[Dave Birch] Over on the Digital Money Blog, we’ve been talking about the well-known MiFare security issue. We’re interested in it over there because MiFare is used for things such as Oyster cards and there’s an overlap between contactless cash replacement and contactless transit systems. From this frame of reference, the security issue is interesting and it needs to be factored into system procurement, card updates and that kind of thing. No-one is going to implement an electronic purse system using MiFare Classic, so the sky isn’t falling in. So, the guys are saying, well, next time we buy some cards we’ll buy MiFare Plus instead, but other than that, what’s the worry? But now it turns out that the problem may be far more troublesome than at first realised, because it turns out that the same technology (designed for mass transit) is being used by the Dutch government to secure access to important facilities:

…the Dutch Interior Ministry’s spokesman said this is “a national security issue,” since several government agencies there use the same technology to restrict access to their facilities.

It looks as if the researchers behind the MiFare crack have done Dutch citizens a big favour by alerting them to the inappropriate use of technology — MiFare Classic was designed for mass transit, not for identity cards and access control for sensitive facilities — before some bad guys do.

It’s a genuine moral (?) dilemma. If a researcher finds a serious security error, do they announce it, thus alerting the users so that they can defend themselves, or do they keep quiet about it and just inform the suppliers so that they can quickly fix it? I’m generally of the “sunshine is the best disinfectant” school, but there’s a good argument for the latter if the fix can be achieved before the bad guys might reasonably be expected to discover the same flaw. Interestingly, just such a situation has just occurred. A security flaw in the Domain Name Server (DNS) system at the heart of the Internet (actually, to a large extent it is the Internet) was dealt with this week…

Dan Kaminsky, director of penetration testing services for IOActive, found the DNS flaw earlier this year. Rather than sell the vulnerability, as some researchers have done, Kaminsky decided instead to gather the affected parties and discuss it with them first. Without disclosing any technical details, he said: “The severity is shown by the number of people who’ve gotten onboard with this patch.”

On 31 March, Kaminsky said 16 researchers gathered at Microsoft to see whether they understood what was going on, as well as what would be a fix to affect the greatest number of people worldwide, and when they would issue this fix. To address the flaw, Kaminsky said the researchers all decided to conduct a synchronised, multi-vendor release. As part of that, Microsoft in its July ‘Patch Tuesday’ released MS08-037. Cisco rolled out a patch later on Tuesday.

[From Synchronised, multi-vendor DNS patches released – ZDNet.co.uk]

So should the MiFare crackers have told NXP what the problem was, and then waited two years until all the MiFare Classic cards had been replaced by MiFare Plus cards, and then published their research? I don’t know, but I do know that NXP have started legal action to stop some of the research being published. Today, one of the researchers says that’s a bad idea (as he would).

Dutch semiconductor manufacturer NXP is making a mistake suing Radboud University Nijmegen in the Netherlands, says Karsten Nohl, a University of Virginia graduate student who worked with others to break the MIFARE cryptographic algorithm.

[From Nohl: NXP making ‘terrible decision’ : Contactless News]

I’m very interested in Karsten’s opinions, especially because we’re going to be having a little chat in Vienna at the end of September at Mobile Banking Security. As the brochure says,

In this interview style session, chairman David Birch, Consult Hyperion, will lead a more light-hearted and informal discussion with Karsten Nohl, University of Virginia, about his research team’s experiences of cracking the security of the MiFare chip.

So if there’s anything you want me to ask him…

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public
