What's irresponsible is proprietary vendors that *try* to hide their insecure products.
Chipmaker NXP, formerly Philips Semiconductors, is taking Dutch Radboud University to court on Thursday to prevent researchers publishing their controversial report on the Mifare Classic chip. Recently researchers from Radboud University in Nijmegen revealed they had cracked and cloned London's Oyster travel card. Earlier this …
What's irresponsible is proprietary vendors that *try* to hide their insecure products.
Great that they've found whatever flaws they have, but wouldn't it be better to give the organisations involved a reasonable amount of time to fix the problems? Or is this another case of research egos desperate for peer recognition?
Whats their reaction to a security breach found in their travel card scheme?
1. Fix the problem and deploy a patch?
2. Come up with a better system?
3. Ask people to brush it under the carpet/bury head in sand?
Got to love it. I'm sure if someone of less moral character than a local university had 'cracked' the system, they wouldn't be willing to just hide it under the carpet. The government should give those guys at the uni a medal for finding a vuln before it was misused by nogooders and look to patch it ASAP.
Because obviously it's better to sue them into silence than to just fix the problem that someone else will find...
is if the provider of the chip accepts the claim with no proof.
The governments thinking of using this chip must accept the claims of the researchers without proof.
And, if nothing is done, the proof shown so that the stupidity of ignoring the claim can be fully explored (by cracking the system and getting free rides because TFL wanted to use this chip despite knowing it was broken).
Caveat Emptor should work for the government too, you know.
I think the university is doing the right thing. They have said in the past they dont intend to include details of how to clone the card so that everyone else can start doing it, and this kind of provision of information and awareness to errors to the entire security community could prevent similar errors occuring in the future, as well as educating people to how to find and prevent them. If the chip maker has an insecure chip, fix it, dont sue the people that inform you its not secure. To the best of my knowledge the university hasnt been joy riding around london on a free oyster card!
Has intelligence and education become a thing to be feared by chip makers now, so much so that they feel they have to stop people learning from past experiments and research?
[Paris, because she can relate to NXP's clueless nature.]
NXP product has a flaw, the researchers found it, they have a DUTY to reveal that flaw. When it comes to security, we fix the product, not the PR. NXP would be liable if someone bought their products and NXP had concealed a flaw in it.
Likewise the courts shouldn't help NXP conceal the flaw.
You know I'll bet that Darth Vader sued the people that published the research on the small thermal exhaust port on the death star instead of doing something about it too...
Couldn't the uni give NPX an advance copy of its paper with a 3-month deadline after which it will be openly published?
That's right, if the scheme's abused it'll be the fault of those pesky researchers publishing their data, nothing to do with the folks that designed the insecure scheme in the first place.
Makes me sick the amount of cover-up the average government and/or corporation seems to try and do, and the blame they constantly push onto other parties in order to try and avoid any blame.
Paris, because she probably knows just as much about smartcard security as the NXP folks
Security through obscurity does not work. If this report is NOT published NXP will try to pretend that the problem has gone away. If it IS publishe then they will have to fix the problems.
From the article:
"NXP was sent a copy of the report for review."
And do not forget that with the police trawling through the oyster db at will looking for people to blame for every crime, like protesting against the gordonment, thinking for yourself, saying the government is anything less than god etc, if they accept anyone can clone a card will mean that their little data mine is worthless, I just hope there is a big enough stink about this that everyone learns the cards can be cloned and this police misuse of the oyster db is stopped by being laughed out of court whenever it is used / attempted
Just recoup the costs by selling 'infinite credit' travel cards.
Who's to say there aren't already clone cards out there, plenty of people apart from the universities 'research' card security but they are generally out to make a quick buck.
Paris, 'cause you'd not need oysters with her around...
I understand that data from this oyster system has already been used to track alleged crooks, and maybe even in court.
You can bet there's more than just the manufacturer that doesn't want the cloning technique published. Law enforcement love these big brother systems, and they don't half get upset when they are undermined..... because without it they might have to do real police work... and they might actually end up with the right person (if they can't beat a confession out of who they nick anyway).
...just forget the egos (of those that found the flaw and those that made it) - just fix the problem. Give Oyster a preview of the flaw and some time to fix it - then publish the report for the glory. Although flawed Oyster does work (most of the time?) - or should we just go back to loose change?
Just because houses catch fire and burn down - should we all be fire starters to prove a point?
every customer of NXP who has been sold an insecure card solution that is not fit for purpose....
