Three weeks ago scientists published the algorithm of the Mifare Classic chip used in access control systems. Now an open-source project enables practical use of the algorithm. People could ride public transportation for free or gain unauthorized access to buildings.
The project implements an attack on the CRYPTO1-algorithm used in the highly popular Mifare Classic chip. The project is carries the cynical name Crapto1 and has been totally based on the information in a paper by scientists from the Dutch Radboud University.
The project was started by a programmer that identifies himself as Bla. He claims to be studying RFID and figured that implementing the algorithm looked like fun. "And the stats in the different publications were pretty amazing. I wanted to see it in action," he wrote in an e-mail interview with Webwereld, a Dutch IDG affiliate.
According to his account he never planned to publish the source code, but decided to do so when someone suggested it. His basic idea is to spread knowledge and not cause harm. "My code is meant for educational purposes. I'm not encouraging anybody to break any laws," he wrote.
The knowledge in itself isn't knew and researchers have demonstrated how to enter buildings by cloning cards, without releasing any further details or software.
Evil or not, the code is the long-anticipated missing link between reading the Mifare Classic chips and actually using them to the full extent. Combined with readily available hardware, users have all the tools to execute a successful attack. There are RFID readers available online for less than US$150, such as the Proxmark III or the OpenPCD, for which the accompanying software is available as open source.
With the software in hand anyone with some technical skills can retrieve the secret key of a system and thus use it to gain access to buildings. For the public transportation systems the attack paves the way for executing a denial-of-service attack by damaging cards or obtaining free travel by altering or cloning data.
The latter was the fear of Massachusetts Bay Transportation Authority (MBTA) when they sued three students from Massachusetts Institute of Technology (MIT) in order to prevent them from sharing technical details of the flawed CharlieCard. In court documents the company said it was concerned by claims that people could ride for free. Earlier, Dutch company Trans Link Systems, responsible for introducing a Mifare Classic transportation card in the Netherlands, had added fraud detection in the back office to combat anticipated fraudulent use of the system.
While fraud mitigation may work on these type of systems, they will also harm innocent travelers, making for a successful denial-of-service attack. Using the software, miscreants could also overwrite existing cards with bogus information, thus disrupting regular travel.
That such a thing could happen was proven in London, where over 40,000 Oyster Cards used on the public transport network were trashed when a failed software update caused readers to wipe out relevant data from the cards.
It was widely anticipated that open source software would ultimately surface after researchers in Germany and the Netherlands cracked the Mifare Classic algorithm, and chip manufacturer NXP tried and failed to prevent researchers from the Netherlands from publishing their results.
Researchers from Germany already published some source code in a paper on Oct. 7. Crapto1 takes that information a step further by making a fully functional open source project.
In the Netherlands the software has already caused a stir. The Minister of the Interior and the Secretary of Transportation have been ordered to answer questions in Parliament on Tuesday.