University researcher may publish their findings on NXP Mifare chip

By EDRi · July 30, 2008

On 18 July 2008, the Dutch Court in Nijmegen, in its preliminary ruling,
dismissed the initial claim brought by chip maker NXP against the
publication by the University of Nijmegen of the security problems of the
Mifare Classic chip.

NXP had asked the judge to order the University of Nijmegen to stop the
publication of its research results on how to crack the security of cards
using the NXP chip, arguing that the publication would allow lawbreakers to
easily break into security systems and to use public transportation
fraudulently. In NXP’s opinion, the publication would cause considerable
damage and security risks for NXP and users all over the world.

The Rechtbank Arnhem court decided that prohibiting the publication of the
University article would violate the researchers’ freedom of expression,
which is covered by Article 10 of the European Convention on Human Rights.
Restrictions in such matters are applicable only in order to protect a
pressing social need, which has to be convincingly demonstrated.

The judge’s opinion was that Radboud University Nijmegen had acted with due
care, and that publishing the results of scientific research and informing
the public about the serious deficits of the chip serve great interests and
help in taking measures against the risks of the security leak of the
respective chip. The potential damage that NXP claims is not a result of the
publication of the research results but of the production of a chip that has
shown deficiencies, which is the responsibility of NXP itself.

“I don’t think anyone truly believes you can prevent reverse engineering
techniques from being published,” said Karsten Nohl, who worked at breaking
the algorithm of the chip last year, at the Last HOPE hacker conference on 18
July. “I’m very happy that the court upheld the right to open research and
freedom of publication. (…) I’m also happy that the court understood that
publishing vulnerabilities is a crucial part of the evolution of security
and a different court outcome would have slowed down that evolution of smart
card security and left too many systems vulnerable,” he said to CNET News.

NXP was disappointed by the ruling, saying that changing the system will not
be easy for all users of the system; for some the change will take months,
but for others it is going to take years.

Henri Ardevol, general manager of automatic fare collection for NXP, stated:
“Migration to a different format is one option. (…) We introduced Mifare
Plus earlier this year, and it is designed to help migrate from Mifare
Classic to a higher level of security… We will be developing plans for how
to guide these migrations.” He also said it was too early to say whether NXP
would appeal the ruling.

The article will be published at the beginning of October 2008 during a
scientific conference in Malaga, Spain.

Dutch Scientists Can’t Be Blamed for Deficient Mifare Chip (18.07.2008)
http://www.jorisvanhoboken.nl/?p=183

Dutch court allows publication of Mifare security hole research (18.07.2008)
http://news.cnet.com/8301-1009_3-9994120-83.html

Oyster hack will be published, rules Dutch court (22.07.2008)
http://www.out-law.com/page-9279

Radboud University Nijmegen Press release – Security Flaw in Mifare Classic (18.07.2008)
http://www.ru.nl/english/general/radboud_university/vm/press_release_july/

EDRIgram – Dutch University sued to stop publishing research on chip technology (16.07.2008)
http://www.edri.org/edrigram/number6.14/dutch-university-chip