"You know I'll bet that Darth Vader sued the people that published the research on the small thermal exhaust port on the death star instead of doing something about it too..."
Worse than that - many Bothans died to bring us this information.
I side with the "Give NXP plenty more time to fix it first".
There are a lot of people here very agressive against a company that made a security mistake (which is hard not to do if people try hard enough to crack it).
I doubt a bunch of crooks is going to make any serious efforts to clone the card themselves if it requires too much time/effort - because they will be known to be offering clones quite quickly and then they only have a limited sales time before the company rolls out a fix. If the university publishes the flaw in detail, then the cost/benefit equation to the crooks is going to be more favourable. Lots of people can jump on the flaw and quickly figure out how to offer clones - and voila the taxpayer has to stump up extra cash the following year to cover the loses.
Actually, as I recall, the Dark Lord of the Sith had a rather more direct (and lethal) approach to dealing with the incompetence of his subordinates. Besides, even the Sith draw the line at involving lawyers - a man has to have SOME standards.
Leave a copy of it on the Tube.
Works for HM Gov...
Legal action won't help; now that it's known to be possible, someone else will soon find out how to do it and they may not have just an academic interest.
PH because I just have an academic interest in her.
They've had the original report for some time now, and have been sent a copy of the definite report, which we are talking about now, too. So why haven't they verified the results and fixed the problem? And as far as I know, they have better protected chips they can use, this is a fairly old design, but I'd wager it's cheaper?
Paris, because she's both cheap and expensive..
why was an error found in it?
While kit is designed by the humand mind there will be human detectable vulneabilities - live with it! The higher the claimed invulnerability/suitability, the greater the take up, the greater the "egg on face" when it all goes titsup. Education (& Research) is expensive but try ignorance for a real costs!
I'm happy the product had such a long and effective life - which may be extended - and even happier that the research folks have put their intellect to constructive use rather than irresponsibly exploiting the vulnerabily.
Or have I missed something here??
The subject of the security of mifare cards grabbed my interest after I watched the presentation at the 23rd Chaos Communications Congress on Mifare security.
The video of this presentation can be found on Google video here:
There is also a short video discussing the wider problems this discovery causes rather than just the technical aspects of it here:
They are well worth watching.
After all, we are the only country in the world with Freedom of the Press enshrined in our Constitution. That's why the US has nothing like the Brits "Official Secrets Act", and even the New York Times outing of a CIA worker a few weeks ago has no consequences.
The problem with letting NXP have time to fix any flaws is that ts does not encourage chip makers (or any security product vendors for that matter) to use well established, peer reviewed methods that ensure a highly secure system. The more we can shame them in public, hopefully, the more they will realise that there is always someone with a PhD waiting to hack them.
How many times have we seen this happen? Take the car door locking system that has been hacked for example, as long as vendors insist on using proprietary systems they will continue to come up against researchers breaking their poorly designed code.
I used to work for a Dutch owned firm...they're all fuckwits who've had too many schmokes!
"Worse than that - many Bothans died to bring us this information."
Why? If the empire were killing Bothans to stop the information getting lose then surely they knew about the problem and... oh... I see... so should we expect an opening in the University's Security Research Department.
The reason researchers publish papers is not to satisfy their egos. It is that otherwise they don't get jobs.
Thanks to their work, the guys involved apparently obtained funding for the next two years. Who would pay them if they didn't publish it?
They gave NXP only six months to fix it, but if this is a security flaw that cannot be fixed in six months, it probably means they can't fix it at all, no matter how much time they have. Trying to silence the researchers is like hiding your head in the sand.
I hope for NXP that they were aware of the potential problem before choosing the chip (if not, they are a bunch of incompetent twats).
It's been publicly unraveled as early as January this year that the chip is vulnerable.
NXP has a copy of the full (detailed) paper.
Not to mention that choosing this chip was a deliberate "error", the paper won't be published before October.
So NXP have (had) nine month to fix the problem. I bet they didn't even start looking seriously into it. Let's give them more time, right. Like, 5 years? 10 years?
Flog it to criminals. Researchers get cash and a happy audiance, nobody knows about the problems becouse if you can't see it it isn't really there, and the criminals get free reign of the transport system.
O I know, just fab like 100,000 free cards and have a youtube/facebook/myspaz//dot give away bonanza.
That'd be pretty funny.
NXP, as the coy mistress and Dutch University as the Importunate Suitor -what a Marvell_ous idea, Andrew!
Don't be shy guys -underneath that rouge and rage within the machine, NXP would love to embrace for a full-on Hi-tech transfer Win-win, grin-grin.
