NXP loses injunction bid – Oyster card hack to be disclosed

CASPER


A Dutch court has ruled on an injunction that would have stopped a university group from reporting publicly on its research. The injunction came from NXP, creator of the popular Mifare Classic, and sought to stop researchers from Radboud University in Nijmegen from publishing a paper in October that would explain the details on how they successfully cloned an Oyster card and used it.


The judge in the case issued a ruling that was expected by many in the research community. In part, the judge has ruled that publishing the scientific article falls under the principle of freedom of expression, and that -- in a democratic society -- it is of great importance that the results of scientific research can be published.


In its ruling, the court said: “Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings.”
However, according to the Reuters news agency, Christophe Duverne, a senior vice president at NXP, said it would take months or even years for some users of the chip to adapt their systems, and that the publication was thus different from software hacks for which manufacturers can issue a patch much more quickly.


“What we are doing is defending our customers,” Duverne said. “We don't mind them publishing the effects of what they have discovered to inform society, I think this is absolutely fine, but disclosing things in detail including the algorithm... is not going to benefit society, it will create damage to society.”
Karsten Nohl, who The Tech Herald recently spoke to about this case, had this to say about Duverne’s comments:


“I don't necessarily disagree that upgrading might take years in some case. I do disagree, though, that keeping the information away from researchers could possibly help the security of systems as the information will leak no-matter-what; too many people are working on Mifare now and the information cannot be contained any longer.”


"This requires a balancing of interests," the court stated in a press release on the injunction case. "It should be considered that the publication of scientific studies carries a lot of weight in a democratic society, as does informing society about serious issues in the chip, because it allows for mitigating of the risks."





How it all started:

In March of 2008, researchers at Radboud University Nijmegen, led by Professor Bart Jacobs, demonstrated that the Mifare Classic chip was flawed. This, in itself, was not earth-shattering, as NXP had been dealing with security issues on the Mifare Classic since 2007. However, the new research raised larger concerns, as the researchers did what no one else had done: they cloned a card using Mifare Classic and used it.


As the researchers put it, they were "driven by a sense of social responsibility" to report their findings to the Dutch Government as well as NXP. The full research was sent to NXP in June so that NXP could ask for a legal opinion. At the beginning of July, NXP decided to take out an injunction against Professor Jacobs and Radboud University Nijmegen in order to prevent publication of the scientific article.

Again, what's interesting about the Dutch research, and what made it a semi-interesting news story, is that the Dutch researchers cloned the Oyster card. Moreover, the researchers then used the cloned card for a few days. Their research showed that NXP’s security is indeed flawed, as did the research Karsten Nohl and his partners performed, but the Dutch group took it a step further and carried out a physical demonstration.


NXP’s stance was that releasing the full details of the research, as the university planned to do this October, was irresponsible. After the ruling, NXP issued a statement, but would not comment on the record for The Tech Herald.


“NXP Semiconductors regrets the decision of the court to allow the publication by Radboud University Nijmegen, which includes attacks on MIFARE Classic infrastructures and is intended to be published in October 2008,” the company said in its statement.


“Based on today’s decision affected parties such as system integrators and operators of infrastructures using MIFARE Classic cards may want to urgently review their systems and may address their interests with the University of Nijmegen, in relation with the aforementioned intended publication,” NXP said.
“Different installations have different security requirements, however it is not conceivable that they all will have their security upgraded to the necessary level in a period of months until this paper is published; these upgrades will take up to a number of years.”


However, NXP has, by its own admission, had since 2007 to help with the security upgrades and the platform or infrastructure changes.


“NXP has had half a year now to inform about the lack of security in their product, but instead they have used the best part of that to dismiss our research, dismiss the Dutch group’s research, and to claim that everything is purely theoretical,” said Karsten Nohl in a recent interview with TTH. “So had they not kept up the disinformation that [the Mifare could actually be secure] nobody would have paid attention to the Dutch group actually hacking the Oyster card.”


The problem is that NXP still wants to live by the rule of security through obscurity, something which simply does not work. It is an argument that has been going on for almost a decade now.
So the researchers have the green light to go public, and plan to do so this October. One thing that was missing in the NXP statement was mention of Mifare Plus, the successor to the Mifare Classic. This new offering will fix the crypto problems of the Classic chip, yet it is never mentioned in any comments or statements offered surrounding the Radboud research.


“Mifare Plus is a really good card, with the option of emulating the bad old card,” commented Nohl. “If it’s used properly that is, emulate the old card for just a couple weeks, and then as soon as you upgraded the entire infrastructure, switch over to the strong encryption, then this card would be very secure. The problem with the Mifare Plus is that there is no Mifare Plus that you can buy today.”
 