New research showing that smart cards with encrypted RFID chips might not be as secure as previously thought is raising concerns in Boston, where the subway CharlieCards use just such technology. The research raises the specter of thieves with US$1,000 worth of equipment cracking smart-card encryption and making counterfeit cards to do everything from swipe fares to gain access to high-security areas.
Although University of Virginia student Karsen Nohl and colleagues revealed their findings in December at a conference, a couple of Boston-area media outlets (the Boston Herald and Boston Globe) picked up on the story this week, breathing new life into it. The MBTA, the outfit running the Boston subway system, declined to discuss its security technologies with the Boston newspapers.
The particular RFID chip in question -- the Mifare Classic, of which a billion-plus have been sold -- is made by Philips spinoff NXP Semiconductors, which has been quoted widely saying that only a portion of the cryptographic algorithm has been obtained by the researchers (the researchers have not disclosed their method fully, in an effort to keep those with bad intentions from copying them). Security experts have known all along that such chips, which generally cost less than a dollar, were crackable, but didn't realize it could be so economically feasible.
"People have and will, as we have, taken security expertise from the world of computers and applied it to RFIDs, whose designers had been operating under the assumption that their world was apart from such scrutiny," Nohl said in a statement.
Nohl and colleagues were able to listen to data broadcast by the chips using readily available RFID readers; they then dissected the layers of the chip via custom optical-recognition software to deduce the algorithm and encryption keys.
A video of the researchers' presentation, called "Mifare: Little Security, Despite Obscurity," is available on Nohl's Web page.
On his Web page at the University of Virginia, Nohl humorously reassures that he and his colleagues have not found a way to crack credit-card security: "Please note that we have not compromised the security of credit cards, as some of the articles suggest. From what we can see, RFID-enabled credit cards have no security (yet?), and hence there is nothing to compromise."
Various sorts of encryption have been under the scrutiny of researchers of late, with Princeton University and cohorts recently showing a way to crack disk encryption.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
Fortinet November Threatscape Report Shows Calm Before Holiday Storm 2008-12-05 16:00:00+11
Epicor® Cited as an Order Management Solutions Leader by Independent Research Firm 2008-12-05 15:52:00+11
F-Secure: Growth In Internet Crime Calls For Growth In Punishment 2008-12-05 13:00:00+11
International researchers gather in Sydney to preview the clever web 2008-12-05 09:48:00+11
Borderless corporate networks to shift focus to secure content management in Australia in 2009 2008-12-04 16:06:00+11
Solve Exchange Mailbox Storage Issues Once and for All
Join industry expert Bob Spurzem and Chuck Arconi of Fox Hollow to discover how to reduce Exchange total storage and keep it at a manageable level. Learn how Exchange storage growth can be contained without sacrificing security and accessibility.
Buying Guides
Buying Guides
