Dutch University sued to stop publishing research on chip technology
(Dieser Artikel ist auch in deutscher Sprache verfügbar)
Dutch chipmaker NXP Semiconductors has sued the Dutch Computer Security
Group of Radboud University in Nijmege in order to stop the publication of
research results showing security flaws in NXP’s Mifare Classic wireless
smart cards used in transit and building entry systems around the world.
The technology is used for the transit system in The Netherlands, in the
subway systems in London, Hong Kong and Boston, as well as in cards for
accessing buildings and facilities, covering 80 percent of the market.
The security researchers of the Dutch university have checked the Mifare
system used with Oyster cards for transport in London and recently succeeded
in cracking the encryption on a card and clone it. They added credit to it
and moved freely around London’s Underground network.
According to Dr. Bart Jacobs, professor of computer security at the
university, by using a computer and an RFID reader, in just a few seconds,
the Oyster card’s encryption can be cracked. “We need to eavesdrop on the
communication between a card and a card reader. From that communication we
can deduce secret cryptographic keys that are used to protect the contents
of the card. Once we have the keys we ‘own’ the card and can manipulate it
as we like” said Jacobs.
The University issued a statement in March this year saying: “Because some
cards can be cloned, it is in principle possible to access buildings and
facilities with a stolen identity. This has been demonstrated on an actual
system.” Jacobs demonstrated how the London transit system can be used for
free. He obtained the key used by the London transit system then he passed
by passengers carrying Oyster cards and was able to collect their card
information on his laptop and make a clone of it. The scientist has given
NXP the opportunity to fix the security problems waiting with the
publication and presentation of the results for some time but as NXP did not
solve the issue decided to go on with the university plans of publishing the
research.
The Dutch university’s research builds upon Karsten Nohl’s work, a graduate
student of the University of Virginia, and expert on the security for NXP.
“NXP has had half a year now to inform about the lack of security in their
product, but instead they have used the best part of that to dismiss our
research, dismiss the Dutch group’s research, and to claim that everything
is purely theoretical. So, if anything, NXP has invoked this type of public
demonstration, since they have often claimed that ‘yes in theory it may be
insecure but in practice it isn’t’. So had they not kept up the
disinformation that (the Mifare could actually be secure) nobody would have
paid attention to the Dutch group actually hacking the Oyster card” stated
Nohl.
The Computer Security Group publication comes during a long and heated
public debate in the Dutch parliament and the media on the merits of large
scale computer systems, their quality and security standards and the
government’s capacity to manage these kind of projects. The publication of
the University research may be essential for this debate.
The Dutch court decision is expected on 17 July 2008.
Censoring Dutch Academia: Computer Security Scholars taken to Court
(8.07.2008)
http://www.jorisvanhoboken.nl/?p=173
Dutch chipmaker sues to silence security researchers (9.07.2008)
http://news.cnet.com/8301-10784_3-9985886-7.html?hhTest=1
Has London’s Oyster travelcard system been cracked? (26.06.2008)
http://www.guardian.co.uk/technology/2008/jun/26/hitechcrime.oystercards
Cryptoanalysis of Crypto-1
http://www.cs.virginia.edu/~kn5f/pdf/Mifare.Cryptanalysis.pdf
Security Flaw in Mifare Classic – press release Digital Security group,
Radboud University Nijmegen (12.03.2008)
http://www.ru.nl/english/general/radboud_university/vm/security_flaw_in/
London transit cards cracked and cloned (26.06.2008)
http://news.cnet.com/8301-10789_3-9978486-57.html?hhTest=1
NXP sues academic research team – what are they afraid of? (10.07.2008)
http://www.thetechherald.com/article.php/200828/1463/