A German news report stating that physical access control systems at some airports were compromised may have been overstated, according to sicherheit.info. The system, however, is vulnerable to attacks, similar to the original Mifare hack in 2008.
New reports suggest that journalists did not actually gain access to restricted airport areas, as originally reported. Instead they talked about how it may be possible to gain access to the areas. Also, EU regulations state that airports must have multi-factor security in place and it takes more than a badge to gain access to airside areas.
In December the Chaos Computer Club announced a vulnerability with the Legic Prime contactless system and that system was in used at some German airports. Legic began offering a more advanced and secure contactless solution called Legic advant in 2003.
Chaos Computer Cub member Karsten Nohl stated that cracking the older Prime technology was not much of an issue. However tapping into Prime communications requires some specialized equipment, including a Proxmark3 type RFID test device, an oscilloscope and a mathematical logic analysis method. Simulating a card also demands more software, a special emulator and IT knowledge.
Since the attack was released Legic’s has been telling users to add another factor of security, such as PIN video monitoring or biometrics, to the system. The company also states that many airports have already begun the migration to the advant system. “Prime uses a fixed encryption method which reflects the technical capabilities of contactless transponder technologies at the time the product was launched in 1992,” says Klaus U. Klosa, Legic Identsystems Ltd’s CEO. “Such methods are based on keeping the algorithms which are used secret. Currently popular methods are based on open algorithms and secret keys. Compared with current methods, older methods are scrutinized more intensively.”
Hagen Zumpe, editor-in-chief of PROTECTOR, says there is a need to put things into context: “I’m surprised that the Prime technology, which came onto the market in 1992, is still used in many high-security applications. For over five years now, Legic has been supplying its successor technology, Legic advant, which is secure up to AES levels which is currently state of the art.”
Updating the system at the Hamburg airport would require replacing 15,000 cards.
The attack is reminiscent of the ’08 announcement by Nohl and others that the security of the original Mifare contactless technology was compromised. Similarly, the technology was still widely used though newer more secure versions had been released to the market years before.