Mifare crisis expands
Now that the security breach has been made public, issuers and users of the product are evaluating the consequences. Mifare Classic is widely used, especially for transport systems and for physical access control. NXP says they have sold between 1 and 2 billion chips. Mifare Classic is used as the base for the Oyster Card in London, the CharlieCard for transport in Boston, the OV-Chipkaart in the Netherlands, and for systems in Minneapolis / St. Paul, South Korea (Upass, T-money, Mybi), Hong Kong, Beijing, Milan, Madrid (Sube-T), Australia (Smartrider), Sao Paulo (Bilhete Unico), Rio de Janeiro (RioCard), Bangkok, New Delhi, the Malaysian toll system (Touch'n Go) …
For instance, TranSys, the operator of the London Oyster card, said: "The security of the Oyster system has never been breached. We run daily tests for clone cards or rogue devices and none have been discovered." Security experts insist that the security of a system must be handled as a whole, not just from the card's standpoint. System-level security is at least as important as card-level security.
In the Netherlands, the government has plans to roll out the OV-Chipkaart, a global payment system covering all public transport in the country: buses, subways and trains (cf. SI # 07-26). According to what is planned so far, Mifare Classic is to be used as the base for the OV-Chipkaart. The publicity around the breach of Mifare Classic security has now opened a public debate in the Netherlands. "Politicians are calling for proprietary technology to be replaced by open designs (and open source software) and industry starts working closer with universities and 'hackers' to make current and future systems more secure," said Karsten Nohl.
Karsten Nohl gave some details in an interview with The Tech Herald. NXP claims that security is to be considered at a system level, and that the card algorithm is only one part of the whole security chain. “I am not exactly following NXP's rhetoric in this point. They have different products, many of which are very secure. The security of the particular card we analyzed, however, relies entirely on its cryptography which we found to be weak,” Nohl said when asked about NXP's claim of multiple layers of security and its claim that only part of the algorithm was recovered.
“The Mifare stream cipher is simple and its key is short. This alone should tell anybody that secret keys can be found cheaply. To finally end the discussion about how cheaply exactly, we made public a new attack on the cipher today that exploits its weak structure. Bottom-line: any computer can be used to find secret keys in at most an hour,” Nohl told The Tech Herald in his interview. But, once and for all, was Mifare cracked and the complete algorithm obtained? “We have the complete cryptographic algorithm,” Nohl said.
A potential link between a closed system, like the one run by a transport operator, and an open system, such as a banking card, may create some security issues. In London, the OnePulse card works as a contact banking card, a contactless banking card, and an Oyster Card. But as OnePulse is based on a microprocessor chip and is just emulating Mifare, it remains safe from these attacks. In Boston, the operator is considering using the CharlieCard to grant access to bank accounts in order to allow commuters to pay Mass Pike tolls and park in government-owned areas.
Many Mifare Classic cards are also used for physical security applications: they are used around the world to secure high-level buildings. In a Computerworld article, Ken van Wyk, principal consultant at KRvW Associates, said: "Using it for building locks is the biggy, especially when it's used in sensitive government facilities — and I know for a fact it's being used in sensitive government facilities." Karsten Nohl also insists that the issue may be more important for physical security than for mass transit payment: "Think about chemical waste storage buildings or military facilities. The stakes are a lot higher. If you break in, you don't get a $2 bus ticket, but you get whatever is in that warehouse. These cards are used around the world to secure high-level buildings. All these applications will suffer as soon as somebody with criminal intent finds the details that we have."
Nohl said he can easily scan Mifare Classic-based cards for information. If someone came out of a building carrying a smart card door key, he could walk past them with a laptop and scanner in a backpack or bag and scan their card. He could also walk past the door and scan for data from the reader. Once he has captured information from a smart card and from the card reader on the door, he would have enough information to find the cryptographic key and duplicate a smart card with the necessary encryption information to open the door.
Some press articles were quick to link the compromise of the Mifare Classic algorithm to the security of contactless banking cards. Nohl is very clear on this point: "We haven't compromised anything about credit cards as there is nothing to compromise."
NXP has now announced Mifare Plus, a new product in the Mifare line with an added level of security. NXP says: “The backwards compatibility of Mifare Plus allows for a seamless introduction of cards in existing Mifare Classic implementations. After upgrading the system infrastructure, service operators can easily switch Mifare Plus-powered cards in the field to a higher security level without the need to revoke or re-issue the cards.” This will end up being quite costly for transit operators, as they will need to upgrade their system (which could mean a hardware replacement of the readers) and reissue cards to their users. Operators may well choose to put the upgrade budget towards a complete change of system, either to more secure NXP-based cards or to Sony's FeliCa. NXP says Mifare Classic will be available in Q4/2008.
On its dedicated website mifare.net, NXP has just published two statements, "Information for end users" and "Information for system integrators", in which the company tries to reassure its customers. Extracts from these statements: "NXP has come to the conclusion that two research groups have by now retrieved the algorithm and developed attacks which can be done with faster means of breaking keys than brute force. Although we are trying to prevent this, there is a risk of the full algorithm becoming publicly known." "Although we trust that many systems have implemented effective mechanisms to detect fraudulent cards (which we understand is possible in a number of ways), we are investigating scenarios how Mifare Classic systems can be protected." "It is our assessment that for transport ticketing installations, end-to-end security systems can be designed with the Mifare Classic chip in such a way that the residual risk of fraud not being detected in time can be drastically reduced." "End to end measures should also be applied for access management infrastructures, which are often complemented by additional measures e.g. camera surveillance, security personnel, etc. when valuable assets need to be protected."