Mifare manufacturer NXP files suit against security researchers
Chip manufacturer NXP, formerly the semiconductor division of Philips and well-known for its Mifare RFID chips, has filed suit against a group of researchers at Radboud University in Nijmegen, Holland. According to information provided by the company, the suit is intended to prevent the scientists from their planned October publication of the results of their research on the poor security of the Mifare Classic chip, a security product that has been sold billions of times over around the world. NXP spokesman Martijn van der Linden told Webwereld.nl web magazine, "We consider publication irresponsible."
The Mifare Classic chip made headlines early this year after scientists associated with the CCC scene, in cooperation with the University of Virginia, derived the secret encryption algorithm from the hardware and discovered glaring security vulnerabilities in it. The work of the Radboud researchers is also based on this information. According to estimates, billions of the chips are in use worldwide, especially in the areas of city transit fare cards, cafeteria cards, and building access control.
In security circles, people are trying to make sense of NXP's actions. One take on it is that the media impact of the suit could slow or prevent other publications related to the Mifare Classic vulnerability. NXP is planning on launching the Classic-compatible Mifare Plus chip, generally considered secure, onto the market early next year. Another reason for the suit may be to take the wind out of the sails of potential legal actions against NXP from large Mifare clients.
Still, it is questionable whether NXP can prevent the details from being published. According to Karsten Nohl, one of the discoverers of the vulnerability, the details can be deduced, by someone with the right expertise, from the papers that have already been published. Nohl believes that the only effect of this suit will be that, "in future, groups doing research on Mifare will simply not send their results to NXP, ahead of time."
- Vulnerabilities in the Mifare Classic RFID system confirmed
- Is the MiFare Classic RFID system blown?