Security of MIFARE Classic
Introduction
NXP Semiconductors is aware of the fact that several research groups have retrieved the algorithm and developed attacks to break keys of MIFARE Classic-enabled cards. Amongst others there are the group around Karsten Nohl and Henryk Ploetz, who initially presented the reverse engineering of MIFARE Classic chips in December 2007 at the 24th Chaos Computer Congress in Berlin, the IT security specialists from the Radboud University of Nijmegen as well as Nicolas T. Courtois from the University College London.
The Radboud University Nijmegen presented a publication during a conference on October 6th 2008, with information on how the protocol and algorithm were reverse engineered and the description of some practical attacks which can be carried out with limited means. Henryk Ploetz and others have also posted documents on the internet containing detailed information which significantly facilitate attacks on cards and infrastructures using MIFARE Classic. NXP is trying to prevent these publications but due to the nature of internet it is to be expected that such an effort does not meet much success.
System integrators therefore have to reconsider whether they have implemented appropriate security measures for the use of the MIFARE Classic card for applications that need security. In any scheme, it is the overall end-to-end system security that should be taken into account. The security of a system must not be restricted to the individual components. It is also essential to ensure that the individual components are used in the right way to prevent some attacks on the system.
For every application the actual security requirements need to be specified, along with the needed security level for those targets. When the security requirements for the system are known, the actual threats and required countermeasures can be determined.
MIFARE Classic vulnerabilities
One of the protection elements of the MIFARE Classic card has been the confidentiality of its cryptographic algorithm.
If the algorithm were to be known, it can be exploited in an attack with the respective expertise. Researchers of the Radboud University have used knowledge of the algorithm to develop attacks to retrieve the keys and the data that is stored on the MIFARE Classic card. As attack software is now publicly accessible on the internet, we expect that attack equipment will become available soon in order to facilitate a variety of attacks on MIFARE Classic infrastructures.
These attacks would allow that:
- Through overhearing successful communications between the reader of an existing infrastructure and a valid card, the data and/or the keys involved in that transaction could be read
- While overhearing failed communications between the reader of an existing infrastructure and any card, the key used by the reader during that transaction could be retrieved
- These attacks could be carried out in minutes or less and with means involving a laptop and equipment which can be built with limited material cost (100 Euros)
- Card only attacks are possible in lab environments and at considerable precalculation time. This is expected to further evolve into an attack that does not need lab conditions and may require less precalculation time.*
- In one particular "card only" attack, all keys and data can be retrieved within seconds using a laptop and some low value equipments. In this attack, the attacker needs to have a certain knowledge about the card.*
Although a residual risk remains, there are techniques and countermeasures to detect cards and data which have been tampered with, some of which are described in the confidential application notes published by NXP. We are happy to provide such application notes to the interested parties (such as system integrators and service operators) under a Non-Disclosure Agreement.
* (The vulnerabilities are courtesy to Radboud University Nijmegen, who have given early warning to NXP in order to allow timely communication such that system integrators can take measures).