Follow ITProPortal:


Group Demonstrates Security Hole in Oyster Card

With the security of such a costly system called into question, the Dutch government has convened several hearings. Since special RFID card readers designed specifically to talk to the MiFare Classic are deployed in thousands of locations throughout the transit system, switching to a higher-security RFID chip may be difficult and costly.

The idea of keeping secret the design of a security system is known in the trade as "security by obscurity." It almost never works; the secret invariably leaks out and then the security is gone, Evans and Nohl said.

As a result, most security professionals espouse Kerckhoffs's principle, first published by the Dutch-born cryptographer Auguste Kerckhoffs in 1883: a system should remain secure even when everything about its design is public, with security resting only on a secret key. Public review of security designs also tends to catch flaws during the design process, rather than after they have been baked into expensive deployed systems, such as the Netherlands transit system, noted Nohl and Evans.
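The practical meaning of the two previous paragraphs can be shown with a small worked attack. The block below is an added example, not code from the article or from Nohl and Evans' work, and the cipher in it is constructed for the illustration: a 16-bit LFSR stream cipher standing in for a "proprietary" design (it is not MiFare Classic's Crypto-1). While the algorithm is secret, an attacker holding only ciphertext has nothing to work with; once the design is known, the key is the only remaining unknown, and a few bytes of predictable plaintext (a fixed record header, assumed here) let the attacker exhaust the whole key space and read every record. The names `keystream`, `recover_key`, `HEADER` and `SECRET_KEY` are all assumptions of this example.

```python
# Added example (not from the article): a toy "proprietary" stream cipher and
# the known-plaintext attack that becomes cheap once its design is public.
# The cipher is constructed for this illustration and is NOT Crypto-1.

STATE_BITS = 16  # the entire secret once the algorithm itself is known


def keystream(state: int, nbytes: int) -> bytes:
    """16-bit Fibonacci LFSR (taps at bits 0, 2, 3, 5), one output bit per
    clock, packed MSB-first into bytes. The initial state is the key."""
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
            state = (state >> 1) | (fb << (STATE_BITS - 1))
            byte = (byte << 1) | (state & 1)
        out.append(byte)
    return bytes(out)


def encrypt(key: int, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream derived from the key."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt  # XOR stream ciphers are their own inverse


def recover_key(ciphertext: bytes, known_prefix: bytes) -> int:
    """Known-plaintext attack. The attacker knows the algorithm (Kerckhoffs's
    assumption) and the first bytes of plaintext, so the key is the only
    unknown and 2**STATE_BITS trials exhaust it. Because the first 16 output
    bits determine the LFSR state uniquely, two bytes of known plaintext
    already pin down one key; four are used here for margin."""
    target = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    matches = [k for k in range(1 << STATE_BITS)
               if keystream(k, len(known_prefix)) == target]
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} candidate keys; need more known plaintext")
    return matches[0]


# Constructed sample data: a card record whose 4-byte header is fixed and
# therefore predictable to anyone who has seen the format.
HEADER = b"CARD"
SECRET_KEY = 0xBEEF  # assumed key, never given to the attacker
RECORD = HEADER + b"balance=1250;zone=3"
CIPHERTEXT = encrypt(SECRET_KEY, RECORD)


def demo():
    """Attacker side: recover the key from the public header, then read the
    record. Returns (recovered_key, recovered_plaintext)."""
    k = recover_key(CIPHERTEXT, HEADER)
    return k, decrypt(k, CIPHERTEXT)


if __name__ == "__main__":
    k, pt = demo()
    print(f"recovered key 0x{k:04x}, plaintext {pt!r}")
```

The exhaustive search here runs in seconds because the design, once exposed, leaves only 16 bits of secret. A design that follows Kerckhoffs's principle puts all of its strength in a key large enough that the same attack is infeasible (2**128 trials for AES-128), and it loses nothing when the algorithm is published because nothing about the algorithm was ever secret. Crypto-1's 48-bit key space sits uncomfortably between those two extremes, which is part of why reverse engineering the chip was so damaging.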

For the millions of MiFare Classic-based contactless smart cards used in thousands of applications, the research from Nohl's group shows that little now stands in the way of further breaks. Other RFID chips that rely on similar proprietary encryption are likely to be similarly vulnerable, said Nohl, who is currently investigating such chips.

If more consumers understand the fundamental flaw of "proprietary security algorithms" and other marketing-speak that touts what amounts to security by obscurity, then manufacturers may start opening up more of their security designs to the light of public scrutiny, which will ultimately result in better security in our digital age.

At least that's the hope of Nohl, Evans and others.


Desire Athow