Karsten Nohl
Former Graduate Student
Computer Science Department
University of Virginia

Contact Information

E-mail:
PGP: 0ECC 358C 2595 1058 7861 4400 7DE2 766E 787C 2265
S/MIME: Certificate, CA

About me

CV, Research Statement

I was a graduate student at the University of Virginia from 2005 to 2008. At the moment, I live and work in Berlin. My PhD thesis proposes techniques for realizing Implementable Privacy for RFID Systems. My current research focuses on cryptography for small devices and touches on microchip security, privacy protection, and the economics of information. My advisor was David Evans.

GSM Security

Following our previous research disclosing vulnerabilities in widely deployed systems, we are currently investigating several aspects of the GSM cell phone standard. The first major stream of this research computes a rainbow-table code book to decrypt A5/1.
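To make the code-book idea concrete, here is a toy rainbow-table time-memory trade-off. This is an added example, not code from the A5/1 Security Project: the project's tables target the real A5/1 keystream generator with 64-bit keys, whereas this demo replaces the cipher with a stand-in keystream function over a 20-bit key space (an assumption, so that building and querying a table runs in seconds), uses column-dependent reduction functions of my own choosing, and omits the distinguished-point and multi-table engineering a real table needs. What it does show is the structure: precompute chains once, store only their end points, and later invert an observed output by walking candidate chains.

```python
"""Toy rainbow-table time-memory trade-off (added example, not project code).

The 'keystream' function below stands in for 'first bits of keystream produced
by this key'; the key space is shrunk to 20 bits so the demo runs quickly.
"""
import hashlib
import random
from typing import Dict, Optional

KEY_BITS = 20                      # assumption: toy key space (A5/1 uses 64-bit keys)
KEY_MASK = (1 << KEY_BITS) - 1
CHAIN_LEN = 64                     # t: cipher evaluations per chain
NUM_CHAINS = 4096                  # m: chains stored; m*t = 2^18 of a 2^20 key space


def keystream(key: int) -> int:
    """Stand-in one-way map key -> observable output (NOT A5/1)."""
    digest = hashlib.sha256(key.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") & KEY_MASK


def reduction(output: int, column: int) -> int:
    """Column-dependent reduction R_i mapping an output back into key space.
    A different R per column is what distinguishes a rainbow table from
    Hellman tables: chains that collide in different columns do not merge."""
    return (output ^ (column * 0x9E3779B1)) & KEY_MASK


def build_table(seed: int = 1) -> Dict[int, int]:
    """Precomputation: walk NUM_CHAINS chains of CHAIN_LEN steps each and keep
    only endpoint -> start point. Work ~ m*t evaluations, storage ~ m entries."""
    rng = random.Random(seed)
    table: Dict[int, int] = {}
    for _ in range(NUM_CHAINS):
        start = rng.getrandbits(KEY_BITS)
        key = start
        for column in range(CHAIN_LEN):
            key = reduction(keystream(key), column)
        table.setdefault(key, start)   # on endpoint collision keep the first start
    return table


def lookup(table: Dict[int, int], target: int) -> Optional[int]:
    """Online phase: given an observed output, return a key that produces it.
    For each column i, assume the target was produced at column i, walk to the
    chain end, and if that endpoint is stored, rebuild the chain from its start.
    A stored endpoint whose chain does not contain the target is a false alarm
    and simply falls through to the next column."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        key = reduction(target, i)
        for column in range(i + 1, CHAIN_LEN):
            key = reduction(keystream(key), column)
        start = table.get(key)
        if start is None:
            continue
        key = start
        for column in range(CHAIN_LEN):
            if keystream(key) == target:
                return key
            key = reduction(keystream(key), column)
    return None


def success_rate(table: Dict[int, int], trials: int = 200, seed: int = 2) -> float:
    """Empirical coverage: fraction of random keys whose output the table inverts.
    Chains overlap, so coverage is noticeably below m*t / 2^KEY_BITS; the usual
    fix is several tables with different reduction families, at proportional cost."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        target = keystream(rng.getrandbits(KEY_BITS))
        found = lookup(table, target)
        if found is not None and keystream(found) == target:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    tbl = build_table()
    print("stored chains:", len(tbl))
    print("coverage estimate:", success_rate(tbl))
```

Scaling the same structure to A5/1's 64-bit key space is exactly what makes the real project a distributed computation: the key space grows by 2^44, and the table size and chain length have to grow with it.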

Project web site with technical background: A5/1 Security Project
Presentation at the 26C3: Video, Slides

Some news articles covering our GSM research:

Aug 26th USA Today: Researcher sets out to hack mobiles, including iPhone, Gphone
Aug 28th The Tech Herald: GSM Alliance downplays seriousness of GSM project
Aug 31st Financial Times: Snooping risk as hackers target mobile code
Dec 3rd IEEE Spectrum: Open-Source Effort to Hack GSM
Dec 29th New York Times: Cellphone Encryption Code Is Divulged
Dec 29th The Register: Secret code protecting cellphone calls set loose
Dec 29th The Tech Herald: GSM cracking project moves forward
Jan 1st The Times of India: Code that safeguards mobile calls cracked
Jan 1st cnet: Q&A: Researcher Karsten Nohl on mobile eavesdropping
Jan 3rd Ethiopian Review: German computer scientist breaks mobile phone codes
Jan 7th Reuters: Cellular group says mobile calls safe from hackers

Publications


Ongoing Hardware Security Research

We are continuing to reverse-engineer and pen-test embedded security functions. The current state of three of our projects was presented at the 26th Chaos Communication Congress (26C3) in Berlin.

Dec 27th '09: 26C3 Talk: GSM: SRSLY?
|-- Reactions: see above.
Dec 28th '09: 26C3 Talk: Legic Prime: Obscurity in Depth
|-- Summary at Heise
|-- Example for the far-reaching impact of the insecurities at German airports
Dec 29th '09: 26C3 Talk: DECT Security
|-- Summary at Heise
|-- Positive reaction from the DECT Forum

The GSM project and two other projects were previously presented at the Hacking at Random (HAR) conference:

Aug 15th '09: HAR Talk: Cracking A5 GSM Encryption
Aug 15th '09: HAR Talk: Breaking Hitag2
Aug 15th '09: HAR Talk: Deep Silicon Analysis

Starbug and I illustrated the state of reverse engineering smart cards (also summarized by Heise) in a talk at the 25th Chaos Communication Congress:

Dec 28th '08: 25C3 Talk: Hardware Reverse Engineering
Our research blog has periodic updates on other projects of the security research group at UVa.

TI EVM Firmware

We strongly believe that security systems generally get compromised at some point. In the case of smart card installations, a compromise typically requires the entire reader infrastructure and all cards to be replaced. This excessive cost of security breaches is avoidable when the reader infrastructure can be upgraded to implement countermeasures and support new cards.

Towards a multi-standard, fully upgradable RFID reader, we implemented Mifare Classic support in the Texas Instruments TRF7960 RFID Evaluation Module. This module provides a sound base for countermeasures including card fingerprinting, and appears to be a good upgrade platform from Mifare Classic to cards with stronger encryption. Further development on this platform is coordinated through this mailing list.

Download: The firmware and GUI from TI, and our patches for firmware and GUI to add Mifare Classic support.

This software includes a patch for the EVM stock firmware (TRF7960_Parallel_SPI_Firmware_Ver3-2_EXP.zip), which is available through the RFID-TRF7960/61 extranet. Contact TI to get access.

Mifare Security

Henryk Plötz and Starbug from the CCC Berlin and I announced the break of the cryptographic algorithm in Mifare Classic RFID smartcards at the 24C3 congress in December 2007. The Mifare Classic card is used in many micro-payment applications including the Oyster card, the CharlieCard, and the OV-Chipkaart.

To address concerns about the security of the Dutch OV-Chipkaart, we have issued this press release:

Jan 8th '08: Lost Mifare obscurity raises concerns over security of OV-Chipkaart (PDF).

In response to our work, the research agency TNO assessed the security of the OV-chipkaart system and found our claims to be accurate in a report issued Feb 29th. We welcome the report's call for the currently used cards to be replaced with more secure cards, but question the estimate that an attack will not happen within two years.

To help further understand the security of Mifare Classic-based systems, we assess the strength of the underlying cryptographic cipher and find that secret keys can be recovered within minutes on a typical PC:

Mar 10th '08: Cryptanalysis of Crypto-1 (PDF).

NXP, the manufacturer of the Mifare cards, announced an improved version that addresses all recent points of critique: it is built around standard cryptography and even provides some level of privacy protection.

Mar 10th '08: NXP introduces Mifare Plus.

The smart-card group at Royal Holloway, University of London released a third (and final) assessment of OV-Chipkaart's security for the Dutch government. The assessment confirms our analysis and recommends operators of Mifare Classic-based systems to migrate to more secure cards with publicly scrutinized cryptography:

Apr 15th '08: Royal Holloway: Security assessment of Mifare Classic in public transport.

Through further analysis of Crypto-1, we found the cipher to be highly vulnerable to algebraic attacks. Our most efficient attack takes only seconds on a PC, can operate on passively sniffed data from meters away, and works even with the strong random numbers of Mifare Plus. The results were first announced at the Eurocrypt 2008 rump session.

Apr 15th '08: Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards.

The hardware reverse-engineering technique we used to recover the Mifare Crypto-1 cipher will be presented at USENIX Security:

May 14th '08: Reverse-Engineering a Cryptographic RFID Tag.

Steve Ragan at The Tech Herald covers our story in great detail and with extensive technical expertise in a series of articles:

Mar 4th '08: University students in Virginia crack smartcard chips
Mar 12th '08: U.Va. researchers crack smartcard chips: Mifare Classic security proven weak
Mar 12th '08: Did NXP finally acknowledge security problems in their Mifare chip?
Mar 14th '08: Interview: Karsten Nohl - Mifare Classic researcher speaks up
Apr 15th '08: Replacement suggested for NXP chips used in OV-Chipkaart
Apr 16th '08: More trouble for the MiFare chips


Some news articles covering the story include:

Jan 21st '08: Schneier: Dutch RFID Transit Card Hacked
Feb 26th '08: UVa Today: Group Demonstrates Security Hole in World's Most Popular Smartcard
Feb 28th '08: Daily Progress: Security code easy hacking for UVa student
Feb 29th '08: WCAV TV: UVa Grad Student Cracks Smart Card Security Code (with video)
Feb 29th '08: WSLS.com: UVA grad, 2 other hackers claim they cracked credit cards and security badges codes
These articles are derivatives of the stories run by the Associated Press and the Media General News Service:
|-- Mar 1st '08: Daily Press: U.Va. student, hackers crack credit card security code
|-- Mar 1st '08: WVEC-TV: UVA student hackers say they've cracked smartcard encryption
|-- Mar 1st '08: WVIR NBC-29: UVA Student, Hackers Crack Credit Card Security Code
|-- Mar 2nd '08: Washington Times: Student decodes security devices
|-- Mar 2nd '08: WAVY-TV: UVA Student, Hackers Crack Credit Card Security Code
|-- Mar 2nd '08: Culpeper Star Exponent: Smartcard encryption code hacked
Mar 5th '08: SC Magazine: Hackers claim RFID smart-card hack, but chip vendor disagrees
Mar 6th '08: Boston Globe: T card has security flaw, says researcher (with video)
Mar 6th '08: Boston Herald: CharlieCard is far from hack-proof
Mar 6th '08: WCVB ABC-5 The Boston Channel: Problem Surfaces With CharlieCard Security
Mar 7th '08: PC World: Hackers Find a Way to Crack Popular Smartcard in Minutes
Mar 7th '08: Computerworld UK: Questions raised about Oyster card security
Mar 7th '08: PC World Australia: RFID encryption flawed in smart cards, researchers claim
Mar 9th '08: Richmond Times-Dispatch: U.Va. student claims to have cracked smartcard encryption
Mar 10th '08: Computerworld NZ: Hackers find a way to crack popular smartcard in minutes
Mar 10th '08: Infrasite News (Netherlands): Security hole in world's most popular smartcard
Mar 12th '08: The Register: Microscope-wielding boffins crack Tube smartcard
Mar 12th '08: PC World: RFID-Hack Hits 1 Billion Digital Access Cards Worldwide
Mar 13th '08: Contactless News (FL): Hacked smart card chips? Alliance says no
Mar 13th '08: TechRadar.com (UK): Is your Oyster card safe from hackers?
Mar 14th '08: Computerworld: RFID hack could crack open 2 billion smart cards
Mar 14th '08: RFID Journal: NXP Announces New, More Secure Chip for Transport, Access Cards
Mar 14th '08: Windows IT Pro: Countless RFID Cards At Risk
Mar 14th '08: Schneier: London Tube Smartcard Cracked
Mar 18th '08: Computerworld UK: 'Soldiers deployed' following RFID hack
Mar 19th '08: Computerworld: How they hacked it: The MiFare RFID crack explained
Mar 19th '08: CIO Today: Student Claims to Have Cracked Smartcard Encryption
Mar 21st '08: The Chronicle of Higher Education: Computer-Science Researchers Expose Security Vulnerability of Some Electronic Key-Cards
Mar 23rd '08: Tamil Star (Sri Lanka!): RFID-Hack Hits 1 Billion Digital Access Cards Worldwide
Mar 26th '08: SecureIDNews: Interview with Mifare hacker Karsten Nohl (Podcast)
Apr 1st '08: EETimes: NXP RFID encryption cracked
Apr 11th '08: Brisbane Times (Australia): Go cards 'doomed' over security
Apr 15th '08: Computerworld: MiFare RFID crack more extensive than previously thought
Apr 16th '08: Brisbane Times (Australia): New report slams go card security
Apr 16th '08: The Register: Dutch transit card crippled by multihacks
Apr 21st '08: Heise: Is the MiFare Classic RFID system blown?
May 12th '08: The Green Sheet: Fraud busting, electronic style

Please note that we have not compromised the security of credit cards as some of the articles suggest. As far as we can tell, RFID-enabled credit cards have no security (yet?), and hence there is nothing to compromise.

Further clarifications on our smartcard work have been posted to our research blog.

Google has a video of our talk at 24C3 (slides):