Dutch court allows publication of Mifare security hole research
Court rules that preventing violation of RFID chip security flaw research would violate freedom of expression for Dutch University.
Updated 8:30 a.m. PDT with researcher comment and photos. Updated 11:17 a.m. with NXP comment.
NEW YORK--A Dutch court ruled on Friday that a university can publish an article on security flaws in the Mifare Classic wireless smart card chip, the most popular chip used in transit systems around the world.
The Rechtbank Arnhem court ruled that prohibiting publishing of the article would violate the researcher's freedom of expression which is vital to a democratic society, according to a news release from the university.
The article will be published at the beginning of October during a scientific conference in Malaga in Spain. Jacobs demonstrated how one could ride the London transit system for free by making a clone of a stranger's transit card. The card is also used for access control to buildings.
Karsten Nohl, a University of Virginia graduate student who worked with others to break the crypto algorithm last year, was giving a talk about his research into security problems with Mifare chips at the Last HOPE hacker conference here on Friday morning.
"I don't think anyone truly believes you can prevent reverse engineering techniques from being published," Nohl said during his talk. Although the Digitial Millenium Copyright Act would apply in the U.S., universities are exempt, he said.
"I'm very happy that the court upheld the right to open research and freedom of publication," Nohl told CNET News after his talk. "I'm also happy that the court understood that publishing vulnerabilities is a crucial part of the evolution of security and a different court outcome would have slowed down that evolution of smart card security and left too many systems vulnerable."
Rop Gonggrijp, a Dutch security researcher attending the conference, said publishing information on vulnerabilities is often the only way to get the vendor to fix the problem. "Any other outcome would have changed the way science discloses security vulnerabilities," he said.
In a statement, NXP said publishing the means to carry out hacks on the chip "is contradictory to the scientific goal of prevention and the responsible disclosure of sensitive information."
"We have not and will not seek any kind of punitive action toward the university or researchers," Henri Ardevol, general manager of automatic fare collection for NXP, told CNET News on Friday. "Affected parties may want to see if they themselves want to take direct action" against the university.
Ardevol said it was too early to say whether NXP would appeal the ruling.
There are techniques and countermeasures to detect cards and data which have been tampered with, although there remains a residual risk, Ardevol said. (More information on the risks is on Mifare's Web site.)
"Migration to a different format is one option," he said. "We introduced Mifare Plus earlier this year, and it is designed to help migrate from Mifare Classic to a higher level of security...We will be developing plans for how to guide these migrations."
NXP has sold more than 1 billion of the cards, although it does not know how many are still active, according to Ardevol.