Group Demonstrates Security Hole in Oyster Card
10 March, 2008
But in other more demanding applications — including credit cards, car keys, high-dollar event tickets, subway fare cards and high-security building access control keycards — the RFID's information is encrypted to prevent it from being read and potentially exploited by anyone with an RFID reader device.
Nohl and his collaborators broke the encryption on one particular RFID chip – the MiFare Classic, created by Philips, the global electronics giant. First introduced in 1994, sales in the intervening 13 years have purportedly made it the most popular single RFID chip for security applications in the world, with over a billion sold worldwide, according to NXP Semiconductors, the Philips spin-off that now manufactures the chip.
Thanks to their low cost (around 50 cents apiece) and reliability, MiFare Classic chips are used in thousands of applications, in smart cards and tickets with dozens of different brand names. The MiFare Classic chip is used by millions of people to pay fares on several major mass-transit systems around the world, including the London Underground (known there as the Oyster card) and the Boston subway (where it's called the CharlieCard). A similar RFID chip from Philips powers some keyless car entry systems.
The first barrier to breaking the encryption of RFID chips like the MiFare Classic was being able to "listen" to the information that such chips broadcast, in encrypted or unencrypted form. Until 2006, one could not buy an RFID reader that could "read" the information from any RFID. All prior RFID readers were quite specialized, like an FM radio that could only listen to one station.
The advent in 2006 of affordable (under $150) and commercially available RFID readers was the beginning of a new era of scrutiny — and vulnerability — of the security used in RFIDs.
Nohl and his collaborators broke the encryption on one particular RFID chip – the MiFare Classic, created by Philips, the global electronics giant. First introduced in 1994, sales in the intervening 13 years have purportedly made it the most popular single RFID chip for security applications in the world, with over a billion sold worldwide, according to NXP Semiconductors, the Philips spin-off that now manufactures the chip.
Thanks to their low cost (around 50 cents apiece) and reliability, MiFare Classic chips are used in thousands of applications, in smart cards and tickets with dozens of different brand names. The MiFare Classic chip is used by millions of people to pay fares on several major mass-transit systems around the world, including the London Underground (known there as the Oyster card) and the Boston subway (where it's called the CharlieCard). A similar RFID chip from Philips powers some keyless car entry systems.
The first barrier to breaking the encryption of RFID chips like the MiFare Classic was being able to "listen" to the information that such chips broadcast, in encrypted or unencrypted form. Until 2006, one could not buy an RFID reader that could "read" the information from any RFID. All prior RFID readers were quite specialized, like an FM radio that could only listen to one station.
The advent in 2006 of affordable (under $150) and commercially available RFID readers was the beginning of a new era of scrutiny — and vulnerability — of the security used in RFIDs.
Recommended Articles
blog comments powered by Disqus
