July 9, 2008 1:17 PM PDT

Dutch chipmaker sues to silence security researchers

lawsuits

Dutch chipmaker NXP Semiconductors has sued a university in The Netherlands to block publication of research that details security flaws in NXP's Mifare Classic wireless smart cards, which are used in transit and building entry systems around the world.

NXP, formerly Philips Semiconductors, sued to prevent Radboud University Nijmegen from publishing a scientific paper on the technology in October. A hearing is scheduled for Thursday in the Dutch court, Rechtbank Arnhem.

"We feel the publication would not be responsible," NXP said in an e-mail statement when asked to comment for this article on Wednesday. "We cannot give further comments at this time, as it is in the hands of the court and the court has given a confidentiality order."

A court decision on the matter is expected next week, according to Karsten Nohl, a University of Virginia graduate student who worked with others to break the crypto algorithm last year and has been closely following the case.

The Dutch university's research builds upon Nohl's work. Nohl said he plans to publish his research in August and that NXP has not sued him to halt publication of his work.

"NXP spent most of this year defending the technology," Nohl told CNET News in a phone interview this week. "Only recently have they started admitting that the security is flawed, but they are still not ready for this to leak into the public domain."

"The only thing NXP would achieve if they win the lawsuit is prevent information from getting to other research groups that might very well be looking for solutions to this problem," Nohl said. Meanwhile, information on how to break the cryptography on the smart cards is already available to criminals who are willing to pay tens of thousands of dollars, he added.

A statement issued by the Dutch university in March says: "Because some cards can be cloned, it is in principle possible to access buildings and facilities with a stolen identity. This has been demonstrated on an actual system."

Dr. Bart Jacobs of Radboud University Nijmegen demonstrated last month how he could ride the London transit system for free. Once he obtained the key used by the London transit system, he brushed up beside passengers carrying Oyster transit cards and was able to collect their card information on his laptop and make a clone of a card.

This YouTube video shows how it is done:

In addition to the transit system in The Netherlands, the technology is used in the subway systems in London, Hong Kong and Boston, as well as in cards for accessing buildings and facilities. The Mifare technology is used in more than 80 percent of the market, Nohl said.

The university defended its plans to publish the research in a statement released Monday in Dutch, saying it has a duty to research and publish data on security technology flaws so that they can be fixed.

by CmdrRickHunter July 9, 2008 2:01 PM PDT
There's a well-known tradeoff between security and convenience. Methinks RFID is too low on security. Does such information REALLY need to be conversed in broadcasted radio waves?
by martinoei July 9, 2008 5:12 PM PDT
As a Hong Kong resident and IT columnist, I have to tell you that Hong Kong transit is using the Sony Felica system, not the Mifare. Please find the fact carefully before publishing the blog article.
by SeizeCTRL July 9, 2008 6:22 PM PDT
LOL there has been tons of stuff on mifare hacks floating around for quite some time. What do they think they can do? It's already on the internet for those who feel the need to look.

Unless they have a time machine, there's nothing they can do now... the information is already out there.
by mbridge July 28, 2008 9:53 PM PDT
There should be set guidelines on handling situations like this - especially since they pop up quite often. The researchers should give the findings over to the provider, in this case NXP Semiconductor, with the expectation that they will fix the security flaw. In a short amount of time, say 3-6 months, the researchers should be permitted to publicize their findings. This gives NXP ample time to fix the issue. If they cannot fix the issue in that time then hopefully someone who receives the publication can find a fix for them... before too many free rides are taken on the subway.

The researchers have every right to publish their findings based on freedom of speech. Decency would however dictate that they give NXP a "reasonable" amount of time to fix the issues they've found.

http://www.MBridge.com