A trio of hackers led by a University doctoral student in computer engineering has cracked the security code of a popular smart card that uses radio-frequency identification, or RFID.
Karsten Nohl, whose research focuses on cryptographic algorithms for computer security, says they were able to decode one particular RFID chip, the MiFare Classic, using readily available equipment costing less than $1,000. The chips are in millions of subway passes, such as the Boston T’s CharlieCard and London’s Oyster Card, and are used in building access cards. After the trio announced their findings in December, at the Chaos Communications Congress in Berlin, they received worldwide media attention and the Dutch authorities temporarily halted a planned rollout of a nationwide transportation card based on the chip.
Although its reliability and low cost make it one of the world’s most popular security card chips, the MiFare Classic’s weak encryption leaves it vulnerable. Once decrypted, the cards can be easily counterfeited. Nohl says that he would only need a laptop, an RFID scanner and a few minutes to get the cryptographic key to an RFID door lock.
“These cards might have been OK years ago, when computers were much slower,” says Nohl. “But for about a dollar more per card, the companies and agencies that buy these cards can get more secure ones.”