Mar 14, 2008This article was originally published by RFID Update.
March 14, 2008—In what has become a twice-annual event, this week saw yet another very public assertion of vulnerability in the security of RFID. Specifically, the Dutch government issued a warning that MIFARE Classic RFID chips from NXP can be hacked relatively easily. MIFARE is a family of chips that are used in contactless public transport tickets in cities like London, Hong Kong, and Boston, as well as building access cards. There are an estimated one billion MIFARE chip-equipped cards in worldwide circulation.
The vulnerability essentially allows a hacker to clone contactless cards based on the MIFARE Classic. Two separate research teams contributed to the discovery, according to PC World: German researchers at the University of Virginia published a paper about cracking the chip's cryptographic algorithm, then a Dutch team from Radboud University actually executed the hack. The Dutch team has posted a web page chronicling the project, complete with a video clip that dramatizes a hacker team cloning an unwitting professor's ID card.
This RFID exploit seems more ominous than others, which were theoretical and sensationalized (see New RFID Passport Scare -- Does it Matter? and The Industry Reacts to RFID Virus Research). The fact that the Dutch government has publicly addressed the vulnerability is a testament to how seriously it is being taken. A further testament is NXP's release of the MIFARE Plus just days ago, a new chip product which "offers easy upgrades from MIFARE Classic" and "has been designed from the ground up to address the security and privacy needs of the 21st century." While NXP did not officially concede the viability of the hacks, its prompt product upgrade release appears to be a tacit acknowledgement of the MIFARE Classic's shortcomings.
The cause for alarm is twofold: that the hack is relatively easy and cheap, and how widely deployed around the world the MIFARE Classic is. According to the Radboud University team: "This type of card is used for the Dutch 'OV-chipkaart' [the RFID card for public transport throughout the Netherlands] and public transport systems in other countries (for instance the subway in London and Hong Kong). MIFARE cards are also widely used as company cards to control access to buildings and facilities. All this means that the flaw has a broad impact. Because some cards can be cloned, it is in principle possible to access buildings and facilities with a stolen identity. This has been demonstrated on an actual system."
The stopgap measure being advocated for administrators who believe their MIFARE-based systems could be vulnerable is that they put supplemental security in place.
The long term impact of this hack on the public's perception of RFID security is unclear. It will likely depend on the extent to which nefarious hackers exploit the vulnerability.
