Friday, July 25, 2008

RFID company sues college researchers for exposing defects

This another ugly trend in big business: www.computerworld.com/action/article.do?command=printArticleBasic&articleId= 9109139 Chip maker sues to quash research on RFID smart card security flaws Researcher says chip hack could crack open 2 billion cards, By Sharon Gaudin July 10, 2008 (Computerworld) A semiconductor company is suing a Dutch university to keep its researchers from publishing information about security flaws in the RFID chips used in up to 2 billion smart cards. The cards are used to open doors in corporate and government buildings and to board public transportation systems. NXP Semiconductors filed suit in Court Arnhem in The Netherlands against Radboud University Nijmegen. The company is pushing the courts to keep university researchers from publishing a paper about reported security flaws in the MiFare Classic, an RFID chip manufactured by NXP Semiconductors. The paper is slated to be presented at the Esorics security conference in Malaga, Spain, this October, according to Karsten Nohl, a graduate student who was part of a research group that originally broke the encryption last year. Nohl told Computerworld on Thursday that he gave his research to the Dutch university so it could build on what he had done, and he has been closely following its progress. "I think it's crucial that it's published in an academic conference where researchers can work on solutions," said Nohl. "I don't think there's any good outcome for NXP. Say they were to win. They'd be keeping information away from the academics who might come up with solutions." NXP declined to be interviewed for this story but said in an e-mailed statement, "We cannot give further comments at this time, as it is in the hands of the court and the court has given a confidentiality order." Representatives from the university did not respond before deadline. Call out the military Nohl said the problem lies in what he calls weak encryption in the MiFare Classic smart card. In March, he said that once he had broken the encryption, he would need only a laptop, a scanner and a few minutes to get the cryptographic key to an RFID door lock and create a duplicate card to open it at will. Since the MiFare Classic smart cards use a radio chip, Nohl said he easily can scan them for information. If someone came out of a building carrying a smart card door key, he could walk past them with a laptop and scanner in a backpack or bag and skim data from their card. He also could walk past the door and scan for data captured to the reader. Once he's captured information from a smart card and/or the card reader on the door, he would have enough information to find the cryptographic key and duplicate a smart card with the necessary encryption information to open the door. He said the whole process would take him less than two minutes. And that, according to Ken van Wyk, principal consultant at KRvW Associates, is a big security problem. "It turns out it's a pretty huge deal," said van Wyk in a previous interview. "There are a lot of these things floating around out there. Using it for building locks is the biggy, especially when it's used in sensitive government facilities -- and I know for a fact it's being used in sensitive government facilities." Van Wyk noted in March that one European country had deployed soldiers to guard some government facilities that used the MiFare Classic chip in their smart door key cards. "Deploying guards to facilities like that is not done lightly," he said. "They recognize that they have a huge exposure. Deploying guards is expensive. They're not doing it because it's fun. They're safeguarding their systems." Van Wyk declined to identify the European country under discussion. Vintage technology Manuel Albers, a spokesman for NXP Semiconductors, said previously that the company had confirmed some of Nohl's findings. However, he said there are no plans to take the popular chip off the market. "The MiFare chip was first introduced in 1994. At the time, the security level was very high," he said in an interview. "The 48-bit key length for encryption was state of the art." In an earlier interview Albers noted that NXP recently released MiFare Plus, which is backward-compatible with the MiFare Classic while offering better security. He said the company did not release the updated chip because of Nohl's findings, but it did use some of his information when designing it. In a statement on its Web site, the university notes that Mifare smart cards are widely used to control access to buildings and facilities. "All this means that the flaw has a broad impact," according to the release. "Because some cards can be cloned, it is in principle possible to access buildings and facilities with a stolen identity. This has been demonstrated on an actual system. In many situations where these cards are used, there will be additional security measures; it is advisable to strengthen these where possible." The university added that this past March, its researchers informed its government, the Dutch Signals Security Bureau of the General Intelligence and Security Service, and NXP Semiconductor about their findings. In an interview on Thursday, van Wyk said publishing security research is a common pursuit, but it's a bit harder to deal with for a hardware company. "You have an RFID chip deployed by the millions," said van Wyk. "Switching that around is extremely costly and won't happen very quickly. It could be it will take them months or a year to do that." Van Wyk added that it's a "scary" situation for the companies and organizations using these smart cards. "If they're using that for access control to buildings, they'd have to make major changes to their whole access system," he said.