Within one week, two icons of RFID security have been toppled: First, the Chaos Computer Club (CCC) cracked the encryption scheme of NXPs Mifare Classic chip which is used in countless payment and access control solutions, and then Microchip's Keeloq encryption system has been deciphered. Again, the target system was not an exotic singular device; quite the contrary. Keeloq secures the access to vehicles of some of the largest vendors including Chrysler, General Motors, Fiat, Lexus, Volvo and Volkswagen plus garage doors and other radio-controlled doors in large quantities. Easy to imagine that the owners of such cars now are quite alarmed in line with automotive OEMs and building automation designers.
It is not really a reassurance that both hacks despite the statement from CCC that it took little effort to outmaneuver the system required significant engineering effort and computing power. Sooner or later, an instruction guide how to crack these systems will be posted in the internet and then it is only a matter of time until some obsucrantists will execute them in order to make money with it.
The events are new instances for the obviously ever-ongoing ping pong game between security engineers and cryptography experts at one side and hackers at the other one. Most encryption systems ballyhooed as absolutely secure have been cracked after some time; both sides build up ever more powerful encoding systems at one side and hacking tools at the other one. Biometry is not an answer since we are in the segment of machine-to-machine communication where fingerprints or iris measurements simply are not available.
Nevertheless, both cracked systems have one aspect in common: Both were proprietary systems. Proprietary systems do not per se offer less security. However, all open systems such as DES or AES are less likely to be cracked: Simply through the fact that, being in the open domain, they are constantly challenged by armies of crackers and cryptographers. Thus, the likelihood that they fall victim to shady groups is much lower. This is an aspect all designers of security-critical system should consider.