[ISN] D-Day for RFID-based transit card systems

From: InfoSec News <alerts_at_private>
Date: Tue, 7 Oct 2008 00:26:31 -0500 (CDT)

By Elinor Mills 
October 6, 2008

Want to ride the subway for free without having to jump the turnstiles? 
Well, as of Monday, you'll be able to do that by making a fake transit 

A scientific paper detailing the security flaws in the Mifare Classic 
wireless smart card chip used in transit systems around the world is 
being published by the Radboud University Nijmegen. And a researcher at 
Humboldt University in Berlin has published a full implementation of the 
algorithm (PDF) [1].

"Combining these two pieces of information, attacks can now be 
implemented by anyone," RFID researcher Karsten Nohl told CNET News. 
"All it takes is a $100 (card) reader and a little software."

Armed with the information in the papers, someone could steal the secret 
key from a Mifare Classic-based transit card and create a clone of it. 
As seen in a demonstration [2], data was collected wirelessly by merely 
brushing a card reader past someone carrying a card. The data was then 
used to create a fresh transit card that permitted free access to the 
London subway.

Subway systems in Amsterdam, Boston, and Beijing, among other cities, 
are also susceptible, as are building access control systems in Europe.

[1] http://sar.informatik.hu-berlin.de/research/publications/SAR-PR-2008-21/SAR-PR-2008-21_.pdf
[2] http://news.cnet.com/8301-10789_3-9978486-57.html


Received on Mon Oct 06 2008 - 22:26:31 PDT
