top | item 41269551

dave_universetf | 1 year ago

Possibly so. It just means that based on the report's findings, even if you'd decided to play it safe and buy exclusively from NXP directly (the creators of this ecosystem and owners of the MIFARE trademark), it looks like you could still end up with backdoored hardware.

jeffbee|1 year ago

Sorry if I was being unclear with my compound snark, but using a MIFARE Classic of any provenance would be a firing offense for the CISO of my daydream company.

dave_universetf|1 year ago

Indeed. Alas (or fortunately, depending on which colour team you work on), fully broken MIFARE Classic is still all over the place, and likewise the "hardened" variant broken in this paper :(

nine_k|1 year ago

What's a good alternative? How much more expensive is it?

RockRobotRock|1 year ago

NXP would probably want to steer you away from MIFARE Classic in the first place, wouldn't they?

baby_souffle|1 year ago

Maybe for greenfield deployment… but there’s all the existing infrastructure to support.

I still see classic being installed for door/gate systems in American apartments that are under active construction in 2024. Presumably that’s because resellers either don’t know better or they just have a massive inventory.