Security code easy hacking for UVa student

A University of Virginia graduate student and two fellow hackers say they have cracked the encryption code that protects billions of credit cards, subway passes and security badges.

With readily available equipment that cost less than $1,000, 26-year-old Karsten Nohl and his two Germany-based partners dismantled a tiny chip that is found inside many “smartcards” and mapped out its secret security algorithm.

With the cryptographic formula in hand, the hackers were then able to run it through a computer program that tried out every possible key. It broke the encryption after a few hours. If they were to try again, Nohl said, it would take a matter of minutes.

“I don’t want to help attackers, but I want to inform people about the vulnerabilities of these cards,” said Nohl, a Ph.D. candidate in computer engineering at UVa who is originally from Germany.

The wireless chips - which employ technology known as radio-frequency identification, or RFID - are found inside most modern credit cards, car keys, security keycards and subway passes. The chips send an encoded numeric signal to the reading device, which allows the user to simply wave their card to gain access to secure buildings, remotely unlock a car, pay for public transportation and much more.

Yet Nohl and his colleagues - Henryk Plötz and an anonymous hacker known only as Starbug - found that it was fairly easy to crack the RFID chip’s code, potentially allowing a tech-savvy miscreant to clone credit cards, ride the Metro for free, or easily steal cars.

The three computer whizzes announced their findings at the Chaos Communications Congress in Berlin, an annual worldwide convention of hackers. They are not releasing the details of how they beat the chip’s security code. But, Nohl added, if they could defeat the code, it is possible that criminals might also have done so.

The popular chip that the trio “dissected” is called the Mifare Classic RFID chip and is manufactured by NXP Semiconductors, a Netherlands-based company formerly affiliated with the electronics firm Philips. - dailyprogress