New research showing that smart cards with encrypted RFID chips might not be as secure as previously thought is raising concerns in Boston, where the subway CharlieCards use just such technology. The research raises the specter of thieves with US$1,000 worth of equipment cracking smart-card encryption and making counterfeit cards to do everything from swipe fares to gain access to high-security areas.
Although University of Virginia student Karsen Nohl and colleagues revealed their findings in December at a conference, a couple of Boston-area media outlets (the Boston Herald and Boston Globe) picked up on the story this week, breathing new life into it. The MBTA, the outfit running the Boston subway system, declined to discuss its security technologies with the Boston newspapers.
The particular RFID chip in question -- the Mifare Classic, of which a billion-plus have been sold -- is made by Philips spinoff NXP Semiconductors, which has been quoted widely saying that only a portion of the cryptographic algorithm has been obtained by the researchers (the researchers have not disclosed their method fully, in an effort to keep those with bad intentions from copying them). Security experts have known all along that such chips, which generally cost less than a dollar, were crackable, but didn't realize it could be so economically feasible.
"People have and will, as we have, taken security expertise from the world of computers and applied it to RFIDs, whose designers had been operating under the assumption that their world was apart from such scrutiny," Nohl said in a statement.
Nohl and colleagues were able to listen to data broadcast by the chips using readily available RFID readers; they then dissected the layers of the chip via custom optical-recognition software to deduce the algorithm and encryption keys.
A video of the researchers' presentation, called "Mifare: Little Security, Despite Obscurity," is available on Nohl's Web page.
On his Web page at the University of Virginia, Nohl humorously reassures that he and his colleagues have not found a way to crack credit-card security: "Please note that we have not compromised the security of credit cards, as some of the articles suggest. From what we can see, RFID-enabled credit cards have no security (yet?), and hence there is nothing to compromise."
Various sorts of encryption have been under the scrutiny of researchers of late, with Princeton University and cohorts recently showing a way to crack disk encryption.