While developing an RFID extension for the Koha library catalogue system over the last few months, I’ve learned a lot about I-Code tags and security systems, but I’ve not yet looked into Mifare, which is the other big RFID product line from NXP. I have been seeing several reports of problems with Oyster (which is Mifare-based) and a crack to be published.
I thought Mifare was meant to be a much tougher product than I-Code. I’m surprised and disappointed that NXP’s reaction to a hack was to try to prevent publication. I haven’t heard from any suppliers about vulnerabilities, so I doubt that NXP are passing the message on to all Mifare-operators yet. They should tell Mifare operators so that they can protect themselves. It looks like the head-in-sand approach to security, which is very worrying.
At least one of our RFID systems is Mifare-capable (which is why I think we should have been told about this vulnerability), so I’ll look into that when I get some spare time (March 2012 perhaps?) unless someone points me at a link with juicy details.
Loading ...
4 comments so far
1 James Taylor // Aug 7, 2008 at 9:30 am
Lo Sleffy.
The Mifare crack is’nt as bad as the media is raving about. What has happend is that they have managed to crack the basic cryptography in the Mifare chip – which means you might be able to read the data on the Mifare cards.
Most implementations of systems using Mifare however use both a server component as well as the on-tag component – where Mifare is designed to have the value stored on the card, in the Oyster system, this is true, but they also store the value on the Server.
When you are using offline nodes, it decrements the value until you run through an “online” node, where the server gets linked. If you use a cloned card, then the system will detect whenever you go through an “online” node – and in Oyster, most of the nodes are online iirc.
The Mifare cracking dosn’t make mifare solutions insecure – hell, a lot of solutions using mifare tags actually have their data readable with publically known keys.
Whats made matters worse is that NXP has always been very secretive about how their Mifare cryptography works – I believe this is what stopped them getting their Mifare card accepted as NFC Type A(?) compatible, and also now, its caused this media backlash against them.
Best Regards
JT
2 James Taylor // Aug 7, 2008 at 11:39 am
I’ld like to append http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9069558 is a relativly good article on how/what the crack actually is.
3 MJ Ray // Aug 12, 2008 at 10:18 am
Thanks for that JT! It gives me a bit more info, but also confirms what I suspected about NXP being a bit secretive.
4 MJ Ray // Aug 18, 2008 at 7:27 pm
Someone sent me this PDF of a Defcon presentation about fare card cracking http://tinyurl.com/63sbxm