Contactless Smart Cards, RFID, Payment, Transit and Security

Nohl: NXP making ‘terrible decision’

Thursday, July 10, 2008 in News

Dutch semiconductor manufacturer NXP is making a mistake suing Radboud University Nijmegen in the Netherlands, says Karsten Nohl, a University of Virginia graduate student who worked with others to break the MIFARE cryptographic algorithm. “It’s a terrible decision, there is no legal case to be made,” Nohl says. “This was reverse engineered legally without any help from NXP.”

NXP has sued the university to block details of a security flaw in NXP’s MIFARE Classic contactless smart cards. The MIFARE Classic line of products is possibly the world’s most widely deployed contactless product, used for many transit and physical security applications.

The university had sent its research to NXP for review before publishing it, Nohl says. The university did this to inform NXP of the vulnerability in hopes that the chip manufacturer would remedy the situation and inform users that the systems are weak. In the future researchers might not be as kind and instead just publish the research without letting NXP review it first. While Nohl has just about completed his work on MIFARE, if he were to do any additional work he would probably publish it without pre-informing NXP.

Nohl is planning on releasing his research on MIFARE in August. He has been working with NXP and doesn’t think he will be sued. “I had been invited to meet with and discuss how to make their technology more secure,” he says.

Also, Nohl’s research is more theoretical while the university’s actually shows individuals how to crack the security of the chip, he says. “NXP has no problem with what we have,” he says. “The research isn’t about breaking the card but we describe the method of how the card is broken.”

The hearing to prevent the university from publishing its research was held in Dutch court today, but a decision isn’t expected until next week, Nohl says.

The MIFARE Classic line includes the MIFARE 1K, MIFARE 4K and MIFARE Mini products. They are used worldwide in transit fare collection systems, access control solutions, and government ID systems. Large issuers include transit projects such as London’s Oyster program, The Netherlands’ OV-chipkaart, and Boston’s Charlie Card.

For more information see our previous coverage here[end] 

Related Articles
Ads by AVISIAN
Cards & Payments Latin America

From smart bank cards to contactless payment, smart cards are a hot technology across Latin America. To learn about the latest market developments and how to profit from the rapid growth of this technology, you need to attend
Cards & Payments Latin America.
Miami, FL-September 22-24

Click to learn more

Listen to the latest re:ID Podcast


The weekly podcast covers relevant issues and breaking news from AVISIAN's suite of ID technology publications.

Listen now.

Place your ad here for just $200

Text ads on ContactlessNews bring 90,000+ impressions each month.

Click to learn more