Are smart cards insecure if Mifare Classic RFID encryption is cracked?

Are smart cards insecure if Mifare Classic RFID encryption is cracked?

I recently read that the encryption on the Mifare Classic RFID technology has been cracked. Since Mifare is used in millions of smart cards, is this a legitimate concern for enterprises? Does it put the future security of smart cards or RFID in jeopardy?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

The cracking of a widely used smart card, like those with the Mifare Classic RFID chip, is definitely a cause for concern. It could expose facilities worldwide to malicious access, since 1 billion passes have been distributed outside its original base in the Netherlands.

But the issue goes far beyond the Mifare chip to the security of smart cards and RFID chips in general. The technology definitely has some security chinks in its armor, but it would be premature to say it's in jeopardy because of security issues. The technology is growing in popularity and ease of use, but its security isn't quite mature yet.

Smart cards and RFID chips, on the surface, are supposed to be stronger forms of authentication than, say, user IDs and passwords, which are easy to steal and guess. But on the other hand, the chips on cards also have weaknesses. Over the past two years, several researchers in the UK, Germany and the Netherlands have designed ways to clone chips and cards, steal data from radio signals emanating from RFID chips or break the encryption algorithms on chips. In some cases, they've used homemade devices that can be cheaply constructed from readily available materials.

RFID chips have been criticized heavily as being the most exposed. The chips are now used on credit cards and some U.S. passports, opening up users to potential credit card fraud or identity theft. The issue is that signals from RFID chips frequently aren't encrypted and can be easily captured by readers. Someone with an RFID credit card in their wallet could unwittingly lose his or her account number just by walking past a malicious reader a few feet away.

The other issue with both smart cards and RFID chips is that they can only hold a limited number of encryption keys due to their small size and capacity, making their algorithms susceptible to cracking.

The security issues that need to be resolved are encryption of RFID signals, shielding of RFID signals from malicious access and better encryption of chips on smart cards. Until then, simply cutting out the chips on credit cards could make them inoperable and would invalidate a passport. But despite those challenges, security is still playing catch up as the technology's usage and popularity continues to grow.

More information:

This was first published in August 2008