MUNICH, Germany - The Chaos Computer Club (Hamburg, Germany) has cracked the encryption scheme of NXP's popular Mifare Classic RFID chip. The device is used in many contactless smartcard applications, including fare collection, loyalty cards and access control cards. NXP downplays the significance of the hack.
According to a report in Sueddeutsche Zeitung, Chaos Computer Club (CCC) experts along with colleagues from the University of Virginia cracked the encoding scheme with little effort. The achievement allows the crackers to read out data, recharge payment cards, copy RFID cards or generate "new" users.
The Mifare Classic family is sold in large volumes. Its memory has a capacity of 1 to 4 kByte, explained a spokesperson at NXP's Austrian RFID competence center. Because the chip has been on the market since the mid-nineties, the proprietary 48-bit encoding scheme is not necessarily up to today's requirements. Nevertheless, NXP sees no need to modify the encryption.
The spokesperson pointed out that the company also offers other RFID chips with higher security, up to Triple DES or AES. "We will inform our customers about the incident," the spokesperson said. But it is up to the system integrator or customer to decide whether to continue relying on the Mifare Classic. "There are certainly applications for which the Classic can be used. We have no plans to withdraw the product from the market."
The spokesperson also pointed out that the Mifare Classic is not used in security-critical applications such as passports or electronic health cards.
The Chaos Computer Club was not available for comment.