RFID chipmaker loses suit, says users must take 'urgent' action
Dutch court rules that university can publish research findings on RFID encryption flaws
Computerworld - A Dutch court has given university researchers the OK to publish their research about security flaws in the radio frequency identification (RFID) chips used in up to 2 billion smart cards. The cards are used to open doors in corporate and government buildings and to board public transportation systems.
Court Arnhem in the Netherlands late last week denied a request by NXP Semiconductors to keep researchers at Radboud University Nijmegen from publishing a paper about reported security flaws in its MiFare Classic RFID chip.
The paper is slated to be presented at the ESORICS security conference in Malaga, Spain, in October.
In a statement e-mailed to Computerworld today, Henri Ardevol, a general manager at NXP, warned that systems integrators and operators of infrastructures using the MiFare Classic cards should "urgently review their systems."
"NXP's objective, as the manufacturer of MiFare Classic chips, is to transparently update all systems integrators and operators of infrastructures which use MiFare Classic in a timely manner so that they can take the appropriate measures to upgrade the security of their systems," wrote Ardevol. "Different installations have different security requirements. However, it is not conceivable that they all will have their security upgraded to the necessary level in a period of months until this paper is published; these upgrades will take up to a number of years."
He added that the company will work with customers and partners to improve their systems.
For its part, the university celebrated the court's decision.
"The judge has ruled that publishing this scientific article falls under the principle of freedom of expression and that in a democratic society, it is of great importance that the results of scientific research can be published," the university said in a statement posted on its Web site. "In the opinion of the university, the evidence-based results of this research must find their way into the public sphere in order to achieve societal significance."
Neither NXP nor the university responded to interview requests before deadline.
In the statement, the university said that its researchers had previously notified both the Dutch government and NXP about the results of the research. The school also pointed out that it had "deliberately withheld further details" about flaws in the chip's security so the company would have time to address the problems.
Karsten Nohl, a graduate student who was part of a research group that originally broke the smart card's encryption last year, told Computerworld in a previous interview that he gave his research to the Dutch university so it could build on what he had done, and he has been closely following its progress.
"I think it's crucial that it's published in an academic conference where researchers can work on solutions," said Nohl.
Nohl said the problem lies in what he calls weak encryption in the MiFare Classic card. In March, he said that once he had broken the encryption, he would need only a laptop, a scanner and a few minutes to get the cryptographic key to an RFID door lock and create a duplicate card to open it at will.
Since the MiFare Classic smart cards use a radio chip, Nohl said he easily can scan them for information. If someone came out of a building carrying a smart-card door key, he could walk past them with a laptop and scanner in a backpack or bag and skim data from their card. He also could walk past the door and scan for data captured to the reader.
Nohl said that once he had captured information from a smart card and/or the card reader on the door, he would have enough information to find the cryptographic key and duplicate a smart card with the necessary encryption information to open the door. He said the whole process would take him less than two minutes.
Ken van Wyk, principal consultant at KRvW Associates LLC, said in an earlier interview that one European country had deployed soldiers to guard some government facilities that used the MiFare Classic chip in their door key smart cards.
"Deploying guards to facilities like that is not done lightly," he said. "They recognize that they have a huge exposure. Deploying guards is expensive. They're not doing it because it's fun. They're safeguarding their systems." Van Wyk declined to identify the European country under discussion.
Read more about Mobile Apps in Computerworld's Mobile Apps Topic Center.
- Mission Critical: Managing Mobile Applications & Content Smartphones, tablets and other mobile devices have become embedded in enterprise processes, thanks to the consumerization of IT and a new generation of...
- Use the Mobile App Mix to Choose an Enterprise App Store Strategy In this research report Gartner outlines how organizations can optimally secure, distribute, and manage mobile applications for employees and contracted workers.
- The Case for Mobile Apps Today's mobile apps turn handheld devices into e-book readers, portable navigation systems, digital wallets and more. And for organizations with mobile workers, they...
- 5 Customers Deliver Virtual Desktops and Apps to Empower a Modern Workforce Learn how Citrix solutions helped 5 companies realize the full value of desktop virtualization through a project-by-project approach based on key business priorities.
- What Does it Take to Deliver a Superior Customer Experience? The Two Top-Rated Online Retailers, B&H Photo and Crutchfield Electronics, Share Their Secrets Discuss practical CX tools and service methods such as contact center agents and the use of realtime speech analytics to help contact center...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily... All Mobile Apps White Papers | Webcasts