NXP sues to prevent hackers from releasing MIFARE flaws
10 July, 2008
category: Contactless
NXP Semiconductors has sued Radboud University Nijmegen in the Netherlands to block publication of details of a security flaw in NXP’s MIFARE Classic contactless smart cards, according to a ZDNet UK report.
“We feel the publication would not be responsible,” NXP said in an e-mail statement when asked to comment for the ZDNet UK article. “We cannot give further comments at this time, as it is in the hands of the court and the court has given a confidentiality order.” A hearing was scheduled for today but the outcome was not yet known.
Karsten Nohl, a University of Virginia graduate student who worked with others to break the cryptographic algorithm, plans to publish his research in August. The Dutch university’s research builds on Nohl’s work. Nohl said that NXP has not sued him to halt publication of his work.
The MIFARE Classic line of products is possibly the world’s most widely deployed contactless product, used for many transit and physical security applications. The MIFARE Classic line includes the MIFARE 1K, MIFARE 4K and MIFARE Mini products. They are used worldwide in transit fare collection systems, access control solutions, and government ID systems. Large issuers include transit projects such as London’s Oyster program, The Netherlands’ OV-chipkaart, and Boston’s Charlie Card.
Nohl spoke with Regarding ID in the spring. He says his team spent two years working on the MIFARE project. The gist of the effort, as he describes it, involved “taking off one layer at a time (from the tiny chip), then taking photos, (to) reconstruct the structure. There are such vast amounts of data that we can’t do it, but we could train our computers to do it. The structure encodes what the chip is doing like any microprocessor. Basically output the code that we can read and understand what the crypto is doing.”
MIFARE was first released in 1994. Given 15-year-old security and the advances in computing since then, it seems to many that vulnerabilities are to be expected in aging products.
Continuing coverage of the MIFARE Hack
Episode 8: Interview with Mifare hacker Karsten Nohl
In this episode, the publicized Mifare Crypto-1 hack is examined. Interviews with the researcher who uncovered the alleged vulnerability, Karsten Nohl, as well as NXP representative Manuel Albers and Smart Card Alliance’s Randy Vanderhoof, delve into the topic from all sides.
Albers reports that between 1 and 2 billion of these chips have been issued to date and are in use in transit systems and security and access applications.
Nohl stated that he would wait until next year to make the complete nature of the attack public, suggesting “if you are relying on Mifare security, you should start migrating.” When asked if the intent was to give the issuers time to migrate or if he was holding the industry ransom, he replied, “I would acknowledge that we are playing along in the obscurity game … we want every one of these systems to wake up and realize how insecure they are … to convince the last ones that are still claiming we have not found it, we will have to release it.”
NXP introduces new security, performance benchmark with MIFARE Plus
Greater security and backwards compatibility are two of the features of NXP’s new MIFARE Plus contactless smart card IC, designed for automated fare collection and the access control markets. One of the chip’s advantages is that after upgrading the system infrastructure, service operators will be able to easily switch MIFARE Plus-powered cards in the field to a higher security level without revoking or reissuing the existing cards.
“Over years you learn about attack scenarios and strive to improve the product family with new security measures,” says Manuel Albers, director of regional marketing for the Americas at NXP. He went on to explain that newer versions of the line are not vulnerable to this attack. But he is emphatic that the Classic products, even if these vulnerabilities hold true, have a viable place in the market.
Albers says that any card issuer must evaluate the security levels and subsequent costs based on the value of the asset being protected. “It is typically the role of the system integrator to strike the right balance between the security measures and the features that are included in the card and the cost of those features … and the features that are included in the overall systems infrastructure,” he says.
In some cases a very expensive and secure card is the right decision, but in other cases it may be overkill.
Nohl suggests that it is both the age of the product and its initial design that cause the vulnerabilities. “While the security is outdated now, it wasn’t even strong to begin with,” he explains, citing “protocol-level mistakes and, in addition, a very weak cryptographic cipher that discloses the secret key.” He found several key vulnerabilities in the chip’s design, including a 48-bit key, a 16-bit random number generator and a weak implementation of the random number generator’s timing.
NXP supports its issuers and adds to product line
“We take those claims very seriously, and we have spent significant time reviewing those attack scenarios,” explains Albers. “We have asked system integrators to evaluate the overall security of their implementations to determine if the security is sufficient for the assets they are protecting.”
In addition, the company is releasing a new product that includes higher security and is backward compatible with the Classic product.
“Our latest addition to the MIFARE portfolio is the MIFARE Plus, positioned between the MIFARE Classic and the DESFire line,” says Albers.
MIFARE Plus has security measures that address these current threat scenarios, but unlike NXP’s high security DESFire product, it works alongside MIFARE Classic products. Thus, MIFARE Classic users can use it in current installations, and it allows the issuer to turn on higher security measures such as AES encryption.
Parts of this story were taken from an article that appeared in the summer issue of Regarding ID.