
Even as RFID tech grows more and more ubiquitous, fears about its safety and security haven't dwindled -- which is why we're just disappointed, not surprised, to learn that over 1 billion RFID cards based on the Mifare Classic RFID chip are now at risk. Two different teams of security researchers managed to crack the encryption on the cards, which form the basis of a national payment system in the Netherlands and are used widely in other applications around the world. With the encryption broken, hackers can now make perfect clones of the cards, spoiling all that radio-frequency fun. There's no word on how easy that actually is yet, however -- one of the two hacks will be demonstrated later this week, and the other is being kept secret -- but still, it might be time to go back to cash and bump-proof locks, eh?
Reader Comments
Graham @ Mar 13th 2008 8:25AM
How about *all* RFID vulnerable to hacks. No matter who it's made by or what design, it's still just another electronic device. No matter how much security they think they put into it, there will always be someone who can break through it.
wazzup @ Mar 13th 2008 8:35AM
As with all things digital (and some not): it's hackable.
Even the best encryption has some vulnerability to a hack of some sort, whether it's a digital attack or a physical misuse of the process using the tech.
Marcus @ Mar 13th 2008 12:28PM
Now if only someone can hack my Oyster Card to give me unlimited travel on the London Underground...
Sasha S. @ Mar 13th 2008 8:30AM
Correction: Those cards DO NOT form the national payment system in The Netherlands. They were intended to be used as a contactless ticket in our future national public transport system (in Dutch: OV Chipkaart). This system is in the advanced stage of being deployed.
Also, many Dutch companies use this type of card for access to their buildings.
The supplier of this type of card - the company NXP (formerly Philips Semiconductors) - has been notified. So far - no official reaction. In the meantime, many Dutch companies and all government buildings have placed extra humans to check on all people entering and exiting.
Mickel @ Mar 13th 2008 9:03AM
Good ole' Philips eh!? Some really smart guys used to work there. I guess they dropped the ball on this one.
Now I'm just waiting until retailers start tagging their products with RFID and using them for checkout. Ah, the joy of getting something cheap! Must be the Dutch guy in me.
Ari Moshe @ Mar 13th 2008 8:36AM
The real question is: how close does one need to be to the card to perform this?
dan2600 @ Mar 13th 2008 9:16AM
Since RFID is passive, it is really only limited to the power of the "reader". Similar to the Bluetooth cannon, many have made RFID "guns" that can read them from several hundred feet away.
Googled example:
http://www.iautomate.com/r500sp.html
In my opinion RFID is a stupid technology that should be phased out for anything that requires encryption.
Cyco @ Mar 13th 2008 8:39AM
Bad news for RFID is good news for Humanity.
Jeebus @ Mar 14th 2008 1:37PM
How did you get "Highly Ranked" with such a nonsensical comment?
Cyco @ Mar 17th 2008 5:08AM
Because Jesus loves me...
DorianGray @ Mar 13th 2008 8:39AM
I worked for an Intelligence Community Agency for a few years. Government has known about the serious potential for security problems with this technology pretty much since its inception. That said, there was no comparable technology that was equally or more secure *at the time*. Bear in mind, by the time the general public sees these types of technology -- by the time they begin to become ubiquitous -- they've been under development for upwards of five years to a decade. Given what was known then and the development timeline & milestones, the tech seemed like a winner -- espec. compared with alternatives. The design specs called for security *combined with* proximity ID ability *and* exceedingly low cost. It met two of the three requirements early, with clear and seemingly achievable milestones for security equivalent to smartcard (PKI) technology.
I just wanted to pre-empt the sh|tstorm that was about to be leveled against the gov't. The people who make decisions are not as inept as we're sometimes led to believe. Occasionally, they make decisions based on incomplete information and the promises of "the experts". And occasionally they get burned.
Five years ago, RFID was the shiznit; its developers swore up and down that the security kinks could be pounded out within the next few years -- definitely by primetime.
Mm-hmm.
wazzup @ Mar 13th 2008 8:48AM
I think you just invited a sh|tstorm. Good luck :D
But then, to your credit, I did actually read your REALLY long comment to the end. Even though I got bored halfway ... *yawn* need a snooze now. *snore*
DorianGray @ Mar 13th 2008 9:18AM
@wazzup
Dude, I work for gov't. This was the Executive Summary. You shoulda seen the long version...
m.edgar @ Mar 13th 2008 10:41AM
They were inept; they should have realised that 'contactless' was a stupid, unsecurable idea which meant easy identity theft.
Many of the problems of RFID in security documents can be solved by using chips which require contact between chip and reader.
RFID is still pretty neat for some purposes, like supply chain monitoring.
emailtabs @ Mar 13th 2008 8:54AM
Someone can copy my Oyster card, eh! They're welcome to my £1.50
(and no, you can't have it and I'm not gonna send it to someone more deserving than me; I was commenting on the amount of money on each card and how many they would have to copy to get a decent return on their investment. I presume the kit will cost a fair bit in both time and money)
Thank god I stopped myself short of getting one of the Oyster/credit-card hybrids from Barclays. Would have been really screwed then!
Exile @ Mar 13th 2008 10:14AM
London underground staff have special cards that give them unlimited travel. Sniff out one of those, then you'll be able to clone the card and get free unlimited travel!!
Would save me a few thousand pounds a year I can tell you!
emailtabs @ Mar 13th 2008 10:26AM
Mmmmmm, cunning plan, sire. You sort out the kit and I'll swipe me some cards.
bob sakamano @ Mar 13th 2008 9:27AM
My imagination of Nilay in real life...
"Nilay Patel do you take this woman to be your lawfully wedded wife?"
"I do, Eh?"
Sedje @ Mar 13th 2008 5:07PM
Video of the Radboud University @ http://www.youtube.com/watch?v=NW3RGbQTLhE