Vulnerabilities in the Mifare Classic RFID system confirmed
The operator of the nationwide payment system for Dutch urban transit, Trans Link Systems (TLS), has published excerpts from a previously secret security analysis of the Mifare Classic contactless payment system. In the report, analysts from the Dutch firm TNO came to the conclusion that both the vulnerabilities and the attacks made known late last year are feasible. Mifare Classic is currently the most widespread RFID payment system in use. According to estimates, billions of the chips are in use worldwide, mainly in college refectories and in contactless ride and entry tickets.
The TLS is switching its payment system from OV-Chipkaart to Mifare Classic. So far it is only in widespread use in certain metropolitan areas such as Rotterdam and Amsterdam. The TNO analysts do not yet see the switch to a secure system as urgent. Their recommendation is for the TLS to introduce the Mifare system in all service areas as planned over the course of the year. Switching to another system is not considered necessary until there is evidence of systematic fraud. The TNO analysts believe this will occur within two years.
The ball was set rolling when a group of researchers from the Chaos Computer Club scene presented the results of their hardware analysis of the Mifare Classic chip at the 24C3 hacker conference last December. That made public for the first time the inner workings of the secret Crypto1 encryption algorithm, as well as various attacks against glaring vulnerabilities in the encryption and the random number generator. The access key for a card can be cracked within minutes on a PC and, with the help of special hardware, within seconds.
Researchers at the Radboud Universiteit Nijmegen claim to have made further progress in cracking the secret access keys. According to them, it is now possible to determine the access key of a Mifare Classic chip card in a short time without any expensive equipment, merely by using manipulated read attempts and a pre-calculated table. Their work is based on the findings of the CCC members, but due to "the sensitive nature of the matter" the Dutch researchers did not wish to comment further to heise Security on what distinguishes their attack from previous methods.
For its part, Dutch Mifare manufacturer NXP has still not officially confirmed the vulnerabilities of the Classic variant of its product. However, it has announced the planned release in late 2008 of the improved Mifare Plus chip variant, which is compatible with the Mifare Classic. Supposedly, its encryption is not based on the now cracked encryption process, but on the still secure AES-128 algorithm. NXP is planning for EAL-4+ security certification through the BSI for the Mifare Plus chip.
Some reports on the topic in recent weeks have referred erroneously to a "smart card hack". Even NXP sometimes refers to the Mifare chip as a "smart card". In response, the Smart Card Alliance felt compelled to issue a statement that contactless smart cards are not affected by the Mifare vulnerability and are still secure. Unlike Mifare chips, which are essentially memory cards, smart cards also contain a microprocessor and a miniature operating system for encryption and signature functions. Typical uses are home banking, credit cards, cash cards, pay television and mobile phone SIM cards.
- Security Analysis of the Dutch OV-Chipkaart, TNO analysis of Mifare security
- Mifare – Little Security, Despite Obscurity, presentation at the 24C3 conference
- Dismantling contactless smartcards, summary of the Radboud Universiteit findings