Home Home | Current issue Current issue | Forum and Community Forum & Community | Onekit's Software OneKit's Software
Login: Password: Forget password? / Register New User 
Games Graphics & Design MP3 & Audio Internet & Networks System & Utilities Home & Education Business WebDev SoftDev
Issue: July 2008 > Home & Education > Article "Court rules university can publish Oyster crack"
Advertisement on Onekit.com Software Magazine

Court rules university can publish Oyster crack (Court rules university can publish Oyster crack)  Court rules university can publish Oyster crack

Home & Education
A university can publish details of research detailing the cryptographic cracking of the Oyster travel smartcard, a Dutch court has ruled.

The court in Arnheim found on Friday that Radboud University could publish the paper. Chip company NXP Semiconductors, which manufacturers the Mifare Classic chips used in the Oyster card, had tried to halt the publication of the paper through the court. The Oyster card is widely used on London Underground.

A spokesperson for Radboud University told ZDNet.co.uk said the result was "important for freedom of expression".

"Being allowed to publish is fantastic for us," said the spokesperson. "The judge ruled that, in a democratic society, it's of great importance that scientific research can be published."

The judge found that, according to Article 4 of the Principle of the Freedom of Expression enshrined in Dutch law, the paper should be published. Radboud University said it had already delayed publication of the paper until October to give those involved, including NXP, the opportunity to "take the necessary steps".

NXP warned all suppliers and organisations using Mifare Classic that they may need to conduct urgent security reviews. "Based on today's decision, affected parties, such as system integrators and operators of infrastructures using Mifare Classic cards, may want to urgently review their systems," the company said.

Christophe Duverne, NXP's general manager of identification, told ZDNet.co.uk that the paper could give hackers the means to successfully attack systems using Mifare Classic, including the Transport for London system.

"Publishing the means [to attack] is not responsible behaviour," said Duverne. "It would be easy to portray us as the bad guys, trying to keep everything to ourselves, but the fact that we asked to delay publication is about trying to protect the interests of our customers."

Duverne said that delaying until October would not give customers enough time to change their systems. "You have to understand there is a level of stickiness in infrastructures and solutions," he said. He admitted, however, that NXP's legal action against Radboud University may have brought the flaw to potential hackers' attention.

"I wouldn't say security through obscurity is bad practice, and, yes, of course, [the court case] could create an incentive for hackers to have a go at it," said Duverne. "But this is not about keeping obscure, this is about responsible public behaviour."

The paper is understood to give details of how university researchers cracked the Oyster card, rode on the London Underground for free, and jammed Underground gates, closed through a denial-of-service attack.

Transport for London, which is in charge of implementing the Oyster smartcard, was unavailable for comment at the time of writing.
July 20, 2008 Author: Tom Espiner


There is no user's comments | Post your comment

Related Links:
Advertisement Advertisement
about / contact us | Copyright 2003-2009 - Software Magazine, onekit.com, Legal Notices