On the heels of two independent research teams demonstrating hacks of the Mifare Classic RFID chip algorithm, the Dutch government has issued a public warning about the security of access keys based on it. The minister of interior affairs, in a letter to parliament, wrote that there are plans for government institutions to take “additional security measures to safeguard security.”

It is no laughing matter, as the technology is used by transit operators in London, Boston, and the Netherlands. It is also used in access cards in numerous other organizations around the world.

Excerpt from PC World:

NXP developed the Mifare Classic RFID (radio frequency identification) chip, which is used in 2 million Dutch building access passes, said ter Horst. One billion passes with the technology have been distributed worldwide, making the security risk a global problem. A spokesperson for the ministry told Webwereld, an IDG affiliate, that it had not yet notified other countries.

  • German researchers Karsten Nohl and Henryk Plötz have published a paper on how to crack the chip’s encryption (pdf)
  • Bart Jacobs, an information security professor, has released the video which I have embedded above.

The video demonstrates how cryptographic keys could be retrieved from readers attached to access control infrastructure, or even sniffed simply by walking past a Mifare RFID card holder. The cards are then cloned to gain unauthorized entry. What is really scary is the ease with which the attacks are successfully executed.

The interesting thing here is that the manufacturer, NXP Semiconductors, has quickly announced that there is a new version of the Mifare chip called the Mifare Plus with enhanced security: 128-bit encryption over the original 48-bit, to be exact.

The pertinent question here is why wasn’t the Mifare Plus introduced earlier? Now, it is not known how much this enhanced card will eventually cost, but reports say that the original Mifare Classic sold for less than a single dollar. Hence, the low cost of the Mifare Classic might have been a factor here.