Follow us on TwitterWhat's next for Mifare?
What's next for Mifare?
On Wednesday, a video was released on YouTube demonstrating the successful hack of physical access systems based on the Mifare Classic RFID chip. There were two vectors of attack in the video; the first of them shows the retrieval of the cryptographic key from a reader hooked up to the building's access control infrastructure. The other vector saw the RFID access card being wirelessly sniffed by simply walking past a victim with a handheld scanner. The retrieved data was sufficient to create a clone, which was then used to successfully gain entry.
Detractors say that part of the problem is caused by improper implementations, and that the door reader attack should not have been possible in the first place. Others argue that it is foolhardy not to have implemented additional layers of security.
The second argument ignores the fact that access control systems based on the Mifare work on the assumption that the Mifare cannot be cloned--which is, after all, its key security feature. Hence, a card that is registered with the access control system is assumed to be held by the person it has been assigned to--unless deactivated due to being misplaced or stolen. As such, unless it's a military installation, it does not make economic sense to piggy back a secondary layer of security--and its associated cost, onto an already "secure" system.
As for the first criticism, the fact is that most access control systems based on the Mifare Classic probably are implemented in the same flawed way. Complain as you will, but it's already a done deal. As you can imagine, the hack has thrown much of the world's access control market into disarray. This situation has even prompted the Dutch government to issue a public warning on the matter.
What will happen next? Will companies and organizations that have implemented Mifare Classic obediently upgrade to the just-announced "Mifare Plus"? Or will people simply dump RFID-based access system altogether? If jumping ship, what is there to switch to anyway? Magnetic swipe cards? - Paul
Comments
Post new comment
Home
| Subscribe | Advertise | RSS |
Privacy
| Site MapTHE FIERCEMARKETS NETWORKFierceFinance | FierceFinanceIT | FierceComplianceIT | FierceHealthcare | FierceHealthFinance | FierceHealthIT | Hospital Impact | FierceMobileHealthcare | FierceCIO | FierceCIO:TechWatch | FierceContentManagement | FierceMobileIT | FierceGovernmentIT | FierceBiotech | FierceBiotech Research | FiercePharma | FierceVaccines | FierceBiotechIT | FiercePharma Manufacturing | FierceIPTV | FierceOnlineVideo | FierceTelecom | FierceVoIP | FierceBroadbandWireless | FierceDeveloper | FierceMobileContent | FierceWireless | FierceWireless:Europe© 2009 FierceMarkets, Inc. All rights reserved. |
 |
Click here to get the FierceCIO:TechWatch email newsletter for FREE!
Be the first to comment