Dissertation: security analysis of contactless payment cards

Here’s an interesting academic document we found related to hardware hacking. In this published doctoral dissertation, Timo Kasper from the Ruhr-University Bochum, Germany, presents in detail his efforts in analyzing the security of Mifare smart cards. “The tools are first employed for analyzing a contactless payment application, which is based on Mifare Classic technology, with more than one million issued cards. This thesis illustrates an implementation for extracting the cryptographic keys of the cards in seconds and then, how to (wirelessly) modify the content of any card in the system. An unskilled adversary can in consequence produce virtual currency on her card (or others’ cards), without paying real money, and carry out payments with a fraudulently increased credit balance. The main flaw in this system is a fatal lack of key derivation, i.e., the same secret keys are used for all cards in the system.”

The 381-page PDF can be downloaded from Ruhr-Universität Bochum. (Page 42 reminds us of our own university days…)

Join the Conversation

1 Comment

Leave a comment

Leave a Reply to Tom P. Cancel reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.