letters, the company called on end users and systems integrators to work together in determining how users might add additional security measures to their back-end systems to thwart attacks.
NXP also noted, in the letters, that it is not in the business of dictating or directing the security measures end users may build around its products: "NXP's expertise is the design and manufacturing of chips," the company indicated. "We do not design end-to-end security systems, as this is typically the responsibility of the system integrator."
THE WORLD'S RFID AUTHORITY
PREMIUM = Requires Subscription. Learn More
