…the Dutch Interior Ministry’s spokesman said this is “a national security issue,” since several government agencies there use the same technology to restrict access to their facilities.
It looks as if the researchers behind the MiFare crack have done Dutch citizens a big favour by alerting them to the inappropriate use of technology — MiFare Classic was designed for mass transit, not for identity cards and access control for sensitive facilities — before some bad guys do.
It’s a genuine moral (?) dilemma. If a researcher finds a serious security error, do they announce it, thus alerting the users so that they can defend themselves, or do they keep quiet about it and just inform the suppliers so that they can quickly fix it? I’m generally of the “sunshine is the best disinfectant” school, but there’s a good argument for the latter if the fix can be achieved before the bad guys might reasonably be expected to discover the same flaw. Interestingly, exactly such a situation has just occurred. A security flaw in the Domain Name System (DNS) at the heart of the Internet (actually, to a large extent it is the Internet) was dealt with this week…
Dan Kaminsky, director of penetration testing services for IOActive, found the DNS flaw earlier this year. Rather than sell the vulnerability, as some researchers have done, Kaminsky decided instead to gather the affected parties and discuss it with them first. Without disclosing any technical details, he said: “The severity is shown by the number of people who’ve gotten onboard with this patch.”
On 31 March, Kaminsky said 16 researchers gathered at Microsoft to see whether they understood what was going on, as well as what would be a fix to affect the greatest number of people worldwide, and when they would issue this fix. To address the flaw, Kaminsky said the researchers all decided to conduct a synchronised, multi-vendor release. As part of that, Microsoft in its July ‘Patch Tuesday’ released MS08-037. Cisco rolled out a patch later on Tuesday.
[From Synchronised, multi-vendor DNS patches released – ZDNet.co.uk]
So should the MiFare crackers have told NXP what the problem was, and then waited two years until all the MiFare Classic cards had been replaced by MiFare Plus cards, and then published their research? I don’t know, but I do know that NXP have started legal action to stop some of the research being published. Today, one of the researchers says that’s a bad idea (as he would).
Dutch semiconductor manufacturer NXP is making a mistake suing Radboud University Nijmegen in the Netherlands, says Karsten Nohl, a University of Virginia graduate student who worked with others to break the MIFARE cryptographic algorithm.
[From Nohl: NXP making ‘terrible decision’ : Contactless News]
I’m very interested in Karsten’s opinions, especially because we’re going to be having a little chat in Vienna at the end of September at Mobile Banking Security. As the brochure says,
In this interview style session, chairman David Birch, Consult Hyperion, will lead a more light-hearted and informal discussion with Karsten Nohl, University of Virginia, about his research team’s experiences of cracking the security of the MiFare chip.
So if there’s anything you want me to ask him…
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public