July 9, 2008 1:17 PM PDT

Dutch chipmaker sues to silence security researchers

by Elinor Mills

Dutch chipmaker NXP Semiconductors has sued a university in The Netherlands to block publication of research that details security flaws in NXP's Mifare Classic wireless smart cards, which are used in transit and building entry systems around the world.

NXP, formerly Philips Semiconductors, sued to prevent Radboud University Nijmegen from publishing a scientific paper on the technology in October. A hearing is scheduled for Thursday in the Dutch court, Rechtbank Arnhem.

"We feel the publication would not be responsible," NXP said in an e-mail statement when asked to comment for this article on Wednesday. "We cannot give further comments at this time, as it is in the hands of the court and the court has given a confidentiality order."

A court decision on the matter is expected next week, according to Karsten Nohl, a University of Virginia graduate student who worked with others to break the crypto algorithm last year and has been closely following the case.

The Dutch university's research builds upon Nohl's work. Nohl said he plans to publish his research in August and that NXP has not sued him to halt publication of his work.

"NXP spent most of this year defending the technology," Nohl told CNET News in a phone interview this week. "Only recently have they started admitting that the security is flawed, but they are still not ready for this to leak into the public domain."

"The only thing NXP would achieve if they win the lawsuit is prevent information from getting to other research groups that might very well be looking for solutions to this problem," Nohl said. Meanwhile, information on how to break the cryptography on the smart cards is already available to criminals who are willing to pay tens of thousands of dollars, he added.

A statement issued by the Dutch university in March says: "Because some cards can be cloned, it is in principle possible to access buildings and facilities with a stolen identity. This has been demonstrated on an actual system."

Dr. Bart Jacobs of Radboud University Nijmegen demonstrated last month how he could ride the London transit system for free. Once he obtained the key used by the London transit system, he brushed up against passengers carrying Oyster transit cards and was able to collect their card information on his laptop and clone the cards.

This YouTube video shows how it is done:

In addition to the transit system in The Netherlands, the technology is used in the subway systems in London, Hong Kong and Boston, as well as in cards for accessing buildings and facilities. The Mifare technology is used in more than 80 percent of the market, Nohl said.

The university defended its plans to publish the research in a statement released Monday in Dutch, saying it has a duty to research and publish data on security technology flaws so that they can be fixed.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by CmdrRickHunter July 9, 2008 2:01 PM PDT
There's a well-known tradeoff between security and convenience. Methinks RFID is too low on security. Does such information REALLY need to be conversed in broadcasted radio waves?
by martinoei July 9, 2008 5:12 PM PDT
As a Hong Kong resident and IT columnist, I have to tell you that Hong Kong transit is using the Sony Felica system, not the Mifare. Please find the facts carefully before publishing the blog article.
by SeizeCTRL July 9, 2008 6:22 PM PDT
LOL there has been tons of stuff on mifare hacks floating around for quite some time. What do they think they can do? It's already on the internet for those who feel the need to look.

Unless they have a time machine, there's nothing they can do now... the information is already out there.
by mbridge July 28, 2008 9:53 PM PDT
There should be set guidelines on handling situations like this - especially since they pop up quite often. The researchers should give the findings over to the provider, in this case NXP Semiconductor, with the expectation that they will fix the security flaw. In a short amount of time, say 3-6 months, the researchers should be permitted to publicize their findings. This gives NXP ample time to fix the issue. If they cannot fix the issue in that time then hopefully someone who receives the publication can find a fix for them... before too many free rides are taken on the subway.

The researchers have every right to publish their findings based on freedom of speech. Decency would however dictate that they give NXP a "reasonable" amount of time to fix the issues they've found.

http://www.MBridge.com
by securityservice November 5, 2008 1:11 AM PST
Thank you for sharing useful information. For my thoughts on the First Amendment and speech that reveals security breaches, see my Crime-Facilitating Speech, though of course the legal analysis would apply only to U.S. lawsuits. We want you to come up with more information so that will be useful to everyone.

http://www.hacker4lease.com/
by KevinJLam December 9, 2008 11:21 AM PST
As a security researcher myself who has reported vulnerabilities to Microsoft (both as an employee there and now external to Microsoft), my experience has been that public disclosures like these are rarely a good thing. I know I am pissing a lot of peers off right now, but ask yourself this: "By disclosing this vulnerability to the public, have I reduced, heightened, or not affected the overall risk to this company's customers?". In 9 times out of 10 cases all you've done is increased the risk, even if you mask most of the details.

Why don't researchers release this information after the company has had time to address the issue and given them time to distribute the patch? Because by then the buzz is over and the marketing opportunity (yes, that's what I said) has passed. I blogged about this at http://blog.impactalabs.com/2008/10/29/security-awareness-called-out-finally-gimmicks/.

--Kevin
http://www.impactalabs.com
http://blog.impactalabs.com
http://www.buildingsecurecode.com