July 20, 2008

Courts say hackers can publish findings on Oyster Card vulnerability

By TJ Kirchner





Researchers at Radboud University Nijmegen got their day in court and will now be allowed to publish their Oyster card system vulnerability findings.

Despite the complaints of NXP, manufacturer of the Mifare Classic Chip used on the Oyster cards, the judge has ruled in favor of “freedom of expression,” says the university.

The Oyster card is used by commuters to pay fares on London’s Tube ticketing system. The same technology is also used in access cards used to enter secure locations.

According to Wired, last March, the researchers, led by Professor Bart Jacobs, effectively and effortlessly cloned these smartcards. They used a simple laptop to wirelessly hack into card readers and retrieve their cryptographic key, thus turning their laptop into a portable key reader. Next, they bumped into people who carried these Oyster cards and scanned them. From there it was a simple matter of creating new cards from the uploaded information.

OK, so a bunch of hackers got hold of a few key cards. No big deal, right? Well, it is a big deal when you realize that there are more than 17 million of these cards in circulation, some of which are used for public transit, building security, and government access control schemes.

The research team informed the Dutch government and NXP of their findings, and withheld any details of their findings from the general public. The Dutch government quickly began replacing their cards, deeming this “a national security issue,” according to a spokesman for the Dutch Interior Ministry.

However, NXP decided to take legal action and filed an injunction against Professor Jacobs and the University in order to prevent publication of the article. The university believed “such a ban would inhibit the academic freedom to carry out research, including the freedom to publish. In the opinion of the University, the evidence-based results of this research must find their way into the public sphere in order to achieve societal significance.”

Fortunately, according to Ars Technica, the courts agreed with them. They cleared the researchers to publish the article in October 2008. Details about this article will be disclosed at a security conference in Malaga.

NXP isn’t too happy with the judge’s decision though. They believe it’s “contradictory to the scientific goal of prevention and the responsible disclosure of sensitive information.”

Different installations have different security requirements… It’s not conceivable that they all would have their security upgraded to the necessary level in a period of months until this paper is published; these upgrades will take up to a number of years.

Although this is true, I don’t believe NXP handled the situation very well and it’s just going to have to live with the consequences of its actions. If they wanted more time to upgrade their card system then perhaps the company should have taken the appropriate steps to do that, whether that would be negotiating with the researchers or appealing to the courts for more time, rather than kill the article altogether and prevent the researchers from receiving any credit for their work.


    One Response to “Courts say hackers can publish findings on Oyster Card vulnerability”

    1. mifare:

      And still I hear, it’s not hacked. I think it’s impossible mission.
