The physical security of your company and its data just got weaker if your company is one of the millions that use a particular kind of smart card designed to give commuters, corporate wage slaves, and security specialists quick passage through security gates and down the invisible elevator that takes them to the secret headquarters underneath the streets of Cardiff.
A team of German scientists has demonstrated an attack that lets them make a perfect clone of the kind of contactless security card used to admit workers to corporate or government buildings -- including NASA -- and used as a daily ticket replacement on buses and subways. The same team broke a previous version of Mifare's contactless ID cards in 2008, prompting the company to upgrade its security with a card that can be programmed only once and that carries a unique identifying number which can be checked against the programmed content on the card for extra security.
Higher-end cards have some processing capability, including the ability to generate random identifiers to frustrate copying, 128-bit keys, support for AES encryption, and a series of other extra features.
NXP Semiconductors, which owns Mifare, put out an alert to customers warning that the security of its MIFARE DESFire (MF3ICD40) smartcard had been cracked, but said that model would be discontinued by the end of the year and encouraged customers to upgrade to the EV1 version of the card.
NXP is one of the largest providers of security smartcards; it has sold a total of 3.5 billion of the cards, but wouldn't estimate how many of the cracked cards are in circulation.
Researchers David Oswald and Christof Paar at Ruhr University Bochum in Germany, whose group also worked on the 2008 crack of the KeeLoq remote keyless entry system, used side-channel analysis for both attacks. The technique relies on a probe and an oscilloscope to record the card's electromagnetic emissions, which track its power consumption, while it is being read by an RFID reader; the key is then recovered by correlating many such recordings against what the chip should leak under each candidate key.
It takes about seven hours to recover a single card's 112-bit (two-key 3DES) encryption key, the researchers said, but only after months spent profiling the card's architecture, behavior and responses -- work that need be done only once per card model, not per card. With further optimization, Paar and Oswald said, the per-card time could drop to as little as three hours.
The weak point of the MF3ICD40 -- and of many of NXP's other cards -- is that it does little or nothing to resist side-channel measurement: it lacks countermeasures such as masking or randomized timing that would stop an attacker from recording, prodding, and poking at the chip while it computes with the key.
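To make the side-channel step described above concrete, here is an added example (not code from the researchers, the article, or NXP) of correlation power analysis against a simulated DES S-box: many noisy "traces" are recorded while the chip processes known inputs, and the 6-bit chunk of the first-round key whose predicted leakage best correlates with the measurements is the right one. It assumes a Hamming-weight leakage model on the S-box output plus Gaussian noise, uses synthetic traces rather than oscilloscope captures, and attacks only one of DES's eight S-boxes; a real attack repeats the step for every S-box and for each DES pass of the card's two-key 3DES. The `jitter` parameter is also an assumption: it simulates a randomized-timing countermeasure of the kind the passage above says the MF3ICD40 lacks, and shows how it smears the leak across samples and drags the correlation down.

```python
"""Correlation power analysis (CPA) against a simulated DES S-box.

Added illustration, not code from the researchers or from NXP.
Leakage model (assumed): Hamming weight of the S1 output plus Gaussian
noise, placed at one sample of an otherwise noise-only trace.
"""
import math
import random

# DES S-box 1, standard table: row = input bits 1 and 6, column = bits 2..5.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox1(x):
    """4-bit S1 output for a 6-bit input (outer bits pick the row)."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def hamming_weight(v):
    return bin(v).count("1")


def simulate_traces(subkey, n_traces, n_samples, leak_index, noise_sd, rng, jitter=0):
    """Synthetic 'oscilloscope' traces. Every sample is noise; one sample
    additionally carries HW(S1(x ^ subkey)). With jitter > 0 the leaky
    sample is shifted by a random 0..jitter per trace (constructed
    stand-in for a random-delay countermeasure). The inputs x stand in
    for the 6 expansion-output bits feeding S1, which the attacker knows
    because they derive from the plaintext/challenge."""
    inputs, traces = [], []
    for _ in range(n_traces):
        x = rng.randrange(64)
        trace = [rng.gauss(0.0, noise_sd) for _ in range(n_samples)]
        where = leak_index + (rng.randrange(jitter + 1) if jitter else 0)
        trace[where] += hamming_weight(sbox1(x ^ subkey))
        inputs.append(x)
        traces.append(trace)
    return inputs, traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(xs, ys))
    vx = sum((a - mx) ** 2 for a in xs)
    vy = sum((b - my) ** 2 for b in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / math.sqrt(vx * vy)


def cpa_recover_subkey(inputs, traces):
    """For each of the 64 candidate subkeys, predict HW(S1(x ^ k)) per
    trace and correlate the prediction with every time sample.
    Returns (best_subkey, best_sample_index, best_abs_correlation)."""
    n_samples = len(traces[0])
    best = (None, None, -1.0)
    for k in range(64):
        predicted = [hamming_weight(sbox1(x ^ k)) for x in inputs]
        for t in range(n_samples):
            column = [tr[t] for tr in traces]
            r = abs(pearson(predicted, column))
            if r > best[2]:
                best = (k, t, r)
    return best


def demo(true_subkey=0b101101, n_traces=400, seed=7, jitter=0):
    """Run the attack on constructed traces; returns the CPA result."""
    rng = random.Random(seed)
    inputs, traces = simulate_traces(true_subkey, n_traces, n_samples=24,
                                     leak_index=10, noise_sd=1.0, rng=rng,
                                     jitter=jitter)
    return cpa_recover_subkey(inputs, traces)


if __name__ == "__main__":
    k, t, r = demo()
    print(f"unprotected: subkey {k:06b} at sample {t}, |r| = {r:.3f}")
    k, t, r = demo(jitter=8)
    print(f"with random delays: subkey {k:06b} at sample {t}, |r| = {r:.3f}")
```

With the unprotected traces the correct chunk stands out with a correlation around 0.7, far above the roughly 0.1 to 0.2 that wrong guesses reach by chance; spreading the leak over nine possible sample positions pushes the correct guess down into that noise floor, which is why an attacker facing such countermeasures needs far more traces, trace alignment, or the months of profiling the article mentions.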