A Dutch court has given university researchers the OK to publish their research about security flaws in the RFID chips used in up to 2 billion smart cards. The cards are used to open doors in corporate and government buildings and to board public transportation systems.
Court Arnhem in The Netherlands late last week denied a request by NXP Semiconductors to keep researchers at Radboud University Nijmegen from publishing a paper about reported security flaws in its pp=t=pfp,i=41863 RFID chip.
The paper is slated to be presented at the Esorics security conference in Malaga, Spain, in October.
In a statement e-mailed to Computerworld Wednesday, Henri Ardevol, a general manager at NXP warned that system integrators and operators of infrastructures using the MIFARE Classic cards should "urgently review their systems.
"NXP's objective, as the manufacturer of MIFARE Classic chips, is to transparently update all system integrators and operators of infrastructures which use MIFARE Classic in a timely manner, so that they can take the appropriate measures to upgrade the security of their systems," wrote Ardevol. "Different installations have different security requirements, however it is not conceivable that they all will have their security upgraded to the necessary level in a period of months until this paper is published; these upgrades will take up to a number of years."
He added that the company will work with customers and partners to improve their systems.
For its part, the university celebrated the court's decision.
"The judge has ruled that publishing this scientific article falls under the principle of freedom of expression and that in a democratic society it is of great importance that the results of scientific research can be published," the university said in a statement posted on its Web site. "In the opinion of the university, the evidence-based results of this research must find their way into the public sphere in order to achieve societal significance."
Neither NXP nor the university responded to interview requests before deadline.
In the statement, the university said that its researchers had previously notified both the Dutch government and NXP about the results of the research. The school also pointed out that it had "deliberately withheld further details" about flaws in the chip's security so the company would have time to address the problems.
Karsten Nohl, a graduate student who was part of a research group that originally broke the smart card's encryption last year, told <i>Computerworld</i> in a previous interview that he gave his research to the Dutch university so it could build on what he had done, and he has been closely following its progress.
"I think it's crucial that it's published in an academic conference where researchers can work on solutions," said Nohl.