Skip to comments.Dutch university can publish controversial Oyster research
Posted on 07/20/2008 12:29:47 AM PDT by Schnucki
Dutch researchers will be able to publish their controversial report on the Mifare Classic (Oyster) RFID chip in October, a Dutch judge ruled today.
Researchers from Radboud University in Nijmegen revealed two weeks ago they had cracked and cloned London's Oyster travelcard and the Dutch public transportation travelcard, which is based on the same RFID chip. Attackers can scan a card reading unit, collect the cryptographic key that protects security and upload it to a laptop. Details are then transferred to a blank card, which can be used for free travel.
Around one billion of these cards have been sold worldwide. The card is also widely used to gain access to government departments, schools and hospitals around Britain.
Chipmaker NXP - formerly Philips Semiconductors - had taken Radboud University to court to prevent researchers publishing their controversial report on the chip during a the European computer security conference in Spain this autumn. Spokesperson for NXP Martijn van der Linden said that publishing the report would be "irresponsible" - understandably, the company fears criminals will be able to attack Mifare Classic-based systems.
However, the judge today ruled that freedom of speech outweighs the commercial interest of NXP, as "the publication of scientific studies carries a lot of weight in a democratic society".
The researchers have always said they don't intend to include details of how to clone the card and that publications could prevent similar errors occurring in the future. NXP says it is disappointed with the ruling.
“.....However, the judge today ruled that freedom of speech outweighs the commercial interest of NXP, as “the publication of scientific studies carries a lot of weight in a democratic society”.........”
This guy must be looking for a position on our Supreme Court. Is Obama due to visit there?
It is hardly news; any computer based system that is publicly accessible can be hacked.
The sellers of this system and the buyers knew this, so what is there to argue about if the publication will not give details on the how to do the hack.
Talk about a misleading title!
The world is my Oyster . . . card.
The secret cipher that secures Mifare Classic RFID tags used in access control systems, subway tickets, and various other security-related applications has recently been disclosed . Since the security of the Mifare cards partly relies on the secrecy of this algorithm, we concluded that the cards are too weak for all security-related applications since the algorithm can be found with modest effort. A report for the Dutch government that assesses the impact of our findings on a nationwide ticketing system in the Netherlands was released on February 29th . The report confirms our findings, but asserts that systems will likely be secure for another two years since the attack is still costly. In the report, the attack is estimated to require $9,000 worth of hardware to break secrets keys in a matter of hours. We argue that this is a gross over-estimate and present an attack that recovers secret keys within minutes on a typical desktop PC or within seconds on an FPGA. Our attack exploits statistical weaknesses of the cipher.
(From http://www.cs.virginia.edu/~kn5f/pdf/Mifare.Cryptanalysis.pdf, by Karsten Nohl.)
From the article, Dutch boffins clone Oyster card, also from The Register, it appears that the threats are not simply theoretical since the researchers were able to exploit it to gain access to the London subway and to a government building in Holland:
Earlier this year the researchers cloned the new Dutch Mifare travel card. As a result, the introduction of the 1bn transport payment system in the Netherlands has now been postponed. They also managed to clone a swipe access card to a public building in the Netherlands. According to some reports, the Dutch government immediately posted armed guards outside all its buildings and now plans to spend millions of euros upgrading its system.
Yes, but it is the responsibility of those protecting the data to make sure the encryption is strong enough that the value of the data being protected is significantly less than the cost of breaking the encryption.
That clearly isn’t the case here.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.