24C3 Mifare Crypto1 RFID Completely Broken

Another highlight for us at CCC was [Karsten Nohl] and [Henryk Plötz] presenting how they reverse-engineered the Crypto-1 cipher in Philips' “classic” Mifare RFID chips, which are used in transit cards, among other things (a variant of the same cipher has been used in car keys). They analyzed both the silicon and the actual handshake over the air. Looking at the silicon, they found about 10K gates. Analyzing the die images with Matlab turned up about 70 unique gate types. They then went looking for the “crypto-like” parts: long chains of flip-flops used as shift registers, XORs, and heavily interconnected logic near the edge of the die. Only about 10% of the gates turned out to be crypto. From this analysis they now know the algorithm and will release it later in the year.

The random number generator turned out to be only 16 bits wide, and the number it produces depends only on how long the card has been powered up. Because they controlled the reader (an OpenPCD), they could power-cycle the card and time the request so that it produced the same “random” nonce over and over again. This was in fact already happening by accident before they understood why.
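As an added illustration (not code from the talk or from this post) of why a 16-bit, timing-seeded nonce generator is weak: the script below models the generator as a 16-bit LFSR that starts from a fixed state at power-up and is clocked once per time unit. The feedback polynomial (x^16 + x^14 + x^13 + x^11 + 1), the reset value and the way a 32-bit nonce is built from the register are assumptions made for this example, not details the post gives. It shows that a reader which powers the card up and asks for a nonce after a fixed delay gets the same nonce every time, and that however the delay is chosen there can never be more than 65535 distinct nonces, so the 32-bit value carries at most 16 bits of entropy.

```python
"""Model of a 16-bit, timing-seeded nonce generator (added illustration).

Assumptions (not from the talk): feedback taps of x^16 + x^14 + x^13 + x^11 + 1,
a fixed reset value, and a 32-bit nonce built from two 16-bit register states.
"""
import random


def lfsr16_step(state: int) -> int:
    """Advance a 16-bit Fibonacci LFSR by one clock.

    Feedback is bit0 ^ bit2 ^ bit3 ^ bit5 of the current state (the taps of
    x^16 + x^14 + x^13 + x^11 + 1); the new bit enters at the top.
    """
    fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (fb << 15)


def lfsr16_cycle(start: int) -> list:
    """All states reached from `start`, in clock order, until it repeats.

    Bit 0 takes part in the feedback, so the step function is a bijection and
    every non-zero state lies on a cycle of length at most 2**16 - 1.
    """
    states = [start]
    s = lfsr16_step(start)
    while s != start:
        states.append(s)
        s = lfsr16_step(s)
    return states


POWER_UP_STATE = 0x0001                 # assumed fixed value after reset
CYCLE = lfsr16_cycle(POWER_UP_STATE)    # len(CYCLE) is the generator's period


class TimingSeededPrng:
    """The register is reset at power-up and clocked once per time unit, so
    its output is a function of the ticks elapsed since power-up and nothing else."""

    def __init__(self) -> None:
        self.power_up()

    def power_up(self) -> None:
        self.ticks = 0

    def tick(self, n: int = 1) -> None:
        self.ticks += n

    def state(self) -> int:
        return CYCLE[self.ticks % len(CYCLE)]

    def nonce32(self) -> int:
        """32-bit nonce = current state followed by the state 16 clocks later.
        Only the first half is free; the second half is determined by the first."""
        i = self.ticks % len(CYCLE)
        return (CYCLE[i] << 16) | CYCLE[(i + 16) % len(CYCLE)]


def nonce_after_delay(delay_ticks: int) -> int:
    """What a reader sees if it powers the card up and asks for a nonce after a
    fixed number of ticks: the replay the presenters got from their OpenPCD."""
    card = TimingSeededPrng()
    card.tick(delay_ticks)
    return card.nonce32()


def distinct_nonces(power_cycles: int, seed: int = 1) -> int:
    """Number of different nonces seen over many power cycles with random
    delays; it can never exceed the register's period."""
    rng = random.Random(seed)
    seen = {nonce_after_delay(rng.randrange(1 << 24)) for _ in range(power_cycles)}
    return len(seen)


def main() -> None:
    print(f"period of the 16-bit register: {len(CYCLE)} (at most 65535)")
    for run in (1, 2, 3):
        print(f"power-cycle, wait 1234 ticks, run {run}: nonce {nonce_after_delay(1234):08x}")
    print(f"distinct nonces over 20000 random-delay power cycles: {distinct_nonces(20000)}")


if __name__ == "__main__":
    main()
```

The fixed-delay runs print the same nonce each time, which is exactly the condition a challenge-response protocol relies on never happening; a reader that can control the field and the timing of its authentication request gets to pick the card's challenge.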

One more broken security-through-obscurity system to add to the list. For more fun, watch the video of the presentation.

22 thoughts on “24C3 Mifare Crypto1 RFID Completely Broken”

  1. Now this is a real hack! I am so glad people like this are making sure that our technology is not being abused or misused. RFID is a controversial topic, and the fact that implementing proper crypto is very cost-prohibitive might win some people over to being against them.

  2. that was a great video, I can’t wait to see what comes of this. It is interesting to see that most of the problems are not related to technological limits but the limits of the designers and their intelligence.

  3. Interesting presentation, but sadly a couple of wrong statements. For one thing, these chips are not used in car keys. But I guess it is just more sexy to add some spice to the story rather than simply staying with the facts. It would have been a good achievement even without all these false statements.

  4. We realized only after the talk that the car keys use a variant of the same crypto; at least they did in the past. Weaknesses that arise through the insufficient key length and weak cryptographic structure apply equally.

  5. Interesting presentation, but what exactly can I do with this information? Can I ride the tube for free? And is there a possible copyright infringement happening here?

  6. @ monica: For now they have not hacked the entire card including secret keys etc, but even if they had, the most this would give is indeed a – single – free ride. I would imagine that what is called the “back office” of the system operator will pick up that there is a 2nd card around and will put it on a black list. Both cards, actually. So neither will work in the future. This is not economical for hackers to do (nor is it for the owner of the original card). So, as always in security systems, you have to look at the entire system for a proper security assessment. In transport it makes much more (economical) sense to place most of the security in the back office and only use cheap cards with relatively little security on them in the field. Otherwise we would all be paying more for each subway ride, and who wants that? :-)

  7. @dontwantto: In principle, yes, even the full disclosure of the algorithm (and hence a fast possibility to crack the keys) should, in a properly designed system, ‘only’ yield the possibility to clone cards. However, the Dutch transport system for example (OV-chipkaart) has readers in disconnected operation, so the back office *can’t* see anything until the end of the day. And in the past even simpler exploits against the unencrypted Mifare Ultralight cards were possible, see http://staff.science.uva.nl/~delaat/sne-2006-2007/p41/report.pdf

  8. @monica: copyright infringement… I believe the algorithm used in these chips is protected by trademarks. Companies often do this to protect themselves against competitors and illegal clones made in, e.g., China. So, the “security by obscurity” referred to in the presentation is mostly a commercial measure. But it does have the down-side of not having been peer-reviewed, fair enough.

    @karsten: You might indeed want to watch out for being sued for infringing trademark secrets here – the US is particularly nasty in this respect. It is not at all the same as academically showing how to hack an open standardized system. I seem to recall that a few years ago somebody was busted right from the stage where he gave his crypto presentation (in the US).

  9. Well done, but you have broken a 10-year-old chip with a poor pseudo-RNG inside. It would be more impressive to try to hack some of the recent NXP smart cards. I don’t believe the “kitchen” approach would work there.

  10. rng,

    It may be a ten year old card, but it’s being deployed *today* in new public transit systems and other places.

    Why don’t you take the next step and break the nxp cards yourself? :)

    A.

  11. @Karsten: The legal side of your case is starting to intrigue me. In your presentation you clearly stated that your findings on the Mifare Classic chip mean that the Philips car key chips are not secure any longer and that people should start migrating. This is a wrong statement. (It does not matter whether those car key chips are weak too or not.) Now, should Philips find that the sales of their car key chips are declining in the wake of the current media attention – something that is not unlikely to happen – then they will come back to you and sue you for compensation. Given that this is a multi-million dollar business for them, they are likely to sue you for many millions of dollars. And since you have named your University as affiliation in your presentation, it can be sued as well now, and that would be the US, where big money can be sued for. All this may take many years, but I am afraid that Philips will win. This is a clear-cut case. You gave them all the arguments they need on a silver plate. So you should consider your next steps rather carefully. Well, you have my sympathy.

  12. Alex,
    It is clear that a ten-year-old chip is completely outdated and does not meet today’s security standards, but for public transit systems or for identification of people, counting animals, paying in the canteen and … many more … it is still good enough. There are many applications where you don’t need such a high level of accuracy. Of course, for banking cards or for the new smart passports these ten-year-old chips are not applicable and you’ll have to spend more money to buy some of the latest-generation smart cards – security has its price.
    I don’t underestimate the work presented here. I just say that breaking such an old chip is not a big breakthrough and the effort is not paid back. Again, the hacking method presented here would be quite feeble if applied to the recent NXP smart cards.

  13. “i seem to recall that a few years ago somebody was busted right from the stage where he gave his crypto presentation (in the us).”

    So the cops who busted this person understood cryptography enough to make the arrest confidently? I find that terribly hard to believe.

    What would be funny would be to present mathematical mumbo-jumbo, get arrested by some stupid thug cops who were rented by a company (who else would arrest someone without knowing why), and then sue their sorry asses for wrongful arrest and hopefully make some cash in the process.

  14. Hi, probably you do not know about it, but Google Video as a video archive is coming to an end … It would be very wrong to let these videos get deleted; Google wants to enhance their hard drive :)
