The University of Virginia's recent hack of the world's most popular RFID chip – the Mifare Classic from Philips subsidiary NXP Semiconductors – continues to create ripples around the globe.
Following a warning by the Dutch government over access cards to its buildings last week, reports have surfaced that one, as yet unidentified, European country has deployed soldiers to guard some government facilities that use the Mifare Classic chip in their smart door key cards.
Graduate student Karsten Nohl's success in breaking the Mifare encryption code with basic equipment has implications for between one and two billion smartcards, which are used both to open doors and in public transportation systems, including London's (with the Oyster fare card).
The hack is "a pretty huge deal", says Ken van Wyk, principal consultant with KRvW Associates. "There are a lot of these things floating around out there. Using it for building locks is the biggie, especially when it's used in sensitive government facilities. I know for a fact it's being used in sensitive government facilities."
It was Van Wyk who told Computerworld that one European country has brought in soldiers to guard some government facilities using the Mifare Classic chip in their smart door key cards.
"Deploying guards to facilities like that is not done lightly," he added. "They recognise that they have a huge exposure. They're not doing it because it's fun. They're safeguarding their systems." He declined to identify the European country.
Manuel Albers, a spokesman for NXP Semiconductors, said the company has confirmed some of Nohl's findings. However, he added there are no plans to take the popular chip off the market. He said its encryption was state-of-the-art when the chip was introduced in 1994 and was still fine for entry-level smartcards, like public transportation fare cards – which is mostly what it's used for.
Albers added that NXP had other, more secure, chips in its product portfolio these days, including the Mifare Plus.
Analyst van Wyk and codebreaker Nohl agree that the real problem lies in the cards that are used as door locks.
"I don't think people want to steal other people's bus tickets," said Nohl. "But think about chemical waste storage buildings or military facilities. The stakes are a lot higher. These cards are used around the world to secure high-level buildings. All these applications will suffer as soon as somebody with criminal intent finds the details that we have."
Nohl explained that since the Mifare Classic smart cards use a radio chip, he can easily scan them for information in a matter of minutes. If someone came out of a building, carrying a smart card door key, he could walk past them with a laptop and scanner in a backpack or bag and scan their card. He also could walk past the door and scan for data from the reader.
He would have enough information to find the cryptographic key and duplicate a smartcard to open the door.