Friday, July 18, 2008

Court Rules Mifare Hackers Can Publish Exploit Data

Via arstechnica.com -

London Transport's Oyster Card system was hacked earlier this summer by Dutch researchers who managed to turn a laptop into a mobile card lab to score a day's worth of free rides. Now, a Dutch court has ruled that Radboud University Nijmegen can publish details of the attack later this year, despite protests from the chipmaker involved.

The prevalence of the smartcards, made by Philips spinoff NXP, created huge concerns; the cards are widely used around the world for both public transit (London, Hong Kong, etc.) and building security (the Dutch government), and are common in some government access control schemes. The fact that researchers were able to grab the key wirelessly from a London Transport card reader, then grab card information from passers-by that could be used to generate a counterfeit smartcard, came as something of a shock, but at least it wasn't clear precisely how this was done.

The researchers want to publish details of their work, though, as most researchers do, and they found themselves in court with NXP Semiconductors over the issue. The court cleared the researchers to publish in October 2008, a decision that NXP calls "contradictory to the scientific goal of prevention and the responsible disclosure of sensitive information."

Radboud won its case in an Arnhem court, and the school is already touting the achievement. The decision to publish the exploit details "falls under the principle of freedom of expression," says the school. "In a democratic society it is of great importance that the results of scientific research can be published."

University researchers found problems with the Mifare Classic chip back in March, and by June were already producing huge headlines in the UK after the London Transport test. NXP, wasting no time, filed for an injunction against the research team in early July. According to the school, though, no injunction was warranted, as it has acted with due care for legitimate security concerns.

"Driven by a sense of social responsibility," said the school in a statement today, "the University immediately and confidentially informed the Dutch Government as well as the manufacturer (NXP) of the results of the independent research on the Mifare Classic Chip. Since March, the researchers have deliberately withheld further details of the imperfections of the chip in order to give those involved, including NXP, the opportunity to take the necessary steps. Publication of the scientific article was anticipated in October 2008 and in June the article was sent confidentially to NXP so that NXP could ask for a legal opinion."

The details are now set to be revealed at an October security conference in Malaga.

For its part, NXP says it is always open to hearing about security problems and wants to work with researchers to improve its products. Still, it "regrets" the current decision because many of NXP's clients won't be able to update their systems by October.

---------------------------

Again, damn right....
