NXP sues to silence Oyster researchers
Report publication 'irresponsible'
Chipmaker NXP, formerly Philips Semiconductors, is taking Dutch Radboud University to court on Thursday to prevent researchers publishing their controversial report on the Mifare Classic chip.
Recently researchers from Radboud University in Nijmegen revealed they had cracked and cloned London's Oyster travel card. Earlier this year the researchers did the same to the Dutch MIFARE travel card. This card is to replace paper tickets on all trams, buses, and trains and is already undergoing trials in Rotterdam.
The Dutch researchers are planning to publish their scientific paper, appropriately named Dismantling MIFARE Classic, in October in Spain at Esorics, the European computer security conference. It will contain details not found in a preliminary report that is already available (pdf).
Earlier, Dutch secretary of state Tineke Huizinga urged the university to not publish any secrets that may lead to abuse.
Spokesperson for NXP Martijn van der Linden told Dutch news site Webwereld that publishing the report is 'irresponsible'. NXP was sent a copy of the report for review.
In a statement (Dutch only) the university says it will not retract its publication, "as it is our duty to publish scientific research that could lead to better security technology". ®
Is this the same sort of legal stand they would take to stop someone posting the way that ROT13 can be broken? ;-)
Re: ample time, money likely the excuse
Thanks, URL fixed now.
ample time, money likely the excuse
If I read the statement of Nijmegen University (which btw is on http://www.ru.nl/home/nieuws/icis/radboud_universiteit/, the URL in the article is invalid) the researchers had completed their research to a stage where they could safely sound the alarm in March. "Because of her responsibility to society the university has immediately and confidentially notified the national government and NXP of the results of the independent investigation to the Mifare Classic Chip. Upon which the minister of interior affairs made the problems with the chip known and indicated the university would, in due time, publish the results." is a rough translation. The statement continues that the researchers very consciously didn't reveal any details about the flaws in the chip to give stakeholders, among which NXP, the change to do something.
So that's one thing: responsible disclosure would seem to have taken place.
Another thing is I recall reading about the national outcry over the chip issue (mind you, this whole chippifying of Dutch public transport tickets has already cost an amazing 1.000.000.000 EUR. Yes, that's 9 zeros) that after the tendering procedure the Dutch government deliberately chose the flaky chip on the ground of it being cheapest. Duh. The articles appearing at that time clearly indicated NXP has a good replacement.
What I guess is happening here is NXP desperately trying to put off the moment at which they really need to end-of-life their Mifare Classic chip. My assumption is that they are still making an interesting amount of money from it. Sudden EOL is not really a cheap way to phase out that product, I can imagine. Now if I am *not* cynical about corporate human reasoning capability I am tempted to think they carefully weighed the PR risk of the trial against the financial risk they're running and went ahead with sueing the researchers.
I don't believe this to be true however. I'd guess it will be a combination of seeing the prospect of a nice revenue stream evaporating at great cost, not understanding how the academic world functions (publish or perish anyone?) and not understanding what motivates academic researchers to begin with (there is definately a strong desire to simply do what is right for the greater good) and probably a nice dosage of corporate ignorance and arrogance ('s not fair!) that really motivates them.
To conclude my comments: I've worked with Mr. Jakobs and his team on several occasions and have experienced them as security researchers and academics with a very high degree of integrity and a thorough understanding of the sharp edges of security research, like disclosure. Kudos to him and his team and kudos to the university for supporting him in doing the Right Thing. And lovely publicity of course for all of them, academic freedom, furthering society etc. This is a really nice example of the benefits of having institutions like universities.