A CNET story this week says that the Dutch chipmaker NXP Semiconductors is suing a Dutch university to block publication of a paper that publicly details potential security flaws in the company’s widely-used Mifare Classic contactless smartcard.
A hearing is scheduled for today (10 July) in a Dutch court.
The headline, alas, is typical of these stories: "Dutch chipmaker sues to silence security researchers." With a headline like that, you don't even have to read the story to know what it says and what you're supposed to think about it.
This is the latest round in a controversy that sprang up last December at the 24th Congress of the Chaos Computer Club, where a trio of researchers gave some details of an apparently practical, effective, but still painstakingly manual, way to break the Mifare encryption key.
NXP responded to CNET via email saying little more than “We feel the publication would not be responsible.” The story also says that one of the original trio of crackers, Karsten Nohl, plans to publish his own paper on the topic in August.
The Mifare card is widely used around the world as the basis of wireless fare systems for bus and subway systems, as in the new Dutch OV-Chipkaart system being rolled out nationwide, and Boston, Massachusetts’ CharlieCard for subways.
Nohl is quoted as saying, in effect, that making such details public is a duty, a social responsibility, so that security flaws can be fixed. Usually, a vendor is painted as opposing such disclosure because it’s embarrassing or damaging to its business, or both.
But social responsibility cuts both ways. Security professionals and amateurs surely have a social responsibility to consider the potential harm their findings can cause if made public in detail and readily available. NXP’s general statement issued earlier this year on the Mifare site makes what I think are valid points.
And the paper closes with the statement: "Of course, nobody should be surprised that NXP will (pro)actively protect its legitimate interests in this respect." Apparently the university was surprised.
On the other hand, it’s hard to measure how open or transparent vendors really are to security feedback that comes from outside the rather small circle of their internal staff, their systems integrators, and sometimes industry groups, whose typical mandate is technology boosterism.
NXP earlier this year released the Mifare Plus chip (http://www.mifare.net/products/mifare_plus.asp), with a set of changes that it says addresses many of the security concerns mentioned in the Chaos presentation.