Security researchers say they’ve found a way to crack the encryption used to protect a widely-used smartcard in a matter of minutes, making it possible for them to quickly and cheaply clone the cards that are used to secure office buildings and automate the collection of mass transportation fares.

The attack works against the Mifare Classic, a wireless card made by Netherlands-based NXP Semiconductors. It is used by transit operators in London, Boston and the Netherlands and by organizations in the public and private sectors to control access to sensitive areas, according to Karsten Nohl, a PhD candidate at the University of Virginia and one of the cryptographers who discovered the weakness. NXP says it’s sold 1 billion to 2 billion of the cards.

Schneier has a post on this. Here is the research paper that describes this flaw.

Thanks to Jakob Peter for sending me this paper!