The real lessons of the Mifare Classic card hack - Tim Richards, Aconite

Over 1bn Mifare cards have been deployed around the world since 1994 in myriad and varied schemes, the chip being one of the most popular smart card types in use in the world today. Yet despite this it took until the end of 2007 for a couple of academics to announce at a hacker's conference that they had demonstrated that the Mifare Classic chip's security was flawed.

You could be forgiven for wondering what the massed legions of security analysts have been doing for the previous thirteen years. At the very least it hardly reflects well on an industry that the world relies on in an age where our very privacy is dependent on the security of the IT systems that surround us: the more so because the attacks on Mifare Classic do not appear to be especially complex.

The truth, of course, is less simple than the headline message and the issue here is not whether the Mifare Classic chip is weak in a cryptographic sense - it probably is, but that's not the main issue - but whether the systems that use the chip are so reliant on it that this attack fundamentally weakens them to the point where they are vulnerable to wider attacks.

Good system security design should always take into account the possibility of a major component being compromised or a cryptographic key being exposed and offer ways of dealing with this. Bad system security design simply assumes that the chip is secure and leads to system exposure if the chip security is compromised.

Assuming that a smart card chip is totally secure is just about the most fundamental mistake that any system security designer could ever make.

The economics of security

Nothing that man can make is totally secure, it's simply a question of how much money it takes to break it. If it takes a million dollars to break a chip so you can take a single trip on the London Underground then no one will really care, but if it takes a dollar to break a million chips then that's a problem.

However, the problem is more complex than pure economics. A million dollars to break a chip to take a trip to Oxford Circus underground station is stupidity, or vanity, but a million dollars to break the same chip to gain entry to the Pentagon or to the backrooms of Heathrow is an entirely different matter. That's why the Dutch government posted armed guards on its buildings when this weakness was uncovered while transit suppliers have been relatively relaxed.

Does this demonstrate that all systems using smart cards are fundamentally flawed? Absolutely not. What is does do is demonstrate that specific systems using smart cards are specifically flawed. Well designed systems should not be reliant on one sort of smart card - it should be possible to swap out one sort of card and replace it with another.

Of course there's a cost to this but changing your cards should be the main impact. The trouble is that a lot of systems are built around one specific type of smart card and if you were unlucky enough to choose the Mifare Classic card you may now be looking at a lot of money to upgrade your systems to work with some other type of card. Of course no one would be silly enough to repeat the same mistake again, would they? Well, don't bet against it.

Uncovering the secrets of the Mifare Classic card

The underlying problem with the Mifare Classic card is that its security appears to rely on obscurity - once you know how the thing works then it's a matter of grunt work to figure out how to break it. It ought to be possible to publish how a well designed smart card security architecture works without exposing the underlying system to any undue threat.

Asymmetric algorithms like RSA or symmetric ones like DES (or Triple DES or AES) don't rely on keeping the algorithms secret; they simply hide-away the cryptographic keys in such a way that no human has access to them. These algorithms are the basis for global schemes like EMV Chip & PIN or the ICAO e-Passport standards.

That doesn't mean that the chips involved in these schemes are unbreakable, far from it - put enough money in and you'll get something out. However, the schemes are designed with this in mind, they limit the scope of any attack and the systems - not the chips - are designed to identify and fix any problems. This doesn't mean that a crack of a credit card or a passport isn't an issue but at least the chip adds to the overall security rather than potentially weakening it.

Nevertheless, if you look at the system security in all of these schemes - transit, government identity, passports, credit cards - and if you dig hard enough at the security you'll find failures to imagine the worst scenarios. People defend against yesterday's attacks and fail to see what will happen tomorrow - because, by definition, they can't imagine it. To deal with this it's necessary to build systems that don't focus on specific imaginable threats but which can be used to build more general defenses. Smart cards actually lend themselves to this approach because many of them can actually be programmed like a computer. The Mifare Classic isn't one of these types of chip: this makes it cheap - which is probably why so many systems have been built using it.

The solution is designing a flexible smart card system...

The main problem for all issuers sending out smart card chips is that of static thinking: they build systems expecting that nothing will ever change but fail to account for the possibility of the unexpected. Designing properly secure smart card systems is about more than choosing a secure smart card chip, it's about building a security architecture that is resilient in the face of the failure of any individual component (including an individual smart card) and it's about building flexibility into the backend systems so that should the worst occur you can change your chips or the contents of your chip.

All of this is really commonsense but unfortunately commonsense is sometimes hidden under layers of security jargon and, invariably, costs extra money without immediately adding to the bottom line. The problem is, of course, that by not spending a little extra money up-front you may find yourself spending a fortune later on.

...and in EMV chip technology

The worst thing about the type of problem that the Mifare Classic attack is causing for some of the systems using it is that for the most part the systems and chips to have prevented it are widely available. For some systems Mifare Classic is fine, whether it's flawed or not, but otherwise using EMV type technology to manage card contents and payment ought to be standard. Using chips that use standard cryptographic algorithms ought to be standard. Where economically possible using programmable chips rather than memory-type chips like Mifare Classic - which at least allows functionality to be adjusted on new cards - ought to be standard. For preference using re-programmable multi-application chips like GlobalPlatform JavaCards or MULTOS ought to be standard.

Above all, designing the systems that use these chips and algorithms to allow them to be modified in the face of Black Swan type unimaginable attacks ought to be standard. The only prediction we can make about the next attack is that we won't foresee it coming - the security industry couldn't foresee what now looks like an obvious and straightforward attack on the Mifare Classic card so expecting it to see anything a bit less obvious is madly optimistic - and we need to prepare by building systems to be flexible, rather than simply fixing the latest problem to emerge.

In conclusion

The Mifare Classic attack should be a wake-up call for the issuers and users of smartcards. The next time a scheme is successfully attacked no executive or security manager should really be allowed to claim that it was a surprise, no matter how unlikely the attack. After all not every scheme can afford to post armed guards on every point of use.

Tim Richards is a systems and security consultant with seventeen years experience in the smart card industry. Tim now provides Aconite's customers with specialist and technical analysis consultancy specializing in the development and maintenance of secure smart card systems.