Hackers claim RFID smart-card hack, but vendor disagrees

A semiconductor company on Tuesday disputed claims by a hacker that he can access the firm's radio-frequency identification (RFID) chips to jeopardize the security of billions of credit card users.

A spokesman for NXP Semiconductors, a Netherlands-based company that also operates in the United States, told SCMagazineUS.com on Tuesday that the chip the hacker said he had broken into is not used in so-called smart cards, such as credit cards and subway tickets.

The hacker, 26-year-old University of Virginia graduate student Karsten Nohl, said at the Chaos Communication Congress hacker convention in Berlin that he and two German partners broke the chip's security encryption algorithm. The trio did not release details of how they performed their intrusion, but noted in the Chaos presentation that if they could do it, others could as well.

But NXP disagrees with the findings.

"The chip in question is only one in a family of ICs [integrated circuits] for contactless cards applications but not -- as erroneously referred to in the presentation -- targeting ePassport, traditional banking or car security applications," the company said in a statement to SCMagazineUS.com.

Rather, the chip, which the company said is the "MiFare Classic," is used almost exclusively in contactless electronic toll-collection systems, such as the Bay Area's FasTrak system, and in security badges for building access applications, the spokesman said.

Nohl said that the NXP Semiconductors chip is used in smart card applications, thus putting the financial accounts of users of the cards at risk of exploitation. Credit cards containing these chips permit payment without having to swipe a card.

NXP denied the hackers' assertions.

The chip is "absolutely not used in any credit or debit card application," the spokesman told SCMagazineUS.com. "It's used strictly in transportation systems and has a very low level of security because it's very inexpensive. It's not feasible to put the same chip in a credit card as in a transportation card."

Nohl had done a "partial algorithm hack of the security around the chip itself, but not the entire system," the spokesman admitted. "He's obtained part of the cryptographic algorithm, but the overall multiple layers of the end-to-end security of the system is still functioning as it should be."

Even if this RFID chip was targeted to obtain private data from smart cards, the liability for any losses consumers suffered as a result of a breach would fall on the financial institutions issuing the cards, Jennifer Albornoz Mulligan, an analyst with Forrester Research, told SCMagazineUS.com on Wednesday.

“Financial institutions are the ones who have more to fear about this issue,” she said.

Mulligan, meanwhile, said the hack was believable considering RFID chips have limited memory and power capabilities. The small amount of memory and power available on an RFID chip limits the size of the encryption algorithm used with it, she said, adding that research is ongoing to find new algorithms that would be more secure.

Security in RFID systems is all about tradeoffs between technical security measures and costs, Pete Poorman, a principal analyst for RFID and contactless technologies at ABI Research, told SCMagazineUS.com.

Moreover, various RFID systems, he said, are designed to be read from varying distances. An RFID chip in a credit card, for instance, should not be readable from more than a few inches, while one used in a toll-collection system would be readable from several yards.

Poorman added that even if a hacker were to break the cryptographic code on an RFID chip on a smart card, that may not lead to immediate financial gain.

“If all the information on the card is merely an identifier, someone would need access to the back-end database to exploit the account,” he said.
