Saturday, March 15, 2008

Mifare Hack Demonstrated and NXP Announces New Chips

In light of reports earlier this month detailing vulnerabilities of the Mifare Classic RFID cards, the Dutch Government has now issued a warning that the hack can be accomplished relatively easily. A team at Radboud University Nijmegen has detailed the process in a video published on the University website. This serves to illustrate the relative ease of reproducing the hack.

Of particular interest is the final paragraph from the article on the RFID Update website, which states:

"The long term impact of this hack on the public's perception of RFID security is unclear. It will likely depend on the extent to which nefarious hackers widely exploit the vulnerability."

I believe the long term impact will be determined by how well the public understands both the vulnerability and the proposed solutions, and how well organizations, such as the RFID Security Alliance, communicate the information. Otherwise, it is simply going to remain an opportunity to generate interesting headlines.

As Karsten Nohl, who published the original vulnerability findings, told me:

"So far no nefarious hackers have contacted me to get the details of the cipher and it appears that all academics that share our results will not go out and cause any real-world system to break. After all, this could still take an ok outcome for industry if current systems upgrade reasonably soon. The message that will stick is that RFID aren't some magically secure new technology but rather suffer from the same shortcomings that haunt pretty much any security system."

NXP Semiconductors, the makers of the Mifare chips used in these cards, announced an update to the technology used in the Mifare cards which NXP is referring to as the Mifare Plus. According to the report in RFID Journal, cards using the new technology are backwards compatible with the Mifare Classic system.

Saturday, March 8, 2008

What drives adoption?

I recently read the fascinating document produced by University of Virginia student Karsten Nohl titled "Mifare Security". In this document, Karsten describes some of the issues with the Mifare RFID Security tag, and how Karsten was able to break the security. This has now raised much concern in the city of Boston, which is using such technology for their CharlieCards subway passes, as was pointed out in this article in CSO Online, as well as other articles scattered across the web.

The question I want to ask is what drives an organization, such as Boston's subway system, to adopt RFID technology for their system? Is it convenience? Does it look cool? Do they feel it will save them time and money? Does Mifare have a fantastic sales team? Do they want a more secure system? In other words, what was the ultimate OBJECTIVE of implementing an RFID solution? I am going to make the assumption that the objective was to save money (and saving time is exactly the same as saving money), and I want to know if whoever made the decision to implement the Mifare system created a Threat Model before deciding to build the infrastructure. A good model would address the question "What would it take to break the encryption of the Mifare chip?", which turns out to be about $1000. I would suspect somebody at Mifare knew this, in light of the findings of Nohl, which highlight the inherent weakness of the crypto used in the chips. If this is indeed the case, was Mifare (or whoever sold the Mifare system) forthcoming with this information? Did Mifare prepare their own Threat Model?

What is important to understand is that 100% security is simply not possible, and that is not what the objective should focus on. The objective should be focused on what level of security is required for the specific application. The Mifare technology used in the CharlieCard is perhaps more than adequate for access control in a closed environment (such as inside an office building), where it would be unlikely that someone would bother spending $1000 to crack tags so they can gain access to the executive dining room. Motivations, however, can be quite high when you can recharge subway passes and make several dollars each time you resell one of them to thousands upon thousands of users on the black market. What is even more interesting is the relatively low risk associated with the office building crack (if it happened). There is very little motivation for a cracker to attempt to "market" his crack of office access control passes to the "masses" yearning to enter a controlled area of corporate headquarters, where it is likely an intruder would be discovered anyway, due to the closed nature of the environment.

It all comes down to why you want to adopt the solution, and what risks adoption brings with it. Taking this approach is the first step.