The Dutch government has issued a warning about the security of access passes based on the widely used Mifare Classic RFID chip. This is the same technology used in London's Oyster fare card, whose security was under question only last week.
Dutch government institutions plan to take "additional security measures", Guusje ter Horst, minister of interior affairs, wrote in a letter to parliament this week.
NXP developed the Mifare Classic RFID (radio frequency identification) chip, which is used in two million Dutch building access passes, said ter Horst.
One billion passes with the technology have been distributed worldwide, making the security risk a global problem. A spokesperson for the ministry said that it had not yet notified other countries.
The warning comes shortly after two research teams independently demonstrated hacks of the chip's security algorithm.
German researchers Karsten Nohl and Henryk Plötz, who first hacked parts of the chip last December, published a paper demonstrating a way to crack the chip's encryption technology. The duo declined to publicly demonstrate their hack. "We want to start a discussion first, allowing people to adjust or abandon their systems," Nohl said. He added that he would provide a demonstration before June.
Then this week, Bart Jacobs, an information security professor at the Radboud University in Nijmegen, demonstrated a hack of the chip's security encryption. Jacobs had notified the security service prior to going public, which has since confirmed the hack. A video demonstration of the hack is scheduled for publication soon.
Criminals can use the hack to clone cards that use the Mifare Classic chip, allowing them to create copies of building access keys or commit identity theft.
The chip is used in payment systems worldwide, including Transport for London's Oyster card and the CharlieCard that is used on the Boston metro. Both offer payment systems that allow for wireless transactions.
In the Netherlands, the Mifare Classic chip has been at the centre of a national controversy since Nohl and Plötz first published their findings at the Chaos Computer Camp in Berlin last December.
The chip is the basis of a national proof-of-payment system for public transport. A recently published government-issued study by the Netherlands Organisation for Applied Scientific Research dismissed the potential security threat, claiming that hackers would take at least two years to crack the security codes.
A Transport for London spokesman insisted to Computerworld UK last week that Oyster has additional security systems in place. A spokesperson said: "The security of the Oyster system has never been breached and Londoners can have total confidence in the security of their Oyster cards."