Security flaw in Mifare cards
Mark Cottle
ukcrypto at chiark.greenend.org.uk
Mon, 21 Jul 2008 11:37:25 +0100
The BBC is reporting the discovery of a security flaw in the
contactless smartcard system used by Oyster cards.
See:
http://news.bbc.co.uk/1/hi/technology/7516869.stm
When you look deeper it seems this particular exploit might not apply
to the implementation employed in Oyster (I'm not sure because I
don't know it they use the Classic or Ultralight version of the chip)
The researchers who discovered the problem state that:
"Mifare chips are used in the RFID cards for public transport that
are being introduced in the Netherlands, the 'ov-chipkaart'. Mifare
Classic is used in the subscription ov-cards, but the protocol
involved is more complicated than in the building access control
system...and we have not been able to demonstrate an attack on this
system.
An earlier attack by Roel Verdult, student at the Radboud University,
demonstrated the possibility of cloning disposable RFID public
transport cards. These disposable cards use the more basic Mifare
Ultralight chips rather than the Mifare Classic chips."
See:
http://www.ru.nl/ds/research/rfid/
and
http://www.ru.nl/english/general/radboud_university/vm/security_flaw_i
n/
The YouTube demo video is quite a nice illustration - if their kit
could be fitted into something more compact and concealable then it
looks very practical.
Mark Cottle
-----------------