Abstract
This short paper gives a combined technical-historical account of the fate of the world’s most-used contactless smart card, the MIFARE Classic. The account concentrates on the years 2008 and 2009, when serious security flaws in the MIFARE Classic were unveiled. The story covers, besides the relevant technicalities, the risks of proprietary security mechanisms, the rights and morals with respect to publishing security vulnerabilities, and eventually the legal confrontation in court.
Notes
1. Including: Flavio Garcia, Jaap-Henk Hoepman, Bart Jacobs, Ravindra Kali, Vinesh Kali, Gerhard de Koning Gans, Ruben Muijrers, Peter van Rossum, Wouter Teepe, Roel Verdult.
2. The CCC is a large, influential association of computer enthusiasts, hackers and digital rights activists in Germany.
3. This was a premature statement, since only the throw-away version was broken at that time.
4. NLNCSA is an abbreviation of The Netherlands National Communications Security Agency, in Dutch also known as Nationaal Bureau Verbindingsbeveiliging (NBV); it is comparable to the British CESG, part of GCHQ.
Copyright information
© 2016 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Garcia, F.D., Jacobs, B. (2016). The Fall of a Tiny Star. In: Ryan, P., Naccache, D., Quisquater, JJ. (eds) The New Codebreakers. Lecture Notes in Computer Science, vol 9100. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49301-4_5
DOI: https://doi.org/10.1007/978-3-662-49301-4_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-49300-7
Online ISBN: 978-3-662-49301-4
eBook Packages: Computer Science (R0)