| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 01 Jan 2016 12:59:49 +0100 From: Ralf Spenneberg <info@...t.de> To: bugtraq@...urityfocus.com Subject: OSS-2016-02: Weak authentication in NXP Hitag S transponder allows an attacker to read, write and clone any tag OS-S Security Advisory 2016-02 Date: January 1st, 2016 Updated: January 1st, 2016 Authors: Oguzhan Cicek, Hendrik Schwartke, Ralf Spenneberg CVE: Not yet assigned CVSS: 6.2 (AV:L/AC:L/Au:S/C:C/I:C/A:N) Title: Weak authentication in NXP Hitag S transponder allows an attacker to read, write and clone any tag Severity: Critical. All applications relying only on the Hitag S security are broken. Ease of Exploitation: Trivial Vulnerability: Weak authentication using 48 bit key and 24 bit password Product: NXP Hitag S transponder Abstract The Hitag S transponder supports a crypto mode. In crypto mode the transponder requires a bilateral authentication before the transponder may be read or written. This authentication uses a 48 bit key and a 24 bit password. The underlying algorithm is not publicly documented. We determined that the Hitag S transponder uses the same crypto algorithm as the Hitag 2 which was published already in 2006 by Wiener [1]. The algorithm may be broken using a crypto-analytic attack published at Usenix 2012 [2] and using SAT-Solvers. The cryptoanalytic attack requires 150 sniffed authentication challenges between a valid reader and a corresponding transponder. The attack using SAT solver requires 2 such challenges because every authentication challenge provides only 40 bits encrypted data with known plaintext. To deduct the 48 bits of the used key more data is required. Using SAT solvers the key can usually be retrieved within 5 days. The Hitag S may read-protect the areas where the key and a password is stored. While the key may be broken and is thus known to the attacker the password send by the transponder during the authentication. Although the password is send encrypted the attacker may decrypt the password using the broken key. Impact The attacker may read and write all not-protected areas of the transponder. The applications using the transponder need to implement there own mechanisms to protect the integrity and confidentiality of the stored information. The attacker may emulate the transponder (using for example the proxmark 3) since the protocol and crypto algorithm is now known and the attacker has access to the full content of the transponder to be emulated. Vendor Contact The vendor NXP was first contacted July 17th 2015 using [info|security| abuse]@nxp.com. We did not receive any response. We contacted NXP a second time using psirt@....com on November 17th 2015. This time we received a response and communicated the vulnerability to the vendor. [1] https://web.archive.org/web/20120127012528/http://cryptolib.com/ciphers/hitag2 [2] https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/verdult -- OpenSource Security Ralf Spenneberg http://www.os-s.de Am Bahnhof 3-5 48565 Steinfurt Germany Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757
Powered by blists - more mailing lists