Another RFID smart card vulnerability exposed
Just two months after a judge barred a group of MIT students from disclosing vulnerabilities discovered in Boston's CharlieCard fare collection system, another group, this time from the Netherlands, has published instructions for cracking the cryptographic cypher used to secure the world's most popular transit system smart card.
The Dutch team of researchers presented the results [PDF] of their experiments with NXP Semiconductors' Mifare Classic card at the ESORICS security conference Monday in Malaga, Spain. As a Dutch affiliate of InfoWorld reports, the team created a device to analyze the communication between the Mifare card and a reader. They then identified partial strings of the code given off by the reader as part of its digital handshake with the card, opening the door to cracking the cypher. It all sounds like something from the current season of Prison Break [Hulu], if you ask me.
As the MBTA did in the MIT students' case, NXP sued to prevent the group from making their findings public, but a judge didn't bite because the "University acted with due care, warning stakeholders early on," and because the "damage is not [a] result of publication, but of apparent deficiencies in cards," according to the Dutch team's presentation.
Ars Technica points out that NXP didn't stand by idly as their security protocols were breached. They introduced a new generation of cards that uses a much longer encryption code – one that's more difficult to crack. But because of the old system's popularity – Mifare cards make up 85 percent of the smart card market – NXP is giving the new cards backward compatibility with old readers. That, the site argues, makes the upgrade "an uncertain security replacement at best."
When the Monitor covered the MIT students' hack of the Boston CharlieCard system in August, it quoted senior security consultant Mike Davis of San Francisco's IOActive: "I'll predict for you that within a couple of months someone will reproduce the attack, whether or not the details were released.... The obscurity we relied on to protect these systems are just assumptions people have made." That prediction appears to have come true.