THE DARK SIDE OF SECURITY BY OBSCURITY - and Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime

Nicolas T. Courtois

Research.Publish.Connect.

*Please fill out at least one Field. *Value must be an number!

Title:
ISBN:
Year:
Acronym:
Subject:

Advanced Search Proceedings Search

If you're looking for an exact phrase use quotation marks on text fields.

*Please fill out at least one Field.

Title:
Author:
Affiliation:
Subject:

Advanced Search Papers Search

If you're looking for an exact phrase use quotation marks on text fields.

*Please fill out at least one Field.

Name:
Affiliation:
Country:
Conference:
Subject:

Advanced Search Authors Search

If you're looking for an exact phrase use quotation marks on text fields.

*Please fill out at least one Field.

Name:
Country:
Subject:

Advanced Search Affiliations Search

If you're looking for an exact phrase use quotation marks on text fields.

Proceedings

Proceedings Search *Please fill out at least one Field. *Value must be an number!

Title:
ISBN:
Year:
Acronym:
Subject:

Advanced Search Proceedings Search

If you're looking for an exact phrase use quotation marks on text fields.

Papers

Papers Search *Please fill out at least one Field.

Title:
Author:
Affiliation:
Subject:

Advanced Search Papers Search

If you're looking for an exact phrase use quotation marks on text fields.

Authors

Authors Search *Please fill out at least one Field.

Name:
Affiliation:
Country:
Conference:
Subject:

Advanced Search Authors Search

If you're looking for an exact phrase use quotation marks on text fields.

Advanced Search

Paper

THE DARK SIDE OF SECURITY BY OBSCURITY - and Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime

Topics: Ethical and Legal Implications; Information Hiding; Insider Threats and Countermeasures; Intrusion Detection and Vulnerability Assessment; Smart Card Security

In Proceedings of the International Conference on Security and Cryptography - Volume 0ICETE, 331-338, 2009 , Milan, Italy

Author: Nicolas T. Courtois

Affiliation: University College London, United Kingdom

Keyword(s): Access control, RFID, Contactless smart cards, MiFare Classic, London Oyster card, OV-Chipkaart, Industrial secrets, Secure hardware devices, Reverse-engineering, Electronic subversion, Covert channels, Implementation backdoors, Critical application development management, Information assurance, Crime science.

Related Ontology Subjects/Areas/Topics: Cryptographic Techniques and Key Management ; Ethical and Legal Implications of Security and Privacy ; Information and Systems Security ; Information Assurance ; Information Hiding ; Insider Threats and Countermeasures ; Intrusion Detection & Prevention ; Smart Card Security

Abstract: MiFare Classic is the most popular contactless smart card with about 200 millions copies in circulation worldwide. At Esorics 2008 Dutch researchers showed that the underlying cipher Crypto-1 can be cracked in as little as 0.1 seconds if the attacker can access or eavesdrop the RF communications with the (genuine) reader. We discovered that a MiFare classic card can be cloned in a much more practical card-only scenario, where the attacker only needs to be in the proximity of the card for a number of minutes, therefore making usurpation of identity through pass cloning feasible at any moment and under any circumstances. For example, anybody sitting next to the victim on a train or on a plane is now be able to clone his/her pass. Other researchers have also (independently from us) discovered this vulnerability (Garcia et al., 2009) however our attack requires less queries to the card and does not require any precomputation. In addition, we discovered that certain versions or clones of MiFare Classic are even weaker, and can be cloned in 1 second. The main security vulnerability that we need to address with regard to MiFare Classic is not about cryptography, RFID protocols and software vulnerabilities. It is a systemic one: we need to understand how much our economy is vulnerable to sophisticated forms of electronic subversion where potentially one smart card developer can intentionally (or not), but quite easily in fact, compromise the security of governments, businesses and financial institutions worldwide. (More)

CC BY-NC-ND 4.0

Guest: Register as new SciTePress user now for free.

SciTePress user: please login.

My Papers

You are not signed in, therefore limits apply to your IP address 3.149.250.1

In the current month:

Recent papers: 100 available of 100 total

2⁺ years older papers: 200 available of 200 total

Paper citation in several formats:

T. Courtois, N. (2009). THE DARK SIDE OF SECURITY BY OBSCURITY - and Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime. In Proceedings of the International Conference on Security and Cryptography (ICETE 2009) - SECRYPT; ISBN 978-989-674-005-4; ISSN 2184-3236, SciTePress, pages 331-338. DOI: 10.5220/0002238003310338

@conference{secrypt09,
author={Nicolas {T. Courtois}.},
title={THE DARK SIDE OF SECURITY BY OBSCURITY - and Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime},
booktitle={Proceedings of the International Conference on Security and Cryptography (ICETE 2009) - SECRYPT},
year={2009},
pages={331-338},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002238003310338},
isbn={978-989-674-005-4},
issn={2184-3236},
}

TY - CONF

JO - Proceedings of the International Conference on Security and Cryptography (ICETE 2009) - SECRYPT
TI - THE DARK SIDE OF SECURITY BY OBSCURITY - and Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime
SN - 978-989-674-005-4
IS - 2184-3236
AU - T. Courtois, N.
PY - 2009
SP - 331
EP - 338
DO - 10.5220/0002238003310338
PB - SciTePress