A Dutch court has given university researchers the OK to publish their research about security flaws in the radio frequency identification (RFID) chips used in up to 2 billion smart cards. The cards are used to open doors in corporate and government buildings and to board public transportation systems.
Court Arnhem in the Netherlands late last week denied a request by NXP Semiconductors to keep researchers at Radboud University Nijmegen from publishing a paper about reported security flaws in its MiFare Classic RFID chip.
The paper is slated to be presented at the ESORICS security conference in Malaga, Spain, in October.
In a statement e-mailed to Computerworld today, Henri Ardevol, a general manager at NXP, warned that systems integrators and operators of infrastructures using the MiFare Classic cards should "urgently review their systems."
"NXP's objective, as the manufacturer of MiFare Classic chips, is to transparently update all systems integrators and operators of infrastructures which use MiFare Classic in a timely manner so that they can take the appropriate measures to upgrade the security of their systems," wrote Ardevol. "Different installations have different security requirements. However, it is not conceivable that they all will have their security upgraded to the necessary level in a period of months until this paper is published; these upgrades will take up to a number of years."
He added that the company will work with customers and partners to improve their systems.
For its part, the university celebrated the court's decision.
"The judge has ruled that publishing this scientific article falls under the principle of freedom of expression and that in a democratic society, it is of great importance that the results of scientific research can be published," the university said in a statement posted on its Web site. "In the opinion of the university, the evidence-based results of this research must find their way into the public sphere in order to achieve societal significance."
Neither NXP nor the university responded to interview requests before deadline.
In the statement, the university said that its researchers had previously notified both the Dutch government and NXP about the results of the research. The school also pointed out that it had "deliberately withheld further details" about flaws in the chip's security so the company would have time to address the problems.
Karsten Nohl, a graduate student who was part of a research group that originally broke the smart card's encryption last year, told Computerworld in a previous interview that he gave his research to the Dutch university so it could build on what he had done, and he has been closely following its progress.
"I think it's crucial that it's published in an academic conference where researchers can work on solutions," said Nohl.
Nohl said the problem lies in what he calls weak encryption in the MiFare Classic card. In March, he said that once he had broken the encryption, he would need only a laptop, a scanner and a few minutes to get the cryptographic key to an RFID door lock and create a duplicate card to open it at will.
Since the MiFare Classic smart cards use a radio chip, Nohl said he easily can scan them for information. If someone came out of a building carrying a smart-card door key, he could walk past them with a laptop and scanner in a backpack or bag and skim data from their card. He also could walk past the door and scan for data captured to the reader.
Nohl said that once he had captured information from a smart card and/or the card reader on the door, he would have enough information to find the cryptographic key and duplicate a smart card with the necessary encryption information to open the door. He said the whole process would take him less than two minutes.
Ken van Wyk, principal consultant at KRvW Associates LLC, said in an earlier interview that one European country had deployed soldiers to guard some government facilities that used the MiFare Classic chip in their door key smart cards.
"Deploying guards to facilities like that is not done lightly," he said. "They recognize that they have a huge exposure. Deploying guards is expensive. They're not doing it because it's fun. They're safeguarding their systems." Van Wyk declined to identify the European country under discussion.