University researchers have discovered vulnerabilities in NXP's MIFARE Classic card, which belongs to a family of smart cards with more than 1 billion units distributed worldwide. These smart cards are used to access buildings and public transportation systems. One example is the Oyster card, which Londoners use for citywide travel.

Researchers from Radboud University in the Netherlands received the Best Practical Paper Award at the IEEE Symposium on Security and Privacy on Monday for their work demonstrating how to pickpocket the card wirelessly.

The team also filmed a video demonstration in 2008 of how to compromise the card, which is posted on YouTube and university Web pages. A cyber-criminal can use an off-the-shelf reader to make requests of the card, and while the card determines if the reader is legitimate, it reveals enough information for the hacker to decrypt information that's supposed to be secure. Then the information can be cloned for duplicate cards.

"This is exactly the type of research that I'm glad to see the security and privacy research community doing," said Tadayoshi Kohno, an assistant professor of computer science at the University of Washington. He said he isn't surprised that the Netherlands researchers' paper won an award. "There's a lot of value in doing research and uncovering vulnerabilities in important and deployed systems," he said.

The MIFARE Classic card has been scrutinized more than once. In 2007, Karsten Nohl, then a graduate student at the University of Virginia, reverse-engineered the card with colleagues to uncover vulnerabilities.


View Full Story
Hilton Collins, Staff Writer Hilton Collins  |  GT Staff Writer

By day, Hilton Collins is a staff writer for Government Technology and Emergency Management magazines who covers sustainability, cybersecurity and disaster management issues. By night, he’s a sci-fi/fantasy fanatic, and if he had to choose between comic books, movies, TV shows and novels, he’d have a brain aneurysm. He can be reached at hcollins@govtech.com and on @hiltoncollins on Twitter.