Dutch University sued to stop publishing research on chip technology

(This article is also available in German)

Dutch chipmaker NXP Semiconductors has sued the Dutch Computer Security Group of Radboud University in Nijmegen in order to stop the publication of research results showing security flaws in NXP's Mifare Classic wireless smart cards, which are used in transit and building entry systems around the world.

The technology is used for the transit system in The Netherlands, in the subway systems in London, Hong Kong and Boston, as well as in cards for accessing buildings and facilities, covering 80 percent of the market.

The security researchers of the Dutch university examined the Mifare system used with Oyster cards for transport in London and recently succeeded in cracking the encryption on a card and cloning it. They added credit to it and moved freely around London's Underground network.

According to Dr. Bart Jacobs, professor of computer security at the university, the Oyster card's encryption can be cracked in just a few seconds using a computer and an RFID reader. "We need to eavesdrop on the communication between a card and a card reader. From that communication we can deduce secret cryptographic keys that are used to protect the contents of the card. Once we have the keys we 'own' the card and can manipulate it as we like," said Jacobs.

The University issued a statement in March this year saying: "Because some cards can be cloned, it is in principle possible to access buildings and facilities with a stolen identity. This has been demonstrated on an actual system." Jacobs demonstrated how the London transit system can be used for free. He obtained the key used by the London transit system, then passed by passengers carrying Oyster cards and was able to collect their card information on his laptop and make a clone of it. The scientist gave NXP the opportunity to fix the security problems by holding back the publication and presentation of the results for some time, but as NXP did not solve the issue, he decided to go ahead with the university's plans to publish the research.

The Dutch university's research builds upon the work of Karsten Nohl, a graduate student at the University of Virginia and an expert on NXP security. "NXP has had half a year now to inform about the lack of security in their product, but instead they have used the best part of that to dismiss our research, dismiss the Dutch group's research, and to claim that everything is purely theoretical. So, if anything, NXP has invoked this type of public demonstration, since they have often claimed that 'yes in theory it may be insecure but in practice it isn't'. So had they not kept up the disinformation that (the Mifare could actually be secure) nobody would have paid attention to the Dutch group actually hacking the Oyster card," stated Nohl.

The Computer Security Group publication comes during a long and heated public debate in the Dutch parliament and the media on the merits of large-scale computer systems, their quality and security standards, and the government's capacity to manage these kinds of projects. The publication of the University research may be essential for this debate.

The Dutch court decision is expected on 17 July 2008.

Censoring Dutch Academia: Computer Security Scholars taken to Court (8.07.2008)
http://www.jorisvanhoboken.nl/?p=173

Dutch chipmaker sues to silence security researchers (9.07.2008)
http://news.cnet.com/8301-10784_3-9985886-7.html?hhTest=1

Has London's Oyster travelcard system been cracked? (26.06.2008)
http://www.guardian.co.uk/technology/2008/jun/26/hitechcrime.oystercar...

Cryptanalysis of Crypto-1
http://www.cs.virginia.edu/~kn5f/pdf/Mifare.Cryptanalysis.pdf

Security Flaw in Mifare Classic - press release Digital Security group, Radboud University Nijmegen (12.03.2008)
http://www.ru.nl/english/general/radboud_university/vm/security_flaw_i...

London transit cards cracked and cloned (26.06.2008)
http://news.cnet.com/8301-10789_3-9978486-57.html?hhTest=1

NXP sues academic research team - what are they afraid of? (10.07.2008)
http://www.thetechherald.com/article.php/200828/1463/