April 23, 2014


Transit Card Maker Sues Dutch University to Block Paper

NXP, which makes the Mifare transit cards used in several countries, has sued Radboud University Nijmegen (in the Netherlands), to block publication of a research paper, “A Practical Attack on the MIFARE Classic,” that is scheduled for publication at the ESORICS security conference in October. The new paper reportedly shows fatal security flaws in NXP’s Mifare Classic, which appears to be the world’s most commonly used contactless smartcard.

I wrote back in January about the flaws found by previous studies of Mifare. After the previous studies, there wasn’t much left to attack in Mifare Classic. The new paper, if its claims are correct, shows that it’s fairly easy to defeat MIFARE Classic completely.

It’s not clear what legal argument NXP is giving for trying to suppress the paper. There was a court hearing last week in Arnhem, but I haven’t seen any reports in the English-language press. Perhaps a Dutch-speaking reader can fill in more details. An NXP spokesman has called the paper “irresponsible,” but that assertion is hardly a legal justification for censoring the paper.

Predictably, a document purporting to be the censored paper showed up on Wikileaks, and BoingBoing linked to it. Then, for some reason, it disappeared from Wikileaks, though BoingBoing commenters quickly pointed out that it was still available in Google’s cache of Wikileaks, and also at Cryptome. But why go to a leak-site? The same article has been available on the Web all along at arxiv, a popular repository of sci/tech research preprints run by the Cornell University library.

[UPDATE (July 15): It appears that Wikileaks had the wrong paper, though one that came from the same Radboud group. The censored paper is called "Dismantling Mifare Classic".]

As usual in these cases of censorship-by-lawsuit, it’s hard to see what NXP is trying to achieve with the suit. The research is already done and peer-reviewed. The suit will only broaden the paper’s readership, and NXP’s approach will alienate the research community. The previous Radboud paper already criticizes NXP’s approach, in a paragraph written before the lawsuit:

We would like to stress that we notified NXP of our findings before publishing our results. Moreover, we gave them the opportunity to discuss with us how to publish our results without damaging their (and their customers) immediate interests. They did not take advantage of this offer.

What is really puzzling here is that the paper is not a huge advance over what has already been published. People following the literature on Mifare Classic – a larger group, thanks to the lawsuit – already know that the system is unsound. Had NXP reacted responsibly to this previous work, admitting the Mifare Classic problems and getting to work on migrating customers to newer, more secure products, none of this would have been necessary.

You’ve got to wonder what NXP was thinking. The lawsuit is almost certain to backfire: it will only boost the audience of the censored paper and of other papers criticizing Mifare Classic. Perhaps some executive got angry and wanted to sue the university out of spite. Things can’t be comfortable in the executive suite: NXP’s failure to get in front of the Mifare Classic problems will (rightly) erode customers’ trust in the company and its products.

UPDATE (July 18): The court ruled against NXP, so the researchers are free to publish. See Mrten’s comment below.

Comments

  1. Gerrie says:

    The fact that it disappeared from wikileaks is probably because they realised that they had the wrong paper. The ESORICS paper is not called “A Practical Attack on the MIFARE Classic” (that is going to CARDIS 2008) but “Dismantling Mifare Classic”.

  2. Bob Jonkman says:

    There’s a bit of activity on the news sites about NXP now.

    http://www.google.ca/news?q=NXP+arnhem
    http://ixquick.com/do/metasearch.pl?query=nxp+arnhem

    Do you have a link to the Dutch article? I can make a stab at translation…

    –Bob.

  3. Mrten says:

  4. Spudz says:

    It was probably yanked from wikileaks because it wasn’t actually a leak; it’s available at arxiv, like the newer paper, I expect.

    If the newer one had been suppressed, including disappearing from arxiv, it would probably have found its way to wikileaks and persisted there.

    In the meantime, the very notion of a contactless smartcard gives me the willies. And Europe is, in other aspects, more concerned with privacy than in the States?!

    Nevermind that some fraudster just has to get close enough to your right hip pocket with a reader device of some kind and maybe they can charge money to you — but they might also get information, perhaps enough to engage in identity theft, or at least to target a confidence scheme of some sort.

    And then there’s the question of whether that business-suited man that just brushed past you in a busy crowd is actually a G-man, and with a gadget in his own pocket and a backdoor into the encryption used by your smart cards (all from private vendors and using proprietary schemes, no doubt) he’s just learned a great deal about you, and about everyone else in the crowd. Your name, address, social security number. How much money you are able to pay on the spot, which may correlate with your income. Maybe your recent purchases, or recent travel movements.

    Scared yet? Now imagine you’re at a peaceful demonstration, or even just trying to bull your way through one to the office, and there’s spooks working the crowd inconspicuously harvesting everyone’s bona fides for use in some later crackdown.

    Begin to fear for your freedom, privacy, free-speech rights, and ability not to get harassed or worse simply from having been in the wrong place at the wrong time (by someone’s definition of “wrong”, someone accountable to almost no-one).

    Gimme a card that someone has to actually swipe through a reader to read anyday.

  5. eee_eff says:

    UPDATE (July 18): The court ruled against NXP, so the researchers are free to publish. See Mrten’s comment below.

    Of decreasing relevance–it would just show up on wikileaks anyway. If not there, I’ll be sure to publish on my blog asap.