The police are likely to quickly arrest anyone who tries to sell cloned cards on any scale.
Mifare cracker software#
But it requires an RFID reader and a small piece of software which, while feasible for a techie, are too complicated for the average fare dodger. Cloning takes only a few seconds, and the thief only has to brush up against someone carrying a legitimate Oyster card.
It’s unclear how this break will affect Transport for London. This court ruling encourages companies to build security properly rather than relying on shoddy design and secrecy, and discourages them from promising security based on their ability to threaten researchers.
Mifare cracker how to#
NXP’s security was so bad because customers didn’t know how to evaluate security: either they don’t know what questions to ask, or didn’t know enough to distrust the marketing answers they were given. Companies will only design security as good as their customers know to ask for. Publication of this attack might be expensive for NXP and its customers, but it’s good for security overall. Is there any doubt that the bad guys already know about this, or will soon enough? A Chinese company even sells a compatible chip. Other researchers had already exposed Mifare’s lousy security. Mifare’s security was based on the belief that no one would discover how it worked that’s why NXP had to muzzle the Dutch researchers. Any competent cryptographer would have designed Mifare’s security with an open and public design.
Whenever you see an organization claiming that design secrecy is necessary for security - in ID cards, in voting machines, in airport security - it invariably means that its security is lousy and it has no choice but to hide it. More generally, the notion that secrecy supports security is inherently flawed. They called disclosure of the attack “irresponsible,” warned that it will cause “immense damages,” and claimed that it “will jeopardize the security of assets protected with systems incorporating the Mifare IC.” The Dutch court would have none of it: “Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.”Įxactly right. The second paper is the one that NXP sued over. Their two papers (one is already online) will be published at two conferences this autumn. They demonstrated the attack by riding the Underground for free, and by breaking into a building. The group that broke Mifare Classic is from Radboud University Nijmegen in the Netherlands. NXP attempted to deal with this embarrassment by keeping the design secret. Anyone with any security experience would be embarrassed to put his name to the design. This is not an exaggeration it’s kindergarten cryptography. The security of Mifare Classic is terrible. That chip, the “Mifare Classic” chip, is used in hundreds of other transport systems as well - Boston, Los Angeles, Brisbane, Amsterdam, Taipei, Shanghai, Rio de Janeiro - and as an access pass in thousands of companies, schools, hospitals, and government buildings around Britain and the rest of the world. Every Oyster card has a radio-frequency identification chip that communicates with readers mounted on the ticket barrier. And the publication of this serious vulnerability actually makes us all safer in the long run. People might be able to use this information to ride for free, but the sky won’t be falling. NXP Semiconductors, the Philips spin-off that makes the system, lost a court battle to prevent the researchers from publishing.
London’s Oyster card has been cracked, and the final details will become public in October.
0 kommentar(er)
