RFID Asia :: Radio Frequency Identification (RFID) Community in Asia


        

NXP's MIFARE Security Risk Due to Defective Chip

 

Monday, July 28, 2008
by Adi Tedjasaputra

RFID security experts have revealed that MIFARE Classic from NXP Semiconductors poses a security risk. The ICs, which according to NXP's website are used in more than 1 billion contactless smart cards worldwide, rely primarily on the 48-bit MIFARE Crypto-1 algorithm, which is more than a decade old, to protect contactless smart card applications from cloning attempts and unauthorized access. After failing to stop publication of its cracked algorithm, NXP urges customers using any systems embedded with the ICs to upgrade or switch to a completely different chip with a higher security level.

When researchers of the Digital Security group at Radboud University Nijmegen in the Netherlands exposed the security flaw in MIFARE Classic, NXP reacted by taking the researchers to court in an effort to stop the publication of a research paper detailing the flaw, which is to be presented at ESORICS 2008 in Malaga, Spain, this October.

A couple of weeks ago, a district court in Arnhem decided to overturn NXP's injunction to stop the publication. The court took the view that publishing the paper detailing MIFARE Classic's security flaw does not result in damage to NXP. The production and marketing of the defective chip is NXP's own responsibility, according to the court ruling. The original court decision (in Dutch) is available for download.

The court decision has forced NXP to advise customers using MIFARE Classic chips to either upgrade their systems or switch to a completely different chip with a higher security level. All systems using the chips, such as the Oyster cards of London's transport network and the SmartRider of Perth's transport network in Western Australia, are affected by the security risk.

The revelation, however, does not seem to have shaken the confidence of London's transport network authority, with its 17 million Oyster cards. Quoted by BBC News, a spokesman for Transport for London said: "Transport for London remains confident in the security of the Oyster card system. We take fraud and the security of personal data extremely seriously and constantly review our security procedures."

He added: "Any fraudulent card would be identified within 24 hours of being used and blocked. Using a fraudulent card for free travel is subject to prosecution and we would seek to enforce this wherever possible."

The statement came one week after thousands of London commuters were unable to use their Oyster cards due to a computer system crash. Unfortunately, the system crashed again a few days ago.

Besides transport networks, many organisations have also deployed systems based on the chip to secure entry into buildings, including military installations. Recognizing the security risk posed by the chips, one European country brought in soldiers last March to guard some government facilities that use the MIFARE Classic chip in their smart door key cards.

The writer is the Founder of RFID Asia - The Prominent RFID Community in Asia.

