On the (in)security of widely-used RFID access control systems
- 👤 Speaker: Dr. Flavio D. Garcia, University of Birmingham
- 📅 Date & Time: Tuesday 11 February 2014, 15:00 - 16:00
- 📍 Venue: Lecture Theatre 2, Computer Laboratory, William Gates Building
Abstract: Over the last few years much attention has been paid to the (in)security of the cryptographic mechanisms used in RFID and contactless smart cards. Experience has shown that the secrecy of proprietary ciphers does not contribute to their cryptographic strength. Most notably the Mifare Classic, which has widespread application in public transport ticketing (e.g. Oyster) and access control systems, has been thoroughly broken in the last few years. Other prominent examples include KeeLoq and Hitag2 used in car keys and CryptoRF used in access control and payment systems.
This talk summarizes our own contribution to this field. We will briefly show some of the weaknesses we found in the Mifare Classic. Then we will show that the security of its higher-end competitors like Atmel’s CryptoRF and HID’s iClass – which were proposed as secure successors of the Mifare Classic – is not (significantly) higher. We will also cover security issues of the Hitag2 key fob to conclude with a discussion on responsible disclosure principles.
Bio: Garcia is a faculty member in Birmingham’s Security and Privacy Group, and is currently employed as a “Birmingham Fellow”. His work focuses on the design and evaluation of cryptographic primitives and protocols for small embedded devices like RFID and smart cards. His research achievements include breakthroughs such as the discovery of vulnerabilities in Mifare Classic, iClass, CryptoMemory and HiTag2. The first of these, Mifare Classic, was widely used for electronic payment (e.g. London Underground) and access control (e.g. Amsterdam Airport). Garcia showed that the cryptography in the card was fatally flawed. HiTag2, the most widely used key fob used in car keys, was also found to be insecure.
Garcia’s work has been widely recognised as world-leading, including “Best Paper” awards from the leading IEEE Security & Privacy and USENIX WOOT conferences and the 2008 I/O Award from the Dutch research council for the best paper bringing computer science research to the attention of the general public. Garcia joined the security group at the University of Birmingham in February 2013.
Series: This talk is part of the Computer Laboratory Security Seminar series.