While developing an RFID extension for the Koha library catalogue system over the last few months, I’ve learned a lot about I-Code tags and security systems, but I’ve not yet looked into Mifare, which is the other big RFID product line from NXP. I have been seeing several reports of problems with Oyster (which is Mifare-based) and a crack to be published.
I thought Mifare was meant to be a much tougher product than I-Code. I’m surprised and disappointed that NXP’s reaction to a hack was to try to prevent publication. I haven’t heard from any suppliers about vulnerabilities, so I doubt that NXP are passing the message on to all Mifare-operators yet. They should tell Mifare operators so that they can protect themselves. It looks like the head-in-sand approach to security, which is very worrying.
At least one of our RFID systems is Mifare-capable (which is why I think we should have been told about this vulnerability), so I’ll look into that when I get some spare time (March 2012 perhaps?) unless someone points me at a link with juicy details.