If you're Radboud University's Bart
Jacobs, all that's required is a laptop and a
bit of RFID know-how.
Jacobs says that he and his team
used a "commercial laptop" to crack the encryption of and clone a widely-deployed Mifare Classic RFID smartcard.
Classic cards are often found in office-building access control systems,
wireless payment cards, and public transportation ticketing systems used by a
number of municipalities worldwide, including the London Underground.
Using a circular antenna and data
receiver hooked up to a standard laptop, Jacobs' team was able to download
encryption keys from Mifare RFID scanners stationed for ordinary use. They were
then able to steal smartcard data by waving the antenna -- which looks like a
loopy wand -- within a couple of inches of a legitimate card carrier, a process
called "skimming". Using sleight-of-hand techniques usually practiced
by pickpockets, the process of scanning a victim with the wand can be done
without their knowledge.
RFID smartcards transmit data
wirelessly over a low-strength signal usually limited to a couple of feet. A
video describing the process used for the Classic cards, originally discovered
in April, was posted to YouTube.
Jacobs' team tested the hack in two
scenarios: entering restricted-access areas of public-access, government
buildings in the Netherlands and hopping a day's worth of free rides on
London's subway system. Both tests ended successfully.
The Dutch government says it has
embarked on a campaign to replace the smartcards of its entire workforce since
learning of the attack, and stationed armed guards outside all its buildings.
Over 120,000 smartcards will have to be replaced, at a cost of "about €5
($8 USD) for each card."
"We take this extremely
seriously," said a spokesman for the Dutch Interior Ministry. "It’s a
national security issue."
The Times Online notes that
over ten million of the Mifare smartcards are sold in the UK each year,
including six million given to pensioners for free access to public
transportation. CNET's Defense in
Depth says that the same model smartcards are used in Boston
transit's CharlieCard reusable ticket system, as well as public transportation
systems in Beijing, Madrid, Hong Kong, Bangkok, and New Delhi. While newer,
more secure systems are out, writes blogger Robert Vamosi, there are still half
a billion Classic smartcards in use worldwide.
The team's page on Radboud University's website says
that they are not aware of any technical solutions, short of replacing
applicable systems, for fixing the Classic's vulnerabilities.
"The cryptography is simply not
fit for purpose," said security researcher Adam Laurie. "It’s very vulnerable
and we can expect the bad guys to hack into it soon, if they haven’t
"You only have to walk down the
street to see contactless access control systems everywhere ... it used to be a
magnetic strip, now it’s a card held up to a reader on the wall. A large
percentage of these will have Mifare technology and are very vulnerable to
attack. They should all be replaced."
With RFID finding an increasing
amount of use worldwide -- including in the United States, where it's seeing use in the next and latest generations of U.S.
passports -- privacy advocates are voicing their concern over the
technology, which can often be read at distances over 20 feet and can contain
sensitive biometric data. Recent legislation in the state of Washington outlawed
the practice of "skimming" for the purposes of identity
theft and fraud, but critics argue that the law will do little to actually stop
quote: "The cryptography is simply not fit for purpose," said security researcher Adam Laurie. "It’s very vulnerable and we can expect the bad guys to hack into it soon, if they haven’t already."