"A University of Virginia graduate student and two fellow hackers say they have cracked the encryption code that protects billions of credit cards, subway passes and security badges. With readily available equipment that cost less than $1,000, 26-year-old Karsten Nohl and his two Germany-based partners dismantled a tiny chip that is found inside many smartcards and mapped out its secret security algorithm. With the cryptographic formula in hand, the hackers were then able to run it through a computer program that tried out every possible key. It broke the encryption after a few hours. If they were to try again, Nohl said, it would take a matter of minutes.

'I don't want to help attackers, but I want to inform people about the vulnerabilities of these cards,' said Nohl, a Ph.D. candidate in computer engineering at UVa who is originally from Germany.

The wireless chips - which employ technology known as radio-frequency identification, or RFID - are found inside most modern credit cards, car keys, security keycards and subway passes. The chips send an encoded numeric signal to the reading device, which allows the user to simply wave their card to gain access to secure buildings, remotely unlock a car, pay for public transportation and much more. Yet Nohl and his colleagues - Henryk Plötz and an anonymous hacker known only as Starbug - found that it was fairly easy to crack the RFID chip's code, potentially allowing a tech-savvy miscreant to clone credit cards, ride the Metro for free, or easily steal cars.

The three computer whizzes announced their findings at the Chaos Communications Congress in Berlin, an annual worldwide convention of hackers. They are not releasing the details of how they beat the chip's security code. But, Nohl added, if they could defeat the code, it is possible that criminals might also have done so.

The popular chip that the trio dissected is called the Mifare Classic RFID chip and is manufactured by NXP Semiconductors, a Netherlands-based company formerly affiliated with the electronics firm Philips. Manuel Albers, director of regional marketing for North and South America for NXP, disputed that Nohl and his compatriots breached the chip's security, as they obtained only a portion of the cryptographic algorithm. In fact, he said, the company's chips have multiple layers of security and are not in danger of being totally compromised. The company has been in contact with Nohl and his team and is reviewing their findings, Albers said.

'We constantly improve and review our products to make sure it's up to snuff with the latest security threats,' he said.

Moreover, Albers said, NXP manufactures chips with a range of security levels, ranging from zero to substantial protection. The chip examined by Nohl was a relatively simple version with little security, he said.

Projects such as hacking the security code of an RFID chip are the evil twin of Nohl's regular research, he said, which focuses on the development of cryptographic algorithms for computer security. Nohl's faculty advisor, David Evans, an associate professor in UVa's School of Engineering and Applied Science, said in a statement that exposing security flaws through hacking helps ensure that future products are more secure.

'Analyzing systems and understanding how to break them gives you a lot of insight into how to build better systems,' he said.

Hacking, Nohl said, refers to the practice of investigating the internal processes of computing technology. It is often mistaken for cracking, he said, which means to break into computer processes for fun, vandalism or profit. Nohl said that a more secure option for RFID security codes would be to rely on publicly known and time-tested security algorithms.

NXP's secret code, he said, is an example of 'security by obscurity,' or the practice of keeping the code private and hoping hackers do not figure it out. Private algorithms, Nohl said, are more likely to have flaws and vulnerabilities.

'We found significant vulnerabilities in their algorithm,' he said. 'By keeping it secret, they hurt themselves in the end.'"
(Brian McNeill, The Daily Progress, February 28, 2008)