Chip maker sues to quash research on RFID smart card security flaws

Sharon Gaudin   Today’s Top Stories   or  Other Spam, Malware and Vulnerabilities Stories  

Extending Client Refresh - 11 Steps to Maximize Savings Lower the Cost and Complexity of a Mobile Workforce through Automation Managing Mobility: Improve Data Security, Compliance and Manageability Southern Company Defending Against the Storm Share our Strength 8 Questions To Ask About Your Intrusion-Security Solution Computerworld Technology Briefings IT Service Management Computerworld Briefing - Analytics: The Art and Science of Better Sign up to receive Resource Alerts

July 10, 2008 (Computerworld) -- A semiconductor company is suing a Dutch university to keep its researchers from publishing information about security flaws in the RFID chips used in up to 2 billion smart cards.

The cards are used to open doors in corporate and government buildings and to board public transportation systems.

NXP Semiconductors filed suit in Court Arnhem in The Netherlands against Radboud University Nijmegen. The company is pushing the courts to keep university researchers from publishing a paper about reported security flaws in the MiFare Classic, an RFID chip manufactured by NXP Semiconductors.

The paper is slated to be presented at the Esorics security conference in Malaga, Spain, this October, according to Karsten Nohl, a graduate student who was part of a research group that originally broke the encryption last year. Nohl told Computerworld on Thursday that he gave his research to the Dutch university so it could build on what he had done, and he has been closely following its progress.

"I think it's crucial that it's published in an academic conference where researchers can work on solutions," said Nohl. "I don't think there's any good outcome for NXP. Say they were to win. They'd be keeping information away from the academics who might come up with solutions."

NXP declined to be interviewed for this story but said in an e-mailed statement, "We cannot give further comments at this time, as it is in the hands of the court and the court has given a confidentiality order."

Representatives from the university did not respond before deadline.

Call out the military

Nohl said the problem lies in what he calls weak encryption in the MiFare Classic smart card. In March, he said that once he had broken the encryption, he would need only a laptop, a scanner and a few minutes to get the cryptographic key to an RFID door lock and create a duplicate card to open it at will.

Since the MiFare Classic smart cards use a radio chip, Nohl said he easily can scan them for information. If someone came out of a building carrying a smart card door key, he could walk past them with a laptop and scanner in a backpack or bag and skim data from their card. He also could walk past the door and scan for data captured to the reader.

Once he's captured information from a smart card and/or the card reader on the door, he would have enough information to find the cryptographic key and duplicate a smart card with the necessary encryption information to open the door. He said the whole process would take him less than two minutes.

And that, according to Ken van Wyk, principal consultant at KRvW Associates, is a big security problem.

Continued...
1 | 2 | NEXT  

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

The 5 best, worst features of Chrome OS iPhone owners demand to see Apple source code Mike Elgan: Four things you need to know about Apple More top stories...

Open-source virtualization: Who's biting? Some Nook e-readers won't make it for the holidays New H-1B hiring bill takes aim at tech firms

See your link here

Editors' Picks Windows 7 tricks: 20 top tips and tweaks Getting to know Windows 7? Don't stop now: From speeding up taskbar thumbnails to reining in UAC, here are 20 ways to make Windows 7 act the way you want. Review: Taking the Droid on the road Is Motorola's new Droid good enough to vanquish iPhone envy? To find out, we took it on a 3-day trip. Opinion: Linux desktop turns 10; world yawns Sure, you could always use Linux as a desktop OS, but Corel Linux 1.0 was the first distro designed for ordinary users. It's been a long, strange trip since then. Review: 3 Windows 7 touch-screen laptops New touch-screen laptops from Fujitsu, HP and Lenovo take advantage of Microsoft Windows 7's touch-friendly infrastructure. » See more hot topics hot topics Windows 7 Get the latest news, reviews and more about Microsoft's newest desktop operating system. Apple Microsoft Google iPhone Mac A to Z » See more hot topics special report topics View the top-rated IT workplaces. General Mills, Genentech, San Diego Gas & Electric, University of Pennsylvania and Monsanto top the list. More Special Reports 2008 Best Places to Work in IT 2007 Best Places to Work in IT 2008 Salary Survey 2007 Salary Survey 2006 Salary Survey 2009 Premier 100 IT Leaders 2008 Premier 100 IT Leaders 2007 Premier 100 IT Leaders 2008 IT Forecast 2007 IT Forecast 40 Years of Computerworld Top Green-IT 2009 Top Green-IT 2008 The FAQs About Going Green IT Schools to Watch iPhone: One Year Later Global Mobile Your Next Data Center Management: Reinventing IT Stop Data Leaks Web 2.0 Security Surviving Disasters Managing Storage Virtualization The Lean Storage Machine Storage on Trial Can Web 2.0 Save BI? Bypass These BI Potholes All Zones The SAS Zone Software Resource Center Mobile Security Disaster Recovery & Cost Savings Strategic Content Management Business Analytics Zone

• The 5 best, worst features of Chrome OS
• Open-source virtualization: Who's biting?
• iPhone owners demand to see Apple source code
• More top stories