Details of how to exploit a flaw in the Oyster cards used on London's transport network can be published, a Dutch judge has ruled.
The court denied a request from chipmaker NXP to prevent the publication of a scientific study of the security of the firm's Mifare Classic RFID technology. Researchers will continue to pursue presenting their findings in October.
NXP had demanded a restraining order against researchers with the University of Nijmegen. The gagging order would have prevented them from discussing the results of their scientific research into the cryptography of the Mifare Classic, an RFID chip developed by NXP that is used in many countries' transport system, including London Oyster travel card.
The court ruled that freedom of speech outweighs NXP's commercial interests. Although this freedom is typically granted to individual citizens, the judge argued that it also applies to scientific research.
The judge ruled that limitations to the freedom of speech are allowed only if there is urgent and obvious threat to society. "This requires a balancing of interests," the court stated in a press release. "It should be considered that the publication of scientific studies carries a lot of weight in a democratic society, as does informing society about serious issues in the chip, because it allows for mitigating of the risks."
NXP had argued that publication of the report was 'irresponsible', because it would allow criminals to attack Mifare Classic based systems such as public transport systems in the Netherlands, the UK and the US that use the chip, as well as billions of building access passes worldwide. In a position paper, the company explains that it welcomes feedback, but considers publication of its algorithms as a crime.
The researchers with the University of Nijmegen had countered that they have allowed ample time for NXP to repair the issues. Karsten Nohl, a researcher with the University of Virginia previously has pointed out that NXP was first made aware of fundamental flaws in the chip's design in December 2007.
Also, clones have been available in the market since at least 2004. These indicate that people outside NXP have vast knowledge of the chip's inner workings, including criminals. A restraining orders preventing publication of the study therefore will only serve to withhold knowledge from the scientific community.
Nohl furthermore charges that NXP has wrongly trivialised the issues and recommends that the firm shifts focus to mitigating the problems instead of fighting security researchers.
A spokesperson for NXP said the company is disappointed. NXP said it is in favour of openness, but fears that users will have insufficient time to switch to safer alternative technologies.
As well as being used on 17 million Oyster cards, the Mifare chip is also used in Hong Kong's travel network, and is the basis of the Dutch Rijkspas smartcard.