Team hacks RFID smartcards

Researchers at the Ruhr-University Bochum say they’ve been able to crack the security of a widely used contactless smartcard.

RFID smartcards of the type DESFire MF3ICD40 are widely employed in payment and access control systems, such as the public transport agencies in Melbourne, San Francisco and Prague. They’re manufactured by NXP, the former semiconductor division of Philips Electronics.

The cards’ security is based on Triple-DES, a cipher that is unbreakable from a purely mathematical point of view. To guarantee the necessary level of security, a secret key is stored on the integrated chip inside the card.

However, the cards can be hacked using a technique called side-channel analysis.

Just like a safe, the security mechanism produces the electronic equivalent of the clicks of a mechanical lock. The power consumption of the chip during encryption and decryption can be measured with a small probe, and its fluctuations allow hackers to deduce the full 112-bit secret key of the smartcard.

Having extracted the keys, an attacker can quickly and easily create an unlimited number of undetectable clones of a given card, says the university’s David Oswald; the attack takes as little as three hours and uses equipment that costs just a few thousand euros.

“For our measurements, we needed a DESFire MF3ICD40 card, an RFID reader, the probe and an oscilloscope to measure the power consumption,” he says.

He says NXP has confirmed the security hole and is recommending that customers upgrade to a newer version of the card.