Backdoor Keys Are A Bad Idea

Today’s article is brought to you courtesy of Resonance Security. Normally I focus purely on software security, but today I’m casting an eye over the woeful state of security in software on dedicated hardware.

A recent paper released a week ago reveals that many of the latest incarnations of MIFARE Classic RFID tags contain a secret universal key that is now no longer so secret thanks to some clever reverse-engineering.

But first: why should you care about MIFARE Classic chips?

The sad history of MIFARE Classic

NXP is a Dutch company that designs, licenses, and manufactures NFC and RFID chips, and the MIFARE Classic is probably historically its most successful. The first version was released thirty years ago, in 1994.

These are chips that you can find used in all sorts of places for authorizing access and even payments: hotel key cards, office entry fobs, public transport travel cards, contactless payment cards, and so on. Unless you’ve lived in a cave in a forest for the last couple of decades, I can guarantee that at some point you have held something containing a MIFARE Classic chip in your hand.

I have had an interest in the MIFARE Classic chip for years, because they’re cheap and ubiquitous. And these days mobile phones come with NFC readers, and a bunch of free NFC apps, which means you can mess about with them without having to buy any expensive tools.

Lesson 1: Don’t roll your own cryptographic algorithms

NXP made their first rookie mistake, and one that we see time and time again: they invented their own encryption algorithm, which they called CRYPTO-1. The name isn’t the mistake: it’s having the hubris to believe that you, or your division of engineers, can come up with a secure encryption algorithm in isolation. In cryptography you simply don’t “roll your own” encryption algorithms.

There are cryptography experts out there who have dedicated their lives to examining and inventing encryption algorithms, and they get it wrong more often than they get it right. But that doesn’t matter, because they pay attention to lesson 2.

Lesson 2: Don’t rely on security through obscurity

What’s more, NXP didn’t make CRYPTO-1 public. That was their second mistake, and it is known as relying on “security by obscurity”. Good cryptography involves making your work public to get as many qualified eyeballs looking for flaws in your algorithms, and the community takes years between examining an encryption algorithm, and grudgingly admitting that it might well be secure. For now.

And as expected, in 2008 a couple of researchers managed to reverse-engineer CRYPTO-1, and quickly found all sorts of flaws in the algorithm that allow private keys to be recovered, and cards to be read or even edited in a matter of minutes. It wasn’t an easy job, as they had to scrape layers off the chip, examine it under a microscope, and write all sorts of image analysis programs to convert the silicon into code. But once they’d done that, cracking it was easy.

So they didn’t scrap them?

Why are MIFARE Classic cards still being used? Even NXP recommends phasing them out!

The answer is, because the infrastructure is still there. All those hotel doors, office doors, and ticket machines would cost a lot to replace, not just with physical readers, but with software to update the systems.

As a result, manufacturers of unlicensed MIFARE Classic-compatible… sorry, “comparable” cards have stepped in with cheap replacement chips featuring add-ons and improvements that are supposed to secure the unsecurable.

Backdoor keys

Now for a side-bar: what are backdoor keys?

A backdoor key is a secret key for a device that gives you access to the inner software of the device without having to go through the normal authentication process of the device.

Note that this is different from shipping the device with a default account and password that is supposed to be changed by the purchaser (but often isn’t). A backdoor key is usually built into the hardware, for example by being burned into permanent read-only memory (ROM), and is therefore almost always impossible to change.

Manufacturers sometimes like to put backdoor keys into their products, so that if there is a problem or design flaw, the key can be used to go in and fix it. Without some kind of administrator-level access, devices can get “bricked” through a bad update or simply because the user has forgotten or lost their login credentials. A backdoor is a quick and easy fix to that.

And governments like the idea of backdoor keys controlled by them so that in the event of a criminal investigation, counter-terrorist action, or sometimes the repression of dissidents, they have a tool that allows them access without costly, time-consuming, and potentially unsuccessful cyber forensics.

The problem with backdoors is that, once they are discovered, the system is compromised.

Comparable cards

I mentioned “comparable” cards a couple of sections back. One of the most successful producers of these knock-offs is the Chinese corporation Fudan, with their FM11RF08S chip. The ‘S’ at the end of that chip identifier stands for “secure”, and Fudan did indeed bolt on some functionality in an attempt to shore up the rickety edifice that is MIFARE Classic RFID chips for the 2020s.

In the paper mentioned at the beginning of this article, Philippe Teuwen from Quarkslab starts by introducing known flaws in legacy MIFARE Classic chips, then describes how Fudan has implemented something called “static encrypted nonces” to fix those flaws, and then after seven pages, reveals that in the process of hacking the new security measures, he found a backdoor key.

“Apparently, all FM11RF08S implement a backdoor authentication command with a unique key for the entire production. And we broke it.”

In fact, they found two universal backdoor keys: one for the new secured chip, and one for older Fudan chips. The backdoor keys allow anyone to read the encrypted content of the entire cards, often in less than a minute. And once the content is known, the card can be cloned.
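The point of the backdoor section above, and of the paper’s finding that one key covers “the entire production”, is really about blast radius: a recovery key that is shared by every unit turns a single key recovery into a compromise of the whole fleet. The following simulation is an added example written for this article, not code from the paper or from any chip vendor, and every key in it is a constructed dummy value. It models two factory designs: one where every unit accepts the same universal recovery key, and one where each unit’s recovery key is derived from its serial under a factory master (an assumed per-unit design, not something the paper describes), and then counts how many units a key taken from one unit would open.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed values for the simulation only; nothing here is a real vendor key.
FACTORY_MASTER = b"constructed-factory-master-secret"
UNIVERSAL_RECOVERY_KEY = hashlib.sha256(b"constructed-universal-key").digest()[:16]


@dataclass(frozen=True)
class Device:
    """One unit (e.g. a card) with the key its owner uses and a factory recovery key."""
    serial: bytes
    owner_key: bytes
    recovery_key: bytes


def derive(label: bytes, serial: bytes) -> bytes:
    """Per-unit key: HMAC of the serial under the factory master, truncated to 128 bits.
    This derivation is an assumption made for the example, not a documented vendor scheme."""
    return hmac.new(FACTORY_MASTER, label + serial, hashlib.sha256).digest()[:16]


def build_fleet(n: int, per_device_recovery: bool) -> list[Device]:
    """Manufacture n units. Owner keys are always per unit; the recovery key is
    either one universal value (the backdoor design) or derived per unit."""
    fleet = []
    for i in range(n):
        serial = f"UNIT-{i:04d}".encode()
        recovery = derive(b"recovery:", serial) if per_device_recovery else UNIVERSAL_RECOVERY_KEY
        fleet.append(Device(serial, derive(b"owner:", serial), recovery))
    return fleet


def authenticate(device: Device, presented: bytes) -> bool:
    """Accept the owner's key or the unit's recovery key, comparing in constant time."""
    return hmac.compare_digest(presented, device.owner_key) or hmac.compare_digest(
        presented, device.recovery_key
    )


def units_opened_by(fleet: list[Device], key: bytes) -> int:
    """Blast radius of a single leaked key: how many units in the fleet accept it."""
    return sum(authenticate(d, key) for d in fleet)


if __name__ == "__main__":
    n = 50
    universal = build_fleet(n, per_device_recovery=False)
    per_unit = build_fleet(n, per_device_recovery=True)
    # A recovery key extracted from one unit (index 0) is tested against every unit.
    print("universal recovery key, units opened:", units_opened_by(universal, universal[0].recovery_key))
    print("per-unit recovery key, units opened:  ", units_opened_by(per_unit, per_unit[0].recovery_key))
    print("one owner key, units opened:          ", units_opened_by(universal, universal[7].owner_key))
```

With the universal design, the key from unit 0 opens all 50 units; with per-unit derivation it opens exactly one, the same radius as a leaked owner key. Whether the recovery key is in ROM or not does not change this arithmetic, which is why a factory-wide key is the part of the design to question, not merely the strength of the cipher protecting it.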

As door locks often only read a fraction of the card’s memory to authenticate, and the scripts provided are unoptimized Python, it is quite feasible that a hacking tool could be written for a mobile phone that provides the ability to steal door-opening credentials in a few seconds with brief access to the card. With a high-gain, narrow-beam antenna, the attack could even be made from a distance of half a meter: the next table over from you at the hotel bar, for example.

Conclusion

So what is a guest who is handed a MIFARE Classic door key to do in the light of all of this?

My advice is to always use the door chain when you are sleeping in your room, and to keep all your valuables in the room safe, because that key card lock is not going to keep people out if they really want to get in.

And remember to wipe down the keypad of the safe with a wet-wipe after you’ve set your code, otherwise a brief dusting of talcum powder can show which digits you’ve selected, due to the oils from your fingertips being left behind. If you’ve picked four different digits, that gives the intruder only 24 possible combinations to try. If you’ve repeated a digit and spread more oil on the keypad so the repeated digit can be identified, then there are only 12. Note that most room safes allow three tries to get it right.

Oh, and if you have the opportunity, try to encourage security product manufacturers to get their encryption and security right.

Debbie Reynolds

The Data Diva | Data Privacy & Emerging Technologies Advisor | Technologist | Keynote Speaker | Helping Companies Make Data Privacy and Business Advantage | Advisor | Futurist | #1 Data Privacy Podcast Host | Polymath

2 months

Keir Finlow-Bates brilliant.

Milka Zelic Mr sci

TV production specialist, Journalist, Multimedial communicationer

2 months

Interesting

A very lucid write-up, Keir. History forgotten gets repeated - but even the remembered stuff rhymes.
