Now this is a real hack! I am so glad people like this are making sure that our technology is not being abused or misused. RFID is a controversial topic, and the fact that implementing proper crypto is very cost-prohibitive might win some people over to being agianst them.

Posted at 1:00 am on Jan 2nd, 2008 by Tom

I sure am glad I don’t own a car anymore.

Posted at 3:28 pm on Jan 2nd, 2008 by JSG

that was a great video, I can’t wait to see what comes of this. It is interesting to see that most of the problems are not related to technological limits but the limits of the designers and their intelligence.

Posted at 10:00 pm on Jan 2nd, 2008 by paige

stop saying on accident. it’s _by_ accident, or _on_ purpose. i command thee. vote quimby.

Posted at 4:32 pm on Jan 4th, 2008 by GRAMMAR NAZI

Interesting presentation, but sadly a couple of wrong statements. For one thing, these chips are not used in car keys. But I guess it is just more sexy to add some spice to the story rather than simply staying with the facts. It would have been a good achievement even without all these false statements.

Posted at 11:05 am on Jan 6th, 2008 by dontwantto

We realized only after the talk that the car keys use a variant of the same crypto; at least they did in the past. Weaknesses that arise through the insufficient key length and weak cryptographic structure apply equally.

Posted at 11:50 am on Jan 7th, 2008 by karsten

Interesting presentation, what does it exactly can I do with this information? Can I ride the tube for free? and Is there a possible copyright infringement happening here?

Posted at 3:31 pm on Jan 7th, 2008 by Monica V

@ monica: For now they have not hacked the entire card including secret keys etc, but even if they had, the most this would give is indeed a - single - free ride. I would imagine that what is called the “back office” of the system operator will pick up that there is a 2nd card around and will put it on a black list. Both cards, actually. So neither will work in the future. This is not economical for hackers to do (nor is it for the owner of the original card). So, as always in security systems, you have to look at the entire system for a proper security assessment. In transport it makes much more (economical) sense to place most of the security in the back office and only use cheap cards with relatively little security on them in the field. Otherwise we would all be paying more for each subway ride, and who wants that?

Posted at 5:57 am on Jan 8th, 2008 by dontwantto

@dontwantto: In principle, yes, even the full disclosure of the algorithm (and hence a fast possibility to crack the keys) should, in a properly designed system, ‘only’ yield the possibility to clone cards. However, the dutch transport system for example (OV-chipkaart) has readers in disconnected operation, so the back office *can’t* see anything until the end of the day. And in the past even simpler exploits against the unencrypted mifare ultralight cards were possible, see http://staff.science.uva.nl/~delaat/sne-2006-2007/p41/report.pdf

Posted at 7:13 am on Jan 8th, 2008 by Henryk Plötz

@monica: copyright infringement… I believe the algorithm used in these chips is protected by trademarks. Companies often do this to protect themselves against competitors and illegal clones made in, e.g., China. So, the “security by obscurity” referred to in the presentation is mostly a commercial measure. But it does have the down-side of not having been peer-reviewed, fair enough.

@karsten: You might indeed want to watch out for being sued for infringing trademark secrets here - the US is particularly nasty in this respect. It is not at all the same as academically showing how to hack an open standardized system. I seem to recall that a few years ago somebody was busted right from the stage where he gave his crypto presentation (in the US).

Posted at 7:22 am on Jan 8th, 2008 by dontwantto

Well done, but you have broken 10 years old chip with a poor pseudo RNG inside. Would be more impressive trying to hack some of the recent nxp smart cards. Don’t believe the “kitchen” approach would work there.

Posted at 11:35 am on Jan 8th, 2008 by rng

rng,

It may be a ten year old card, but it’s being deployed *today* in new public transit systems and other places.

Why don’t you take the next step and break the nxp cards yourself?

A.

Posted at 9:28 am on Jan 9th, 2008 by alexlh

@Karsten: The legal side of your case is starting to intrigue me. In your presentation you clearly stated that your findings on the Mifare Classic chip mean that the Philips car key chips are not secure any longer and that people should start migrating. This is a wrong statement. (It does not matter whether those car key chips are weak too or not.) Now, should Philips find that the sales of their car key chips are declining in the wake of the current media attention - something that is not unlikely to happen - then they will come back to you and sue you for compensation. Given that this is a multi-million dollar business for them, they are likely to sue you for many millions of dollars. And since you have named your University as affiliation in your presentation, it can be sued as well now, and that would be the US, where big money can be sued for. All this may take many years, but I am afraid that Philips will win. This is a clear-cut case. You gave them all the arguments they need on a silver plate. So you should consider your next steps rather carefully. Well, you have my sympathy.

Posted at 4:01 am on Jan 10th, 2008 by dontwantto

Alex,
It is clear that a ten years old chip is completely outdated and does not meet the today’s security standards, but for public transit systems or for identification of people, counting animals, pay in the canteen and … many more…. is still good enough. There are many applications where you don’t need such a high level of accuracy. Of course, for banking cards or for the new smart passports these ten years old chips are not applicable and you’ll have to spend more money to buy some of the latest generation smart cards - security has its price.
I don’t underestimate the work presented here. I just say that breaking such an old chip it is not a big breakthrough and the effort is not paid back. Again, the hacking method presented here would be quite feeble if applied on the recent nxp smart cards.

Posted at 7:03 am on Jan 10th, 2008 by rng

NXP responded today. Seems to use AES, does anyone know the implications of the hack on Mifare Plus? http://www.nxp.com/news/content/file_1418.html

Posted at 9:27 pm on Mar 11th, 2008 by Salvatore D\'Agostino

“i seem to recall that a few years ago somebody was busted right from the stage where he gave his crypto presentation (in the us).”

So the cops who busted this person understood cryptography enough to make the arrest confidently? I find that terribly hard to believe.

What would be funny would be to present mathematical mumbo-jumbo, get arrested by some stupid thug cops who were rented by a company (who else would arrest someone without knowing why), and the sue their sorry asses for wrongful arrest and hopefully make some cash in the process.

Posted at 11:04 pm on Apr 1st, 2008 by James