LONDON A court in Arnhem, the Netherlands, has denied a request from NXP Semiconductors to stop the publication of a scientific study into the security of the company's Mifare Classic contactless smart card chip technology.
NXP (Eindhoven, the Netherlands) had tried to stop researchers from the Radboud University Nijmegen from publishing details of how they had cracked and cloned the algorithms on the Mifare Classic device that is used in several public transport systems around the world, including in London's Oyster card network that is used by millions very day.
The court ruled that freedom of speech outweighs NXP's commercial interests. The judge said limitations to the freedom of speech are allowed only if there is urgent and obvious threat to society.
"This requires a balancing of interests," the court stated Friday (July 18) "It should be considered that the publication of scientific studies carries a lot of weight in a democratic society, as does informing society about serious issues in the chip, because it allows for mitigating of the risks."
Responding to today’s decision, Christophe Duverne, senior vice president and general manager for NXP’s Identification division told EE Times Europe: "We regret the ruling and still maintain it was an irresponsible decision by the researchers to attempt to publish such details. It could, potentially, benefit criminals."
Duverne stressed NXP would "continue to invest heavily in ensuring the security of the Mifare chips and systems, in which we believe the cryptography is adequate, push on with development of newer, more secure devices such as the Mifare Plus, and work with system integrators and operators to ensure speedy migration to systems with even higher levels of security."
In the meantime, he suggested, that since the publication f the research may "reduce the barrier to carry out actual attacks", systems integrators and operators of infrastructure using Mifare Classic cards, "may want to urgently review their systems."
He told EE Times Europe : "We took this action not to stifle research, but to protect our customers." And he maintained that the result would not harm NXP's efforts to push out the technology to other public transport systems or applications where Mifare is used, for instance in mobile phones.
"There is a huge momentum behind use of the Mifare technology, and of course being the leader in the field makes us a target and leaves us open to such actions."
Duverne added that the company is on track with the development of its Mifare Plus chip and system, which will incorporate even stronger cryptography mechanisms, being based on the AES standard and boasting 128-bit encryption rather than the original 48-bit. "We will be sampling the chip and system by the end of the year, but of course it will take longer to build it into secure cards."
The researchers and the University of Nijmegen argued that NXP has had sufficient time to repair the issues that had been identified in the paper, a draft of which was sent to the company ahead of the proposed publication at a computer security conference scheduled for October.
Karsten Nohl, a researcher with the University of Virginia previously has pointed out that NXP was first made aware of fundamental flaws in the chip's design in December 2007.
NXP to sue researchers over Mifare chip 'hack'
Researchers push open-source smartcard project to increase security
NXP mulls IP licensing for its Mifare platform
Mobile NFC moves closer to the money