Academic Centre of Excellence in Cyber Security

Flavio Garcia – On the (in)security of Widely-used RFID Access Control Systems

ABSTRACT: Over the last few years much attention has been paid to the (in)security
of the cryptographic mechanisms used in RFID and contactless smart
cards. Experience has shown that the secrecy of proprietary ciphers does
not contribute to their cryptographic strength. Most notably the Mifare
Classic, which has widespread application in public transport ticketing
(e.g. Oyster) and access control systems, has been thoroughly broken in
the last few years. Other prominent examples include KeeLoq and Hitag2
used in car keys and CryptoRF used in access control and payment systems.

This talk summarizes our own contribution to this field. We will
briefly show some of the weaknesses we found in the Mifare classic. Then
we will show that the security of its higher-end competitors like
Atmel’s CryptoRF and HID’s iClass–which were proposed as secure
successors of the Mifare Classic–is not (significantly) higher. We will
also cover security issues of the Hitag2 key fob to conclude with a
discussion on responsible disclosure principles.