Home > News > University Students in Virginia Crack Smartcard Chips

University Students in Virginia Crack Smartcard Chips

From The Tech Herald
March 4, 2008

By Steve Ragan

Just days after Cambridge researchers broke Chip & PIN in the U.K., across the pond, a graduate student at the University of Virginia along with two friends have cracked the code used for the chips inside smartcards.

The cards are a common sight in the U.S., subway passes, door badges, and car keypads all use the RFID technology that was cracked. The results of the code being decrypted means attackers can clone them, and use the cloned cards for nefarious means.

Karsten Nohl, age 26, and his two German partners dismantled the chip found inside the smartcards, and mapped out the security algorithm. They ran the formula through a computer program and broke the encryption after a few hours.

"I don't want to help attackers, but I want to inform people about the vulnerabilities of these cards," said Nohl, a Ph.D. candidate in computer engineering to the Associated Press.

The research was disclosed at Chaos Communications Congress (CCC) in Berlin. However, they will not discuss the methods used to defeat the chips. The chips that were targeted are from NXP Semiconductors, based out of the Netherlands. In a statement to the AP, NXP disputed the claims made by Nohl and his partners, arguing that they only had part of the security algorithm.

Taking the same stance as the chip makers in the U.K., NXP is downplaying the fact that someone was able to crack the algorithm, even if only in part. Nohl would not say exactly what was decrypted; the only proof was in the presentation at CCC. All of the code or some of the code, the fact is Nohl and his friends got something. That alone should give NXP pause, and make them consider upgrading security.

Edit:

This story was corrected to remove references to credit cards. The correction was made after an email from NXP.

"Karsten's claims regarding cracking the security surrounding credit card and car keys are not accurate. Their work is restricted to obtaining only part of the cryptographic algorithm found primarily in contactless transportation systems (but not credit cards nor automobile key systems), leaving the overall end-to-end security of the whole system functioning as intended. The chip level security in these contactless transportation systems is just one part of a multi-layered system," NXP said.

In 2007 at the CCC, Karsten Nohl presented problems with RFID and mentioned credit systems, keyless entry, and ignition for autos. This recent research centered on NXP made chips, and rehashed some of the earlier concerns.

Source: http://events.ccc.de/congress/2007/Fahrplan/events/2378.en.html


Original Article | Local Copy

 

More news about Karsten Nohl

 

More news about David E Evans

 

Return To List