NXP get a world-class oyster upgrade plus a string of positive publicity points, as well as first dibs on keen potential employees.
The University get a free lesson on turning enemies into friends -AI Gain far Beta than any money can provide.
"Although flawed Oyster does work (most of the time?) - or should we just go back to loose change?"
And what's actually fucking wrong with REAL MONEY, you know notes and coins??
Paying at the till with a card is NOT quicker.
If everyone still used real money instead of plastic, then I suspect we wouldn't be in quite such a bad state now because when they can see all of their money right in front of their eyes then they'd be less inclined to buy things they can't afford.
.....PUBLISH AND BE DAMNED.
In the meantime, @AC who said that NXP should be sued by its customers - the best way to make that happen is for the end users of Mifare Classic cards to sue the providers (NXP's customers) for lost credit or security fears on the systems that use these cards.
What does this weakness do to user confidence of any cards (superior MF cards or from other sources), as presumably NXP didn't know that they were punting something that was <100%???
Isn't it a bit weird that the Dutch national transport card has been postponed indefinitely, yet the same cards are still OK elsewhere?
Standby for the new Dutch book on management, "Who moved my Mifare card?"
I think I'd just admit the research was mistaken and accept the company's assurance that the system is 100% secure. Get it in writing. Then, when you're caught selling cloned cards, how are they going to prosecute you for doing something that everyone agrees is impossible?
You can't have it both ways.
These researchers are absolutely right to publish details of the security vulnerability; and if doing so leads to transport operators losing money, then NXP should be held liable for all such losses. After all, they've had plenty of time. And they need to make a lot of noise about it, in order to shatter ignorant people's reliance on badly-designed proprietary cryptosystems.
**Any** cryptosystem that depends on **anything** other than the decryption key being kept secret, is **inherently faulty**. That is not hard to understand, at least if you're a hac ..... sorry ..... a computer security researcher. It may be fashionable for corporations to try to keep secrets; but this needs to be brought to an end, and soon, because it is harming their customers.
How the Vigenère cipher works is not a secret. But with a long enough key phrase and a short enough message, it's still demonstrably unbreakable.
If I read the statement of Nijmegen University (which btw is on http://www.ru.nl/home/nieuws/icis/radboud_universiteit/, the URL in the article is invalid) the researchers had completed their research to a stage where they could safely sound the alarm in March. "Because of her responsibility to society the university has immediately and confidentially notified the national government and NXP of the results of the independent investigation to the Mifare Classic Chip. Upon which the minister of interior affairs made the problems with the chip known and indicated the university would, in due time, publish the results." is a rough translation. The statement continues that the researchers very consciously didn't reveal any details about the flaws in the chip to give stakeholders, among which NXP, the change to do something.
So that's one thing: responsible disclosure would seem to have taken place.
Another thing is I recall reading about the national outcry over the chip issue (mind you, this whole chippifying of Dutch public transport tickets has already cost an amazing 1.000.000.000 EUR. Yes, that's 9 zeros) that after the tendering procedure the Dutch government deliberately chose the flaky chip on the ground of it being cheapest. Duh. The articles appearing at that time clearly indicated NXP has a good replacement.
What I guess is happening here is NXP desperately trying to put off the moment at which they really need to end-of-life their Mifare Classic chip. My assumption is that they are still making an interesting amount of money from it. Sudden EOL is not really a cheap way to phase out that product, I can imagine. Now if I am *not* cynical about corporate human reasoning capability I am tempted to think they carefully weighed the PR risk of the trial against the financial risk they're running and went ahead with sueing the researchers.
I don't believe this to be true however. I'd guess it will be a combination of seeing the prospect of a nice revenue stream evaporating at great cost, not understanding how the academic world functions (publish or perish anyone?) and not understanding what motivates academic researchers to begin with (there is definately a strong desire to simply do what is right for the greater good) and probably a nice dosage of corporate ignorance and arrogance ('s not fair!) that really motivates them.
To conclude my comments: I've worked with Mr. Jakobs and his team on several occasions and have experienced them as security researchers and academics with a very high degree of integrity and a thorough understanding of the sharp edges of security research, like disclosure. Kudos to him and his team and kudos to the university for supporting him in doing the Right Thing. And lovely publicity of course for all of them, academic freedom, furthering society etc. This is a really nice example of the benefits of having institutions like universities.
Thanks, URL fixed now.
Is this the same sort of legal stand they would take to stop someone posting the way that ROT13 can be broken? ;-)