Via comp.risks, across the wire the electric message came: German students crack encryption on over 2bn RFID smartcards made by NXP Semiconductor. The cards in question are NXP’s MiFare Classic type, and are used for public transport... but also for access control in sensitive government installations, it turns out. Inevitably, NXP threw up its hands – who could have imagined anyone would use our product against the label?
What is especially interesting is that an unnamed European country has placed troops at facilities that were supposedly secured by MiFare RFID locks; it’s a real HALTING STATE moment. Time to break out the sealed bags of PAYG mobiles and bottled water, start the alerting tree, and move to your crashout location. (I know civil servants who actually did draw new mobiles, on BT Cellnet as was, for the millennium weekend.)
Of course, as the pesky student points out, it’s an inherent weakness of RFID that it’s, well, radio frequency identification; everything is public, so if the crypto doesn’t work, the whole system becomes a menace.
Update: The mighty Bruce Schneier has much more. The cards are the ones used in the Tube.