Nov 07

Reported by Jesse Emspak, New Scientist, 4 November 2011.

Chalk up another security measure that hackers can break.

The encryption protocol called Triple-Data Encryption Standard, or 3DES isĀ  supposed to be unbreakable – at least not without a lot of computing time and power. Because of this, lots of contactless smart cards – London’s Oyster Card, as well as cards used to store money and passes for mass transit systems in Chicago, Seattle and elsewhere – rely on 3DES to protect users’ accounts.

But Christof Paar at Ruhr-University Bochum has led a team that hacked 3DES using a low-cost system to break in with just a few hours of work.

The team’s method, called side channel analysis, is a lot like a safecracker listening for the clicks in an old-fashioned combination lock, or feeling for the catch in a combination padlock. Using a small probe, an RFID reader and an oscilloscope, the team measured the power consumption of the chip embedded in the card used while encrypting and decrypting its data, which allowed them to crack the code.

This allowed the team to make duplicates of the cards. The equipment, Paar says in a paper originally presented at the Workshop on Cryptographic Hardware and Embedded Systems in Japan last month, isn’t all that expensive – about $3000, well within the reach of a criminal gang.

The manufacturer of the cards, NXP, says it is aware of the vulnerability and is recommending that customers upgrade to newer versions of the cards, as it had planned to phase out the version Paar and his colleagues worked on by year-end. The company says it had planned the upgrade before Paar’s lab alerted them to the attack.

Hacking a transit card isn’t all that lucrative, but subway rides aren’t the only kind of contactless card out there. Visa and MasterCard use a system called payWave, also manufactured by NXP. Those could be hacked as well in a similar fashion. A similar type of attack was demonstrated on digital car keys in 2008, but this is the first time anyone has shown that a real-world system is vulnerable.

And while NXP says it will cease making the model of card that the German team hacked, it won’t change instantly – transit systems take some time to “recycle” cards (as people renew or lose them) and credit card companies also don’t act instantly. So odds are if you are carrying a contactless card with an NXP chip, it will be an older model for at least a few months.

Comments are closed.

preload preload preload