Intelligent Machines

Picking Pockets, Wirelessly

The world’s most popular wireless smart card can be copied.

The world’s most popular wireless smart card has had a rough couple of years. The Mifare Classic, which is used in public-transit systems all over the world and to control access to many offices and buildings, has been the subject of intense scrutiny from security researchers. Last February, researchers from the University of Virginia cracked the encryption used to protect data on the card. Then, in August, a team from MIT showed how to get free rides on the MBTA transit system by exploiting weaknesses in the card. However, in both cases, physical access to the targeted card was required.

Next week, at the IEEE Symposium on Security and Privacy, in Oakland, CA, researchers from Radboud University, in the Netherlands, will demonstrate a new, even easier way to steal data from the smart card. Their attack, which requires only a cheap, off-the-shelf card reader and an ordinary computer, can pull sensitive data out of a card in less than a second–even if the attacker has no physical access to the card.

The attack builds on previous research and takes advantage of newly discovered flaws in the card’s design, explains Peter van Rossum, an assistant professor of computer science at Radboud. Key to the exploit is the way that the smart card communicates with a wireless reader. The radio signal received by the card provides it with enough power to respond. But both the card and the reader have to first prove their identity by sending a secret key.

The researchers use an off-the-shelf reader to make a series of strategic requests of a card. As the card tries to determine whether it should trust the reader, it inadvertently reveals enough information for the attacker to guess the correct secret key. Because so much information about the Mifare Classic is already publicly available, van Rossum believes that an attacker could pull together the necessary knowledge and equipment within a matter of weeks.

Van Rossum says that an attacker would most probably perform the attack on a card that she already owns–for example, to increase the balance on her subway card. But he says that being able to perform the attack wirelessly raises the possibility that the attacker could copy someone else’s card to gain unauthorized access to a building, for example.

“Previously, the nail was in the coffin. Now, this puts the coffin in the ground and buries it,” says Tadayoshi Kohno, an assistant professor of computer science at the University of Washington, in Seattle. He says that previously, some have claimed that it would be difficult to pull off an attack against the card in practice. Kohno hopes that this new work will put remaining objections to rest by showing how easy and inexpensive an attack can be.

“Apparently, nothing short of real-world hacks will convince operators to upgrade to better technology,” says Karsten Nohl, a security researcher now based in Berlin who reverse-engineered the algorithm inside the Mifare Classic while at the University of Virginia. “Now that the paper detailing a very practical attack is released, it won’t take long until we see many Mifare-based security systems being exploited.”

Last year, NXP, the company that makes the Mifare Classic, sued Radboud University in an attempt to stop the researchers from publishing their discoveries about the smart card. That effort failed, and the company, which coincidentally has offices near the university, is now working with the researchers to improve the security of the Mifare Plus, a successor to the Mifare Classic. Fixing all of the Mifare Classic’s security holes would require replacing infrastructure, according to van Rossum, but improvements can be made to the design of the Mifare Plus so that it will work with existing infrastructure in a more secure way.

Van Rossum is most concerned about hackers gaining access to important buildings. He says that since there is no fix for existing Mifare Classic infrastructure, companies and organizations that use the cards should improve other security practices that supplement the cards.

Tech Obsessive?
Become an Insider to get the story behind the story — and before anyone else.

Subscribe today

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe and become an Insider.
  • Insider Premium {! insider.prices.premium !}*

    {! insider.display.menuOptionsLabel !}

    Our award winning magazine, unlimited access to our story archive, special discounts to MIT Technology Review Events, and exclusive content.

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

    Access to the Magazine archive. Over 24,000 articles going back to 1899 at your fingertips.

    Special Discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

    First Look. Exclusive early access to stories.

    Insider Conversations. Listen in as our editors talk to innovators from around the world.

  • Insider Plus {! insider.prices.plus !}* Best Value

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus ad-free web experience, select discounts to partner offerings and MIT Technology Review events

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

    Access to the Magazine archive. Over 24,000 articles going back to 1899 at your fingertips.

    Special Discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning magazine and daily delivery of The Download, our newsletter of what’s important in technology and innovation.

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.