New research that shows smart cards with encrypted RFID chips might not be as secure as previously thought is raising concerns in Boston, where the subway CharlieCards use just such technology. The research raises the specter of thieves with $1,000 worth of equipment cracking smart card encryption and making counterfeit cards to do everything from swipe fares to gain access to high-security areas.
Although University of Virginia student Karsen Nohl and colleagues revealed their findings in December at a conference, a couple of Boston-area media outlets (Boston Herald, Boston Globe ) picked up on the story this week, breathing new life into it. The MBTA, the outfit running the Boston subway system, declined to discuss its security technologies with the Boston newspapers.
The particular RFID chip in question – the Mifare Classic, of which a billion-plus have been sold – is made by Philips spinoff NXP Semiconductors, which has been widely quoted saying that only a portion of the cryptographic algorithm has been obtained by the researchers. (The researchers have not fully disclosed their method in an effort to keep those with bad intentions from copying them.) Security experts have known all along that such chips, which generally cost less than a dollar, were crackable, but didn’t realize it could be so economically feasible.
"People have and will, as we have, taken security expertise from the world of computers and applied it to RFIDs, whose designers had been operating under the assumption that their world was apart from such scrutiny," Nohl said in a statement .
Nohl and colleagues were able to listen to data broadcast by the chips using readily available RFID readers and then dissected the layers of the chip via custom optical recognition software to deduce the algorithm and encryption keys.
A video of the researchers presentation http://www.cs.virginia.edu/~kn5f/index.html, called “Milfare: Little Security, Despite Obscurity,” is available on Nohl’s Web page.
Nohl humorously reassures on his Web page at the University of Virginia that he and his colleagues have not found a way to crack credit card security:
“Please note that we have not compromised the security of credit cards as some of the articles suggest. From what we can see, RFID-enabled credit cards have no security (yet?), and hence there is nothing to compromise.”
Various sorts of encryption have been under scrutiny of researchers of late, with Princeton University and cohorts recently showing a way to crack disk encryption .