Archive for March, 2008

Boston Globe: T card has security flaw, says researcher

Thursday, March 6th, 2008

The Boston Globe has a story about Karsten Nohl’s work on cryptanalyzing the Mifare Classic: T card has security flaw, says researcher: Cracked code could lead to counterfeits, study team warns.

A computer science student at the University of Virginia asserts that he has found a security flaw in the technology behind the Massachusetts Bay Transportation Authority’s CharlieCard system.

German-born graduate student Karsten Nohl specializes in computer security. Nohl and two fellow security researchers in Germany say they’ve cracked the encryption scheme that protects the data on the card. The team warns that their breakthrough could be used to make counterfeit copies of the cards, which are used by commuters to pay for MBTA bus and subway rides.

… Nohl said that his team needed only about $1,000 worth of equipment to dismantle the chip and crack the code.

Nohl said that the RFID chip they compromised, the MiFare Classic by NXP Semiconductors of the Netherlands, is the one used in London’s subway system and in the MBTA CharlieCard. But MBTA spokesman Joe Pesaturo refused to confirm or deny this. “It’s MBTA policy not to discuss security measures around its smart card technology,” he said.

A 2004 policy analysis of the CharlieCard system produced by the Massachusetts Institute of Technology said that it would be based on MiFare technology.

NXP Semiconductors issued a statement saying that Nohl’s team breached only one of several security features built into the MiFare Classic chip. “This does not breach the security of the overall system,” the company said. “Even if one layer were to be compromised, other layers will stop the misuse.”

Evans said it might be hard to solve the issue. “There are chips that have a much higher security level available,” he said. “They cost more and it is not a trivial matter to upgrade the system.”

Ari Juels, chief scientist and director of computer security company RSA Laboratories in Bedford, said that Nohl’s research illustrates that there are serious security flaws in many smartcard applications. “The vulnerability is most certainly for real,” Juels said.

I’d be very curious to hear about those mysterious “other layers” the NXP spokesperson is talking about. Perhaps they are using the same amazing “extensive security mechanisms operating behind the scenes” that Facebook’s chief privacy officer was talking about here.

U.Va. student, hackers crack credit card security code

Sunday, March 2nd, 2008

The Daily Press (Hampton Roads, Virginia) has a story about Karsten Nohl’s cryptanalysis work: U.Va. student, hackers crack credit card security code, March 1, 2008. It is currently #7 on their list of most popular stories (but I doubt it will overtake this story: Here’s a guy who takes his beer seriously).

[Added 2 March] Also reported by WTOP (Washington DC), Examiner.com (Norfolk, Virginia), Richmond Times-Dispatch, WVEC-TV (ABC in Norfolk), The Washington Times, WAVY-TV, WSLS (Roanoke), Culpeper Star Exponent, and WVIR NBC-29 (Charlottesville).

Privacy, Security, and Social Networking APIs

Saturday, March 1st, 2008

Dr. Dobb’s has an article on Adrienne Felt’s work: Privacy, Security, and Social Networking APIs

Do social networking users need to worry about privacy and security? You bet, says CS student.

Facebook, the social networking platform that has redefined communications, has millions of users. And according to University of Virginia computer science major Adrienne Felt, all of these users should be concerned about security.

… Felt’s goal is to make users more aware of how their private information is being used — and to close this privacy loophole.

She has developed a privacy-by-proxy system — a way for Facebook to hide the user’s private information, while still maintaining the applications’ functionalities. Under Felt’s system, at the point at which the Facebook server is communicating with the application developer’s server, the Facebook server would provide the outside server with a random sequence of letters instead of the user’s name (and other personal information).
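A minimal sketch of the privacy-by-proxy idea described above, added here as an illustration; it is not Felt's or Facebook's code. The class and function names, the `{{token}}` placeholder syntax, the per-application tokens and the render-time substitution step are all assumptions made for the example.

```python
import re
import secrets
import string

TOKEN_RE = re.compile(r"\{\{([a-z]{16})\}\}")  # hypothetical placeholder syntax

class PrivacyProxy:
    """Platform side: hands apps random letter strings, keeps the real values."""

    def __init__(self, profiles):
        self._profiles = profiles   # user_id -> {field: real value}
        self._by_key = {}           # (app_id, user_id, field) -> token
        self._by_token = {}         # token -> (app_id, user_id, field)

    def token_for(self, app_id, user_id, field):
        """What the application developer's server receives instead of the value."""
        key = (app_id, user_id, field)
        if key not in self._by_key:
            token = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
            self._by_key[key] = token
            self._by_token[token] = key
        return self._by_key[key]

    def render(self, app_id, markup):
        """Fill in real values in the app's output before the user sees the page."""
        def resolve(match):
            owner = self._by_token.get(match.group(1))
            if owner is None or owner[0] != app_id:
                return "[hidden]"   # unknown token, or one issued to another app
            _, user_id, field = owner
            return self._profiles[user_id][field]
        return TOKEN_RE.sub(resolve, markup)


# Constructed sample data, not taken from the article.
PROFILES = {1001: {"name": "Alice Example"}}

def demo():
    proxy = PrivacyProxy(PROFILES)
    quiz_tok = proxy.token_for("quiz_app", 1001, "name")
    game_tok = proxy.token_for("game_app", 1001, "name")
    # The quiz app's output uses its own token plus one issued to another app.
    page = proxy.render("quiz_app", "Hi {{%s}}, rival: {{%s}}" % (quiz_tok, game_tok))
    return quiz_tok, game_tok, page

if __name__ == "__main__":
    print(demo())
```

Because tokens are issued per application, two applications cannot join their records on the same user, and a token copied from another application does not resolve.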