Serious RFID vulnerability discovered

second point: there is a way to retrieve the key relatively easily, without carrying out a lengthy brute force attack. This can be done by first carrying out many failed authentication attempts, which do leak some information. Storing the results of these in a big table, one can look for a match and retrieve the key. The table only has to be constructed once, and can be prepared in advance by repeatedly running the CRYPTO1 algorithm on a fixed input. The group’s proof-of-concept demonstration of this attack still required many authentication attempts once this table had been constructed. Recording these attempts took several hours, but could be carried out with a hidden antenna that eavesdrops on a card reader. It seems that the complexity can be further reduced, possibly dramatically so, making the attack much simpler.

Once the secret cryptographic key is retrieved, there will be possibilities for abuse. How severe these possibilities are will depend on the situation. If all cards share the same key, then the system will be extremely vulnerable. This may be the case if cards are used for access control to buildings and facilities, both in the private and public sector. There is however no information on how common this is. For such a setting we demonstrated an actual attack, where a card of, say, an employee can be cloned by bumping into that person with a portable card reader. The person whose identity is being stolen may then be completely unaware that anything has happened. In a situation in which diversified keys are used, abuse will be more difficult, but not impossible. No actual attacks have been demonstrated for such a scenario.
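The difference between a shared key and diversified keys, as an added example that is not part of the article and not the group's own code: a hypothetical reader model with an HMAC-based per-card key derivation, showing what a single recovered card key unlocks in each configuration. The 48-bit key length matches CRYPTO1; the derivation scheme, master key and card UIDs are constructed for the example.

```python
import hashlib
import hmac

KEY_BYTES = 6  # CRYPTO1 sector keys are 48 bits


def diversify_key(master_key: bytes, uid: bytes, sector: int) -> bytes:
    """Derive a per-card, per-sector key from a master key and the card UID.

    HMAC-SHA256 truncated to 48 bits is a hypothetical scheme chosen for
    illustration; it is not a vendor-specified diversification method.
    """
    label = b"sector-key" + uid + bytes([sector])
    return hmac.new(master_key, label, hashlib.sha256).digest()[:KEY_BYTES]


class Reader:
    """Models an access-control reader that checks the key a card presents."""

    def __init__(self, master_key: bytes, diversified: bool) -> None:
        self.master_key = master_key
        self.diversified = diversified

    def expected_key(self, uid: bytes, sector: int) -> bytes:
        if self.diversified:
            return diversify_key(self.master_key, uid, sector)
        return self.master_key[:KEY_BYTES]  # one key shared by every card

    def authenticate(self, uid: bytes, sector: int, presented: bytes) -> bool:
        return hmac.compare_digest(self.expected_key(uid, sector), presented)


# Constructed sample values: a fixed master key and two card UIDs.
MASTER_KEY = bytes(range(32))
UID_A = bytes.fromhex("04a1b2c3")  # the card whose key was recovered
UID_B = bytes.fromhex("04d4e5f6")  # a different employee's card


def attacker_results(diversified: bool) -> dict:
    """Given the recovered sector-0 key of card A, report what it unlocks."""
    reader = Reader(MASTER_KEY, diversified)
    recovered = reader.expected_key(UID_A, 0)  # key the attacker now holds
    return {
        "clone_of_A": reader.authenticate(UID_A, 0, recovered),
        "forge_B": reader.authenticate(UID_B, 0, recovered),
        "other_sector_of_A": reader.authenticate(UID_A, 1, recovered),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("diversified" if mode else "shared key", attacker_results(mode))
```

With a shared key the recovered value opens every card and sector; with diversified keys it still clones card A (the attack the article demonstrates) but yields nothing for any other card or sector.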

At the technical level there are currently no known countermeasures. Shielding cards when they are not in use, for example in a metal container, reduces the risk of an attacker secretly reading out a card. When the card is being used, however, it is still possible to eavesdrop on the communication with a hidden antenna near the access point. Strengthening of traditional access control measures is therefore advisable. Access to sensitive facilities will (or should) be protected by several protection mechanisms anyway, of which the RFID tag is only one.

The Dutch group’s hacking of the RFID card is not the first such attempt. In December 2007 Karsten Nohl and Henryk Plötz announced at a hackers’ conference in Berlin that they had reconstructed CRYPTO1. The Dutch group has been in touch with them, and the group’s work builds on their results. Nohl and Plötz kept some information about CRYPTO1 to themselves. To reverse engineer CRYPTO1, they carried out a physical attack in which they studied the layout of the hardware implementing the algorithm on an actual Mifare Classic chip. Their approach is completely different from the Dutch group’s approach, as the latter only exploited weaknesses of the protocol and did not look at the hardware implementation.

The Dutch researchers say they face a dilemma: when discovering a security flaw there is a question of how to handle this information. Immediate publication of the details can encourage attacks and do serious damage. Keeping the flaw secret for a long period may mean that necessary steps to counter the vulnerability are not taken. It is common practice in the security community to try to strike a balance between these concerns, and reveal flaws after some delay. This is the approach the group has taken. On Friday 7 March the government was informed, because national security issues might be at stake. On 8 March, experts of the Dutch Signals Security Bureau (NBV) of the General Intelligence and Security Service (AIVD) visited Nijmegen to assess the situation, and concluded that the approach the digital security group demonstrated was an effective attack. On 9 March, NXP was informed, and on Monday 10 March, Trans Link Systems (the company developing the Dutch public transport card). The group spoke to representatives of both companies about the technical details, and is collaborating with them to analyze the impact and think of possible countermeasures. On 12 March, minister Ter Horst informed the Dutch Parliament of the problem.