UCL Discovery
UCL home » Library Services » Electronic resources » UCL Discovery

The dark side of security by obscurity: And cloning MiFare classic rail and building passes, anywhere, anytime

Courtois, NT; (2009) The dark side of security by obscurity: And cloning MiFare classic rail and building passes, anywhere, anytime. In: (pp. pp. 331-338).

[thumbnail of courtois_secrypt09.pdf] PDF
courtois_secrypt09.pdf
Access restricted to UNSPECIFIED
Available under License : See the attached licence file.
Download (175kB)
[thumbnail of licence] PDF (licence)
RPS deposit licence.pdf
Access restricted to UNSPECIFIED
Download (95kB)

Abstract

MiFare Classic is the most popular contactless smart card with about 200 millions copies in circulation worldwide. At Esorics 2008 Dutch researchers showed that the underlying cipher Crypto-1 can be cracked in as little as 0.1 seconds if the attacker can access or eavesdrop the RF communications with the (genuine) reader. We discovered that a MiFare classic card can be cloned in a much more practical card-only scenario, where the attacker only needs to be in the proximity of the card for a number of minutes, therefore making usurpation of identity through pass cloning feasible at any moment and under any circumstances. For example, anybody sitting next to the victim on a train or on a plane is now be able to clone his/her pass. Other researchers have also (independently from us) discovered this vulnerability (Garcia et al., 2009) however our attack requires less queries to the card and does not require any precomputation. In addition, we discovered that certain versions or clones of MiFare Classic are even weaker, and can be cloned in 1 second. The main security vulnerability that we need to address with regard to MiFare Classic is not about cryptography, RFID protocols and software vulnerabilities. It is a systemic one: we need to understand how much our economy is vulnerable to sophisticated forms of electronic subversion where potentially one smart card developer can intentionally (or not), but quite easily in fact, compromise the security of governments, businesses and financial institutions worldwide.

Type: Proceedings paper
Title: The dark side of security by obscurity: And cloning MiFare classic rail and building passes, anywhere, anytime
ISBN-13: 9789896740054
UCL classification: UCL
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science
URI: https://discovery.ucl.ac.uk/id/eprint/20439
Downloads since deposit
1Download
Download activity - last month
Download activity - last 12 months
Downloads by country - last 12 months

Archive Staff Only

View Item View Item