The perfect clone: Researchers hack RFID smartcards

Nov 03, 2011

Professional safecrackers use a stethoscope to find the correct combination by listening to the clicks of the lock. Researchers at the Ruhr-University Bochum have now demonstrated how to bypass the security mechanisms of a widely used contactless smartcard in a similar way. Employing so-called "Side-Channel Analysis" the researchers of the Chair for Embedded Security (Prof. Dr.-Ing. Christof Paar) can break the cryptography of millions of cards that are used all around the world.

RFID smartcards () of the type DESFire MF3ICD40 are widely employed in payment and access control systems. The of these cards is based on Triple-DES, a cipher that is unbreakable from a purely mathematic point of view. DESFire cards are for instance used by the public transport agencies in Melbourne, San Francisco and Prague. The DESFire MF3ICD40 is manufactured by NXP, the former semiconductor division of .

A person is identified as a passenger, employee or customer when his RFID smartcard is placed in the proximity of a reader. To guarantee the necessary level of security, a secret key is stored on the integrated chip inside the card. But just like for the safe, the security mechanism produces the electronic equivalent of the clicks of a mechanic lock. "We measured the of the chip during the encryption and decryption with a small probe", says David Oswald. The fluctuations of the electro-magnetic field allow the researchers to conclude to the full 112-bit of the smartcard.

Having extracted the keys, an attacker can create an unlimited number of undetectable clones of a given card. The required time and effort are quite low: "For our measurements, we needed a DESFire MF3ICD40 card, an RFID reader, the probe and an oscilloscope to measure the power consumption", says Oswald. This equipment only costs a few thousand euros. Having obtained knowledge on the characteristic properties of the smartcard, the attack takes three to seven hours. The manufacturer NXP confirmed the security hole in the meanwhile and recommends his customers to upgrade to a newer version of the card.

Already back in 2008, researchers around Prof. Dr.-Ing. Christof Paar used Side-Channel Analysis to break supposedly secure systems. Three years ago, garage and car doors "mysteriously" opened for the researchers of the Chair for Embedded Security. The employed KeeLoq RFID system – which customers and manufacturers trusted blindly before – turned out to be highly susceptible to Side-Channel Analysis.

Explore further: Greater safety and security at Europe's train stations

More information: www.emsec.rub.de/

Provided by Ruhr-University Bochum

not rated yet
add to favorites email to friend print save as pdf

Related Stories

Using your car key as a credit card?

Oct 22, 2008

(PhysOrg.com) -- BMW Group Research and Technology and NXP Semiconductors, the independent semiconductor company founded by Philips, have unveiled a prototype of the world’s first multifunctional car key. The prototype ...

Safer swiping while voting and globetrotting

Apr 15, 2010

Since 2007, every new U.S. passport has been outfitted with a computer chip. Embedded in the back cover of the passport, the "e-passport" contains biometric data, electronic fingerprints and pictures of the ...

Super-smart USB card delivers rich multimedia content

Oct 13, 2005

A powerful new platform that delivers high computing power and high channel capacity could help meet consumer demand for multimedia content via PCs, interactive TV and mobile phones. The FULL SPEED project that developed ...

Recommended for you

Greater safety and security at Europe's train stations

20 hours ago

When a suspicious individual fleas on a bus or by train, then things usually get tough for the police. This is because the security systems of the various transportation companies and security services are ...

Fingerprints for freight items

21 hours ago

Security is a top priority in air freight logistics but screening procedures can be very time consuming and costly. Fraunhofer researchers intend to boost efficiency with a new approach to digital logistics, ...

On the way to a safe and secure smart home

21 hours ago

A growing number of household operations can be managed via the Internet. Today's "Smart Home" promises efficient building management. But often the systems are not secure and can only be retrofitted at great ...

DIY glove-based tutor indicates muscle-memory potential

Aug 31, 2014

A senior editor at IEEE Spectrum worked on a DIY project that enabled his 11-year-old son to improve his touch typing by use of a vibrating glove. His son was already "pretty quick on the keyboard," said ...

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

rwinners
not rated yet Nov 04, 2011
Nice to know that a card cannot be 'scanned' in my wallet.