How they hacked it: The MiFare RFID crack explained
A look at the research behind the chip compromise
Computerworld - Last month, the Dutch government issued a warning about the security of access keys based on the ubiquitous MiFare Classic RFID chip. The warning comes on the heels of an ingenious hack, spearheaded by Henryk Plotz, a German researcher, and Karsten Nohl, a doctoral candidate in computer science at the University of Virginia, that demonstrated a way to crack the encryption on the chip.
Millions upon millions of MiFare Classic chips are used worldwide in contexts such as payment cards for public transportation networks throughout Asia, Europe and the U.S. and in building-access passes.
The report asserts that systems employing MiFare will likely be secure for another two years, since hacking the chip seems to be an involved and expensive process. But in a recent report published by Nohl, titled "Cryptanalysis of Crypto-1," he presents an attack that recovers secret keys in mere minutes on an average desktop PC.
In December, Nohl and Plotz gave a presentation on MiFare's security vulnerabilities at the 24th Chaos Communications Congress (24C3), the annual four-day conference organized by Germany's notorious hacking collective, the Chaos Computer Club (CCC). Thousands of hackers from far-flung locales converged on Berlin between Christmas and New Year's for a raft of talks and project demonstrations.
In their popular talk at 24C3, punctuated by bursts of raucous applause, Nohl presented an overview of radio frequency identification security vulnerabilities and the process of hacking the MiFare chip's means of encryption, known as the Crypto-1 cipher. "This is the first public announcement that the Crypto-1 cipher on the MiFare tag is known," said Nohl in December at the 24C3 talk. "We will give out further details next year."
Get out the microscopes
To hack the chip, Nohl and Plotz reverse-engineered the cryptography on the MiFare chip through a painstaking process. They examined the actual MiFare Classic chip in exacting detail using a microscope and the open-source OpenPCD RFID reader and snapped several in-depth photographs of the chip's architecture. The chip is tiny -- about a 1-millimeter-square shred of silicon -- and is composed sed of several layers.
The researchers sliced off the minuscule layers of the chip and took photos of each layer. There are thousands of tiny blocks on the chip -- about 10,000 in all -- each encoding something such as an AND gate or an OR gate or a flip-flop.
Analyzing all of the blocks on the chip would have taken forever, but there was a shortcut. "We couldn't actually look at all 10,000 of these small building blocks, so we wanted to categorize them a bit before we started analyzing," said Nohl at 24C3. "We observed that there aren't actually 10,000 different ones. They're all taken from a library of cells. There are only about 70 different types of gates; we ended up writing MATLAB scripts that once we select one instance of a gate finds all the other ones."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts