Those high-security swipe cards that secure your front door may be no good
German researchers have cracked a widely deployed generation of contactless smart-card authenticators
The physical security of your company and its data just got less secure if your company is one of millions that use a particular kind of smart card designed to give commuters, corporate wage slaves and security specialists quick passage through security gates and down the invisible elevator that takes them to the secret headquarters underneath the streets of Cardiff.
A team of German scientists has demonstrated an attack that lets them make a perfect clone of the kind of contactless security card used to give workers access to corporate or government buildings – including NASA – and as a daily ticket replacement on buses and subways. Researchers broke the previous generation of Mifare contactless ID cards in 2008, prompting the company to upgrade its security, creating a card able to be programmed only once and which contained a unique identifying number that could be checked against the programmed content on the card for extra security.
Higher-end cards have on-board processing capability, including the ability to generate random identifiers to help frustrate copying, 128-bit AES encryption and a series of other extra features.
NXP Semiconductors, which owns Mifare, put out an alert to customers warning that the security had been cracked on its MIFARE DESFire (MF3ICD40) smartcard but saying that model would be discontinued by the end of the year and encouraging customers to upgrade to the EV1 version of the card.
NXP is one of the largest providers of security smartcards; it has sold a total of 3.5 billion of the cards, but wouldn't estimate how many of the cracked cards are in circulation.
Researchers David Oswald and Christof Paar at Ruhr University in Germany, who worked on the crack of the KeeLoq remote keyless entry system in 2008, used side-channel analysis for both attacks. The technique uses a small probe and an oscilloscope to record the card's electromagnetic emissions, which track its power consumption, while an RFID reader is talking to it; tiny variations in that consumption depend on the secret key the chip is using, and statistical analysis of enough recordings pulls the key out.
It takes about seven hours of measurements to recover one card's 112-bit 3DES key, the researchers said. That figure assumes you have already spent months profiling the card's architecture, behavior and responses, although that profiling only has to be done once for a card model, not once per card. Cracking time could be cut to as little as three hours, Paar and Oswald said.
The weak point for the MF3ICD40 – and many of NXP's other cards – is that it does little or nothing to resist being measured, prodded and poked by attackers: nothing masks or randomises the chip's power consumption, so it varies with the key being used.
The EV1 upgrade to that card has an on-chip backup management system, an authentication mechanism that supports three separate authentication methods and hardware 3DES encryption that meets the security requirements of most U.S. government agencies, and it remains compatible with existing systems designed to read the card over Near Field Communication (NFC) radio.
NXP's advice to move to the EV1 implies it was designed to resist this kind of probing, but the company's alert gives no detail of what countermeasures it contains or how well they would hold up against a determined attacker poking it to see how it reacts.
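The attack described in the two paragraphs above is a correlation power analysis, and the weakness is the absence of masking. The following is an added example written for this article, not code from the Ruhr University researchers or from NXP: it simulates a single DES S-box running inside a chip that leaks the Hamming weight of the S-box output, generates constructed "traces", and recovers the 6-bit subkey by correlating each of the 64 candidate keys' predicted leakage against the measurements. The same routine is then run against a card that XORs a fresh random mask into the S-box output, the kind of countermeasure the MF3ICD40 lacks, and finds no usable peak. The trace length, leakage position, noise level and key value are all assumptions chosen for the demo; real DESFire traces are far longer and noisier, which is why the real attack needed hours of measurement and months of profiling.

```python
"""Added example: correlation power analysis (CPA) against a simulated DES S-box,
with and without a masking countermeasure. Not the researchers' tooling; the leakage
model (Hamming weight of the S-box output at one sample, plus Gaussian noise) and all
constants below are assumptions for illustration.
"""
import random
from statistics import mean

# DES S-box 1 (FIPS 46-3), indexed [row][column].
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

N_SAMPLES = 8     # assumed samples per trace (a real trace has thousands)
LEAK_SAMPLE = 3   # assumed sample at which the S-box output is processed


def sbox1(x6):
    """DES S-box 1 on a 6-bit input: the two outer bits select the row, the inner four the column."""
    row = (((x6 >> 5) & 1) << 1) | (x6 & 1)
    col = (x6 >> 1) & 0xF
    return S1[row][col]


def hamming_weight(v):
    return bin(v).count("1")


def simulate_traces(subkey, n, noise_sigma=1.0, masked=False, seed=1):
    """Constructed measurement data: n random 6-bit inputs and one power trace each.

    masked=False: the chip leaks HW(S1(p ^ subkey)) directly, like an unprotected card.
    masked=True: a fresh random 4-bit mask is XORed into the S-box output before it is
    processed, so the leaked value is statistically independent of the key.
    """
    rng = random.Random(seed)
    inputs, traces = [], []
    for _ in range(n):
        p = rng.randrange(64)
        s = sbox1(p ^ subkey)
        if masked:
            s ^= rng.randrange(16)
        trace = [rng.gauss(0.0, noise_sigma) for _ in range(N_SAMPLES)]
        trace[LEAK_SAMPLE] += hamming_weight(s)
        inputs.append(p)
        traces.append(trace)
    return inputs, traces


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences (0.0 if either is constant)."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    if var_x == 0.0 or var_y == 0.0:
        return 0.0
    return cov / (var_x * var_y) ** 0.5


def cpa_recover_subkey(inputs, traces):
    """Return (best 6-bit subkey guess, its peak |correlation|).

    For each of the 64 candidate subkeys, predict the leakage HW(S1(p ^ guess)) for every
    input and correlate that prediction with every sample column of the traces. On an
    unprotected chip the correct guess produces a clear peak at the leaking sample.
    """
    columns = [[trace[t] for trace in traces] for t in range(N_SAMPLES)]
    best_guess, best_corr = None, -1.0
    for guess in range(64):
        hypothesis = [hamming_weight(sbox1(p ^ guess)) for p in inputs]
        for column in columns:
            corr = abs(pearson(hypothesis, column))
            if corr > best_corr:
                best_guess, best_corr = guess, corr
    return best_guess, best_corr


if __name__ == "__main__":
    KEY = 0x2B  # assumed secret subkey for the demo
    guess, corr = cpa_recover_subkey(*simulate_traces(KEY, 1000))
    print(f"unprotected: recovered 0x{guess:02x} (true 0x{KEY:02x}), peak |corr| {corr:.2f}")
    guess, corr = cpa_recover_subkey(*simulate_traces(KEY, 1000, masked=True))
    print(f"masked:      best guess 0x{guess:02x}, peak |corr| {corr:.2f} (no usable peak)")
```

The unmasked run recovers the subkey with a peak correlation around 0.7 at the leaking sample; the masked run's best correlation is down in the noise, because the mask decorrelates the processed value from the key. A full attack repeats this for each of the eight S-boxes in each DES round to assemble the complete key, which is what the 3DES hardware on the MF3ICD40 exposed.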
The EV1 is designed for transit systems, event-ticketing systems and other applications that would put millions of them in the hands of end users, meaning it won't be hard for anyone wanting to crack it to get hold of one.
If you use NXP security cards in any of your buildings, or any kind of NFC-based smartcard security, you might want to look into additional controls (a PIN or a second factor at the reader, for instance) and check whether the specific card model you deploy has a published attack against it. Odds are getting better that it has.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty.