14 DAY TRIAL // The RFID encryption scheme used in the chips manufactured by Philips Semiconductors spin-off NXP has been reportedly defeated by a group of security experts from the Chaos Computer Club (CCC) in a joint collaboration with a team from the University of Virginia.
According to the report, the crackers not only could read encrypted data, but also they were able to perform additional operations, such as recharging payment cards, cloning RFID cards and even generating new users.
University of Virginia graduate student Karsten Nohl, along with several other colleagues, managed to intercept the data broadcasts from the RFID chips connected to average RFID readers. The chips were then dissected into thin layers, then analyzed with a custom-build optical recognition software application in order to outline the algorithms that generate the encryption keys.
The affected series of RFID tags is the Mifare Classic family, which is extremely popular on the market and, of course, is sold in large volume.
According to a spokesperson for the NXP Austria competence center, the built-in memory chip supports data storage capacities of between 1 to 4 KB. Despite its popularity, the NXP RFID tags are not as safe as their manufacturer claims, as the built-in proprietary 48-bit encoding scheme has not been updated in more than a decade.
The spokesperson claims that the company also ships other RFID chips with improved security algorithms, including Triple DES or AES. However, the manufacturer announced that it will inform its customers about the incident in due time, in order to avoid security breaches and exploitation of the card's security flaws among its customers.
"We will inform our customers about the incident", the spokesman said. "There are certainly applications for which the Classic can be used. We have not plans to withdraw the product from the market," he concluded.
More than that, the company outlined that the RFID chips in the Mifare Classic family are not intended for protecting security-critical data such as passports or electronic health cards.