Recent questioning of RFID security, particularly related to the chips used in transport schemes such as the Oyster card used on the London Underground, is beginning to gain momentum.
This week, a cryptography conference in Istanbul heard more revelations over how quickly the encryption key can be recovered on a MiFare Classic Card.
The story has been extensively reported in some of the trade press in the US, notably Computerworld, and in this RFID security blog. There is more background here on this University of Virginia site.
Is this an issue yet? I still err towards the view that many organisations and individuals want to to find an RFID security weakness, and are trying very hard searching for one. There aren't too many real world RFID applications being used 'in anger', and transport systems such as Oyster, like other transport systems around the world supposedly based on MiFare cards - though the detail has yet to be established - are high profile enough to be a target for 'research' into how secure the structures behind them actually are. That is not a bad thing - after all it happens in most other systems - but it's way too early to start labelling RFID as 'insecure'.
I think it is better to describe these cases as "transport systems with an element of RFID in them, whose security components are under question", rather than say, "there are question marks about RFID security." There is a marked difference. That is not to say, however, that further research may not generate future security concerns.
Technorati tags: RFID security MiFare Oyster cryptographic cipher EuroCrypt transport
