RFID chipmaker loses suit, says users must take 'urgent' action
Dutch court rules that university can publish research findings on RFID encryption flaws
Computerworld - A Dutch court has given university researchers the OK to publish their research about security flaws in the radio frequency identification (RFID) chips used in up to 2 billion smart cards. The cards are used to open doors in corporate and government buildings and to board public transportation systems.
Court Arnhem in the Netherlands late last week denied a request by NXP Semiconductors to keep researchers at Radboud University Nijmegen from publishing a paper about reported security flaws in its MiFare Classic RFID chip.
The paper is slated to be presented at the ESORICS security conference in Malaga, Spain, in October.
In a statement e-mailed to Computerworld today, Henri Ardevol, a general manager at NXP, warned that systems integrators and operators of infrastructures using the MiFare Classic cards should "urgently review their systems."
"NXP's objective, as the manufacturer of MiFare Classic chips, is to transparently update all systems integrators and operators of infrastructures which use MiFare Classic in a timely manner so that they can take the appropriate measures to upgrade the security of their systems," wrote Ardevol. "Different installations have different security requirements. However, it is not conceivable that they all will have their security upgraded to the necessary level in a period of months until this paper is published; these upgrades will take up to a number of years."
He added that the company will work with customers and partners to improve their systems.
For its part, the university celebrated the court's decision.
"The judge has ruled that publishing this scientific article falls under the principle of freedom of expression and that in a democratic society, it is of great importance that the results of scientific research can be published," the university said in a statement posted on its Web site. "In the opinion of the university, the evidence-based results of this research must find their way into the public sphere in order to achieve societal significance."
Neither NXP nor the university responded to interview requests before deadline.
In the statement, the university said that its researchers had previously notified both the Dutch government and NXP about the results of the research. The school also pointed out that it had "deliberately withheld further details" about flaws in the chip's security so the company would have time to address the problems.
Karsten Nohl, a graduate student who was part of a research group that originally broke the smart card's encryption last year, told Computerworld in a previous interview that he gave his research to the Dutch university so it could build on what he had done, and he has been closely following its progress.
"I think it's crucial that it's published in an academic conference where researchers can work on solutions," said Nohl.
Nohl said the problem lies in what he calls weak encryption in the MiFare Classic card. In March, he said that once he had broken the encryption, he would need only a laptop, a scanner and a few minutes to get the cryptographic key to an RFID door lock and create a duplicate card to open it at will.
Since the MiFare Classic smart cards use a radio chip, Nohl said he easily can scan them for information. If someone came out of a building carrying a smart-card door key, he could walk past them with a laptop and scanner in a backpack or bag and skim data from their card. He also could walk past the door and scan for data captured to the reader.
Nohl said that once he had captured information from a smart card and/or the card reader on the door, he would have enough information to find the cryptographic key and duplicate a smart card with the necessary encryption information to open the door. He said the whole process would take him less than two minutes.
Ken van Wyk, principal consultant at KRvW Associates LLC, said in an earlier interview that one European country had deployed soldiers to guard some government facilities that used the MiFare Classic chip in their door key smart cards.
"Deploying guards to facilities like that is not done lightly," he said. "They recognize that they have a huge exposure. Deploying guards is expensive. They're not doing it because it's fun. They're safeguarding their systems." Van Wyk declined to identify the European country under discussion.
Read more about Mobile Apps in Computerworld's Mobile Apps Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Performance Management: The Mobile App Development Playbook This comprehensive 16 page Forrester Research, Inc. report, authored by Jeffrey Hammond, Forrester VP and Principal Analyst, details a number of valuable, commonly...
- New Problems Require Innovative Solutions The mobile market is expected to be worth $25 billion by 2015
- Getting Agnostic about Mobile Devices The idea of being able to interact with customers, prospects, and stay attuned to competitive pressures is not new, but the velocity at...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Mobile Apps White Papers | Webcasts