Skip to content

Management

Technology

Toolbox

Training

Books

White Papers

Webcast

Resource Centre


ComputerworldUK CommunIT

Want to join the UK’s fastest growing dedicated IT community? Enter here to browse the UK’s top usergroups, societies and associations.

Mobile Applications & RFID technology > mobile & wireless > news

March 18, 2008

'Soldiers deployed' following RFID hack

Guards allegedly replace government key cards

By Sharon Gaudin

The University of Virginia's recent hack of the world's most popular RFID chip – the Mifare Classic from Philips subsidiary NXP Semiconductors – continues to create ripples around the globe.

Advert

Following a warning by the Dutch government over access cards to its buildings last weeks, reports have surfaced that one, as yet unidentified, European country has deployed soldiers to guard some government facilities that use the Mifare Classic chip in their smart door key cards.

Graduate student Karsten Nohl's success in breaking the Mifare encryption code with basic equipment has implications for between one and two billion smartcards, which are used both to open doors and in public transportation systems, including London's (with the Oyster fare card).

The hack is "a pretty huge deal", says Ken van Wyk, principal consultant with KRvW Associates. "There are a lot of these things floating around out there. Using it for building locks is the biggie, especially when it's used in sensitive government facilities. I know for a fact it's being used in sensitive government facilities."

It was Van Wyk who told Computerworld that one European country has brought in soldiers to guard some government facilities using the Mifare Classic chip in their smart door key cards.

"Deploying guards to facilities like that is not done lightly," he added. "They recognise that they have a huge exposure. They're not doing it because it's fun. They're safeguarding their systems." He declined to identify the European country.

Manuel Albers, a spokesman for NXP Semiconductors, said the company has confirmed some of Nohl's findings. However, he added there are no plans to take the popular chip off the market. He said its encryption was state-of-the-art when the chip was introduced in 1994 and was still fine for entry-level smartcards, like public transportation fare cards – which is mostly what it's used for.

Albers added that NXP had other, more secure, chips in its product portfolio these days, including the Mifare Plus.

Analyst van Wyke and codebreaker Nohl agree that the real problem lies in the cards that are used as door locks.

"I don't think people want to steal other people's bus tickets," said Nohl. "But think about chemical waste storage buildings or military facilities. The stakes are a lot higher. These cards are used around the world to secure high-level buildings. All these applications will suffer as soon as somebody with criminal intent finds the details that we have."

Nohl explained that since the Mifare Classic smart cards use a radio chip, he can easily scan them for information in a matter of minutes. If someone came out of a building, carrying a smart card door key, he could walk past them with a laptop and scanner in a backpack or bag and scan their card. He also could walk past the door and scan for data from the reader.

He would have enough information to find the cryptographic key and duplicate a smartcard to open the door.

Follow highlights from ComputerworldUK on Twitter
Sign up for our Daily Newsletter
The UK IT News widget Get it for your site!

« prev article | more mobile & wireless news | next article »

Advert

close

Email this article to a friend or colleague:




PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

close
  • This article is now being printed.
close

What are your views on this subject? Use the form below to post a comment on this article up to 1000 characters.


Characters remaining:

close

Click below to add ''Soldiers deployed' following RFID hack - Mobile Applications & RFID - ComputerworldUK' to your blog.



If you do not have a ComputerworldUK Account and would like to use this feature, please Register.

If you are a registered, logged-in user, this will post the title and first paragraph of this story to your blog to share with your readers.

What is this?

Comments received

Bob said on Tuesday, 18 March 2008

I think they need to provide shielded card sleeves to users when they ship these cards. Much like the ones you can by from Identity Stronghold at www.idstronghold.com

Advert

WHITE PAPERS

  • Legal risks: Employee use of the internet and email
    Exploring the challenges facing IT Mangers today and vital steps to ensure safe internet an email use by employees.
  • Phishing for victims
    This White Paper examines the phenomenon of phishing. It explains the potentially catastrophic threat it presents to all kinds of organisation. Exploding some widespread myths, it lights up the murky waters where phishing first emerged and where it continues to evolve. But it also highlights what your business can do to blunt the threat.
  • Challenges and opportunities of PCI
    The control framework implicit in the Payment Card Industry Data Security Standard (PCI DSS) provides an enterprise structure for improving operational, security, and audit performance.
  • Social CRM comes of age
    Who is this “social customer”? What strategies and tools does the new breed of CRM provide to do something about this?
  • Risk Management: Protect and Maximize Stakeholder Value
    What has held organisations back from a broader adoption of risk management programs?
*