RFID Crack Affects 2 Billion Smart Cards
Think of RFID (Radio Frequency I.D.) as a bar code that can be read at a distance, instead of having to be scanned directly. RFID is becoming a pervasive feature in the American defense supply chain, and is beginning to make inroads into other markets as well. While supply chain solutions remain its main use, it is also a common feature in security solutions like ‘smart’ access cards. That latter use has led to a number of problems lately, including the posting of armed guards to secure sensitive government facilities in Europe.
NXP Semiconductors is currently filing suit in the Netherlands against Radboud University in Nijmegen, in an attempt to keep its researchers from publishing a paper about reported security flaws in NXP’s widely distributed MiFare Classic RFID chip. The chip’s 48-bit encryption was high end in 1994, but is considered very vulnerable by modern standards. The chip’s security flaws were publicized in a 2007 crack, but the downside of hardware-based security systems is the expense and time involved in changing them. In light of recent events, government agencies employing smart cards will need to factor that unpleasant reality into their purchasing decisions. Ken van Wyk, principal consultant at KRvW Associates, is quoted by Computerworld on this issue:
“It turns out it’s a pretty huge deal… There are a lot of these things floating around out there. Using it for building locks is the biggy, especially when it’s used in sensitive government facilities – and I know for a fact it’s being used in sensitive government facilities.” Van Wyk noted in March that one European country had deployed soldiers to guard some government facilities that used the MiFare Classic chip in their smart door key cards… “You have an RFID chip deployed by the millions,” said van Wyk. “Switching that around is extremely costly and won’t happen very quickly. It could be it will take them months or a year to do that.”