LONDON — A Dutch philanthropic foundation, NLnet, has given Euros 150,000 ($230,0000) to fund a project that will devise open-source smart card software that offers stronger protection of personal data in light of security vulnerabilities found with cards used today.
The project, expected to last two years, will be coordinated at the Radboud University in Nijmegen, Netherlands, and the code developed will be published for peer review, an open-source development model that can offer a stronger security model than undocumented, proprietary systems that dominate the smart-card market.
The project follows several instances of security vulnerabilities found in the most popular smartcards used for a variety of contactless applications, including the Mifare Classic chip from NXP Semiconductors (Eindhoven, the Netherlands).
Earlier this year, the researchers cloned the new Dutch Mifare travel card. As a result, the introduction of a Euros 1 billion transport payment system in the Netherlands has had to be postponed.
They also managed to clone a swipe access card to a public building in the Netherlands. According to some reports, the Dutch government immediately posted armed guards outside all its buildings and now plans to spend millions of euros upgrading its system.
And reports surfaced last week that the same team was able to crack and clone an Oyster card used by millions of Londoners through the scheme run by Transport for London in the U.K.
A spokesman for NXP told Times OnLine : "We are aware that the Dutch researchers have reverse engineered the algorithm and we are taking this issue very seriously. We' have informed all of our system integrators and advised them to closely assess their systems. We are talking to the guys at Radboud University and have identified various counter measures."
Last month , Heikki Huomo, general manager of the NFC sector at NXP, told EE Times Europe in an interview that the chip group is about to introduce Mifare Plus, an addition to the company's existing platforms for mobile integration that it has been offering for a decade.
The latest version will be targeted at automatic fare collection and access management applications that require relatively high security elements, and sits at about halfway between four existing offerings (Ultra Lite, Classic, DesFire and SMX).
The Classic, Plus and DesFire versions will also be offered as embedded secure elements in about 18 to 24 months. "We need time to develop these as they mean modifications at chip level, changes to the operating system and Common Criteria certification," said Huomo.
According to Michiel Leenaars, strategy director at the NLnet foundation, "With the failure of that first generation of smart cards for public transport in the Netherlands and elsewhere a huge disinvestment is looming. That cost or even the delay is just not acceptable for societies that depend heavily on this critical infrastructure".
The research at Radboud University Nijmegen will be carried out within the Digital Security Group, headed by Professor Bart Jacobs and Dr. Wouter Teepe.
The group has already revealed on numerous occasions other weaknesses in smart cards. For instance, the researchers figured out how the Mifare Classic's encryption algorithm worked, allowing them to obtain the 48-bit encryption keys the cards used.
The researchers plan to ascertain whether the proposed privacy techniques are actually suitable for an efficient, robust and secure implementation of smart cards --usable in other classes of systems such as mobile phones or pocket computers.
Related Articles:
Mobile NFC moves closer to the money
NFC Phones: Next Hacker Target
NXP tops list of vendors for NFC, contactless ICs
NXP RFID encryption cracked
'Tube' to trial mobile phone based payment scheme
