A newly disclosed exploit of a widely used RFID smart card shows that attackers can break even the strong encryption algorithms used in “touchless” smart cards with a small investment of time and equipment.
The attack on the MIFARE DESFire MF3ICD40, a widely used RFID smart card, uses a template “side-channel” attack on the card’s crypto, an approach first described in a paper written in 2002.
It requires the attacker to have the card itself, an RFID reader, and a radio probe, said researchers David Oswald and Christof Paar of Ruhr University in Germany.
Using differential power analysis, the attack collects data from the radio-frequency energy that leaks out of the card (its “side channel”). Through this process, Oswald and Paar were able to retrieve the entire 112-bit secret key from the MF3ICD40, which uses Triple DES encryption.
The researchers revealed the exploit to NXP, a subsidiary of Philips Electronics, in April of this year. NXP officials said the company had already planned to cease marketing the card at the end of this year and had been working to move customers to the MIFARE DESFire EV1, an AES-based upgrade to the RFID system. The company also played down the risk to customers, saying the attack requires hours or days of lab time and specific equipment to reproduce, and only reveals a single key.
“The impact of a successful attack depends on the end-to-end system security design of each individual infrastructure and whether diversified keys are being used. If this is the case, a stolen or lost card can be disabled simply by the operator detecting the fraud and blacklisting the card.”
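To make the key-diversification point concrete, here is an added simulation (not code from the researchers or from NXP) that contrasts a system where every card carries the same key with one where each card’s key is derived from a master key and the card UID, and then shows what a single key recovered from one card buys an attacker in each case and how blacklisting that UID contains it. The key-derivation function, the challenge-response and the UIDs are illustrative stand-ins, not NXP’s real diversification scheme or the card’s 3DES protocol.

```python
import hashlib
import hmac
import os

MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample, not a real key


def diversify_key(master_key: bytes, uid: bytes) -> bytes:
    """Per-card key from the system master key and the card UID.
    Illustrative KDF (HMAC-SHA256 truncated to 16 bytes), not NXP's own scheme:
    one recovered card key reveals nothing about the master key or other cards."""
    return hmac.new(master_key, b"card-key|" + uid, hashlib.sha256).digest()[:16]


def card_response(card_key: bytes, challenge: bytes) -> bytes:
    """Proof of key possession; stands in for the card's 3DES challenge-response."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()


class Reader:
    """Reader/back end holding the master key and a blacklist of card UIDs."""

    def __init__(self, master_key: bytes, diversified: bool):
        self.master_key = master_key
        self.diversified = diversified  # False: the same key is written to every card
        self.blacklist = set()

    def key_for(self, uid: bytes) -> bytes:
        return diversify_key(self.master_key, uid) if self.diversified else self.master_key

    def authenticate(self, uid: bytes, respond) -> bool:
        """respond(challenge) -> bytes stands in for the over-the-air exchange."""
        if uid in self.blacklist:
            return False
        challenge = os.urandom(16)  # fresh nonce, so a recorded response cannot be replayed
        expected = card_response(self.key_for(uid), challenge)
        return hmac.compare_digest(respond(challenge), expected)


def containment_demo(diversified: bool) -> dict:
    """Simulate one card whose key was recovered in the lab and report how far
    that single key reaches under each key-management design."""
    reader = Reader(MASTER_KEY, diversified)
    uid_a, uid_b = bytes.fromhex("04a1b2c3d4e5f6"), bytes.fromhex("04112233445566")
    leaked_key = reader.key_for(uid_a)  # the one key the attack yields
    respond = lambda challenge: card_response(leaked_key, challenge)
    result = {"own_card": reader.authenticate(uid_a, respond),
              "other_card": reader.authenticate(uid_b, respond)}
    reader.blacklist.add(uid_a)  # operator detects the fraud and disables that card
    result["after_blacklist"] = reader.authenticate(uid_a, respond)
    return result
```

With `diversified=False` the one recovered key authenticates as any UID, so blacklisting the original card changes nothing for the rest of the fleet; with `diversified=True` it works only for the card it came from, and that card can be disabled.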
Over 3 billion DESFire cards vulnerable to the exploit are in circulation. The DESFire is widely used for transit passes, as well as for authentication and entry systems at thousands of companies. Cards based on the technology have also been widely used by government agencies trying to comply with Homeland Security Presidential Directive 12, which mandates the use of smart cards for access to secure facilities and sets a government standard for smart card interoperability.
The DESFire RFID integrated circuit was the first to comply with that standard, and Philips sold the DESFire cards directly to NASA and the Department of the Interior. Other companies, such as HID Global, have resold the card technology to other agencies and contractors.