Boston Globe: T card has security flaw, says researcher
6 March 2008The Boston Globe has a story about Karsten Nohl’s work on cryptanalyzing the Mifare Classic: T card has security flaw, says researcher: Cracked code could lead to counterfeits, study team warns.
A computer science student at the University of Virginia asserts that he has found a security flaw in the technology behind the Massachusetts Bay Transportation Authority’s CharlieCard system.
German-born graduate student Karsten Nohl specializes in computer security. Nohl and two fellow security researchers in Germany say they’ve cracked the encryption scheme that protects the data on the card. The team warns that their breakthrough could be used to make counterfeit copies of the cards, which are used by commuters to pay for MBTA bus and subway rides.
… Nohl said that his team needed only about $1,000 worth of equipment to dismantle the chip and crack the code.
Nohl said that the RFID chip they compromised, the MiFare Classic by NXP Semiconductors of the Netherlands, is the one used in London’s subway system and in the MBTA CharlieCard. But MBTA spokesman Joe Pesaturo refused to confirm or deny this. “It’s MBTA policy not to discuss security measures around its smart card technology,” he said.
A 2004 policy analysis of the CharlieCard system produced by the Massachusetts Institute of Technology said that it would be based on MiFare technology.
NXP Semiconductors issued a statement saying that Nohl’s team breached only one of several security features built into the MiFare Classic chip. “This does not breach the security of the overall system,” the company said. “Even if one layer were to be compromised, other layers will stop the misuse.”
Evans said it might be hard to solve the issue. “There are chips that have a much higher security level available,” he said. “They cost more and it is not a trivial matter to upgrade the system.”
Ari Juels, chief scientist and director of computer security company RSA Laboratories in Bedford, said that Nohl’s research illustrates that there are serious security flaws in many smartcard applications. “The vulnerability is most certainly for real,” Juels said.
I’d be very curious to hear about those mysterious “other layers” the NXP spokesperson is talking about. Perhaps they are using the same amazing “extensive security mechanisms operating behind the scenes” that Facebook’s chief privacy officer was talking about here.