UVa Student Picks Apart Security Code

From Daily Progress.com:

A University of Virginia graduate student and two fellow hackers say they have cracked the encryption code that protects billions of credit cards, subway passes and security badges.

With readily available equipment that cost less than $1,000, 26-year-old Karsten Nohl and his two Germany-based partners dismantled a tiny chip that is found inside many “smartcards” and mapped out its secret security algorithm.

With the cryptographic formula in hand, the hackers were then able to run it through a computer program that tried out every possible key. It broke the encryption after a few hours. If they were to try again, Nohl said, it would take a matter of minutes.

“I don’t want to help attackers, but I want to inform people about the vulnerabilities of these cards,” said Nohl, a Ph.D. candidate in computer engineering at UVa who is originally from Germany.

So, why does this seem familiar? The article seems a touch confusing. Did he break crypto or simply RFID? The quote from the article “found that it was fairly easy to crack the RFID chip’s code, potentially allowing a tech-savvy miscreant to clone credit cards, ride the Metro for free, or easily steal cars.” seems to indicate that they merely attacked the RFID as opposed to some encryption. Does anyone have a link to Nohl’s presentation from CCC?

Article Link

[tags]RFID, Karsten Nohl[/tags]

Posted by Dave Lewis on February 28, 2008. Filed under Crypto,Wireless. You can follow any responses to this entry through the RSS 2.0. You can skip to the end and leave a response. Pinging is currently not allowed.