It was only a matter of time...
Back in late December two German hackers, err, sorry, researchers demonstrated the reverse engineering of the MiFare RFID tags. Their work allowed them to understand the encryption system used to secure the cards and that there were physical limits to the strength of that encryption due to the limited power source available. Anyway, they kept the details of the system a secret, but now more has come out and a lot of people are in damage control mode re this.
There is a good summation and videos of the hack here.
Other than lots of building security, MiFare is also used on bus and train ticketing around the world and is also the basis of the new ticketing system costing, by press reports, $1 billion here in Victoria. That system now appears to be hacked before it is released, with card readers now in place.
http://www.doi.vic.gov.au/doi/doielect.nsf/2a6bd98dee287482ca256915001cff0c/ac07216c69b6de8bca25703c0009de27/$FILE/Kamco%20Consortium%20Profile.pdf
It was worth the time spent watching. It just goes to show that what you are told and what the real facts are are never quite the same when it comes to marketing propaganda. I loved the bit on the random generators.
You have to take your hat off to the team that achieved the result, and on such a small budget compared to what it must have cost to originally develop.
Their comment that it would be time to migrate before they release all of the details next year was priceless.
Excellent post SystemRat
Now if we can just get them to do an Austar chip
Makes me wonder why the company responsible for the sale and manufacturing of these security MiFare RFID tags didn't approach the hackers... MMM, researchers, and recruit them to their organization, paying top dollar of course, to be security consultants instead of letting them destroy their business before it was too late.
When you do things right, people won't be sure that you have done anything at all
The card maker is Philips Electronics (radio, TV and semiconductors). To make matters worse, a Dutch university has repeated the hack independently of the two German guys.
The real problem is that there is a limited amount of power available to run the crypto circuitry on the card, so the algorithm used is nowhere near as strong as 3DES or AES. The strength of the system is the obscurity of the algorithm used, which it appears can be obtained by carefully stripping the chip layer by layer. Most modern smartcards are protected against that attack to an extent by interconnected layers and special protective coatings to prevent electron microscope reverse engineering.
I was lucky enough to see an IC running under an electron microscope at Telstra's research labs. First they stripped the outer case with hydrofluoric acid and then carefully stripped the glass layer off the top of the chip.
It was then operated at a low clock rate under the electron microscope. You could see the path of each signal through the chip as the active section lit up. That was pretty cool. Pity I can't try running a couple of smartcards through that process, but I doubt it would work on these, or else our Chinese and Russian friends would be flooding the market with Gamma-like cards.
Now that would be the coolest thing to see
Has anyone made a video of it that you have seen on the net?
It was very cool indeed. It was said that they stripped down stuff they bought a lot of to QC it before releasing it to the field.
I managed to find this site with a couple of short videos on it. The second one, "slow the chip down", is close to what I was lucky enough to see.
I am not sure if the research labs are still there or not now, but they had the very best toys money could buy. Problem was, to work there you needed a better than average PhD or above to even sweep the floors.
Edit: Not that I like Telstra much, but sadly it seems it's gone.
Thank god there are still places like CSIRO and DSTO in Oz.
Damn, makes you wonder why we aren't all carrying around an "Australia Card"
That little bugger could've changed the world back in the 1990s; visions of rampant Medicare / CES / Centrelink fraud come to mind.
Hehehe, if you are >30 years old you'll understand what the Australia Card is / was.
A little green paint on a "gold" card and you can become the prime minister.
Thanks SystemRat
The slow clip was fantastic. How many times magnification do you think they had the electron scope set to, to see that so clearly?
Well, I've been following this Mifare story for a while and now I think it's time to chuck in my conspiracy theory. I believe the resources required by the researchers to hack the card were deliberately leaked by NXP (Philips) themselves. This theory is based on the following notions:
1. I find the possibility of decoding a chip's security algorithms by slicing the silicon wafer and examining the layers to be somewhat far-fetched.
2. Mifare Classic technology has been around for a while now and has fairly good market penetration in the contactless industry. However, Mifare DESFire is now on the scene, and if NXP could "scare" everyone into migrating their contactless applications to the DESFire platform, NXP's sales of DESFire cards would go through the roof.
Did you see this presentation on how the two German guys did it?