http://news.cnet.com/8301-1009_3-10059605-83.html
By Elinor Mills
Security
CNET News
October 6, 2008
Want to ride the subway for free without having to jump the turnstiles?
Well, as of Monday, you'll be able to do that by making a fake transit
card.
A scientific paper detailing the security flaws in the Mifare Classic
wireless smart card chip used in transit systems around the world is
being published by the Radboud University Nijmegen. And a researcher at
Humboldt University in Berlin has published a full implementation of the
algorithm (PDF) [1].
"Combining these two pieces of information, attacks can now be
implemented by anyone," RFID researcher Karsten Nohl told CNET News.
"All it takes is a $100 (card) reader and a little software."
Armed with the information in the papers, someone could steal the secret
key from a Mifare Classic-based transit card and create a clone of it.
As seen in a demonstration [2], data was collected wirelessly by merely
brushing a card reader past someone carrying a card. The data was then
used to create a fresh transit card that permitted free access to the
London subway.
Subway systems in Amsterdam, Boston, and Beijing, among other cities,
are also susceptible, as are building access control systems in Europe.
[1] http://sar.informatik.hu-berlin.de/research/publications/SAR-PR-2008-21/SAR-PR-2008-21_.pdf
[2] http://news.cnet.com/8301-10789_3-9978486-57.html
[...]
Received on Tue Oct 7 00:26:31 2008