Security Breach: Enhanced Attacks Bypass MIFARE Classic Encryption

In July 2024, cybersecurity experts uncovered a new vulnerability in the MIFARE Classic contactless card technology, which is widely used in transportation systems, access control, and other critical areas. This technology has long attracted the attention of both researchers and malicious actors, but recent discoveries suggest that the vulnerability may be more severe than previously thought.

Researchers from the French company Quarkslab conducted a detailed analysis of the Crypto-1 encryption algorithm, which is employed in MIFARE Classic cards to protect data. Developed in the 1990s, this algorithm has been considered obsolete for several years, yet it remains in widespread use. New attack methods, such as enhanced brute force techniques and side-channel attacks, now allow attackers to bypass security and clone cards with much greater ease.

Specifically, the experts found that an attack on one of the weak points of the Crypto-1 algorithm enables the rapid calculation of the encryption key, granting attackers access to all data stored on the card. With specialized equipment and software tools, such as Proxmark3, attackers can clone a card in just a few minutes.

This situation is of grave concern to organizations that rely on MIFARE Classic cards for security. These include major city transportation systems, universities, commercial enterprises, and even government institutions.

Experts strongly recommend that all users of this technology urgently consider transitioning to more modern solutions, such as MIFARE DESFire, which utilizes more robust encryption algorithms like AES (Advanced Encryption Standard).

Furthermore, specialists point out that the issue affects not only access control systems but also other domains where MIFARE Classic cards are used, such as payment systems, identification, and monitoring. Companies relying on outdated cards may face significant financial and reputational risks if their systems are compromised.

In response, many companies and organizations have begun urgent reviews of their security systems. Some have already started a phased upgrade of their infrastructure, which, while requiring substantial investment, will ultimately help avert more serious issues.

Researchers also emphasize that the use of outdated technologies in critical security systems is unacceptable in the modern era, where cyber threats are becoming increasingly sophisticated. To ensure security and prevent potential attacks, it is essential to adopt modern technologies capable of providing a high level of data protection.