pageok
pageok
pageok
Dutch Court Denies Chipmaker's Request to Enjoin Academics' Publication of Security Flaws:

From The Industry Standard, apropos the story noted here July 11:

A Dutch court has denied a request from chipmaker NXP to prevent the publication of a scientific study of the security of the firm's Mifare Classic RFID technology....

The court ruled that freedom of speech outweighs NXP's commercial interests.... The judge ruled that limitations to the freedom of speech are allowed only if there is urgent and obvious threat to society. "This requires a balancing of interests," the court stated in a press release. "It should be considered that the publication of scientific studies carries a lot of weight in a democratic society, as does informing society about serious issues in the chip, because it allows for mitigating of the risks."

The chipmaker has put out a paper supporting its position; an excerpt:
NXP welcomes any feedback about any privacy and security concerns related to its chips. NXP does have no concerns about so called "ethical hackers", who investigate our products and share with us their findings. This allows for assessment and correction of any security situation of our chips and the products and systems using our chips....

NXP has, however, concerns about unverified public communications regarding security and privacy of automated systems and its constituent components, and the potential harm to society as a result. This blurs public debate, harms public interests and often builds opinions on false grounds.

Anyone intending to publish any such information should in our view first verify:

1. whether the facts are accurate;
2. how the facts impact on the security or privacy of the system (in which our products are just an element) as a whole (and not just one element thereof);
3. the potentially harmful consequences to society of such information becoming publicly known.
4. the legality of their acts.

Legal concerns

Persons involved in hacking, breaking (or attempting to break) into automated systems or falsifying components of such systems should realize that:

* unauthorized possession of secret algorithms or ways to obtain secret keys can be a criminal offense;
* publishing an algorithm and secret keys used in an automated system is a criminal offense;
* publishing a secret algorithm or secret keys (or ways to obtain those) qualifies as a tort, resulting in liability for such person (and often its employer) for all resulting costs and damages.

The Standard article reports, by the way, that "The researchers with the University of Nijmegen had countered that they have allowed ample time for NXP to repair the issues. Karsten Nohl, a researcher with the University of Virginia previously has pointed out that NXP was first made aware of fundamental flaws in the chip's design in December 2007.... Nohl furthermore charges that NXP has wrongly trivialized the issues and recommends that the firm shifts focus to mitigating the problems instead of fighting security researchers."

Thanks to Martin Holterman for the pointer.

Related Posts (on one page):

  1. Dutch Court Denies Chipmaker's Request to Enjoin Academics' Publication of Security Flaws:
  2. "Chipmaker Sues To Silence Security Researchers,"
LTEC (mail) (www):
If "unauthorized possession of secret algorithms or ways to obtain secret keys can be a criminal offense", then how could one legally do the research necessary to provide NXP with the "feedback about any privacy and security concerns" that it so welcomes?
7.20.2008 7:11pm
Fub:
The last graf in The Standard's article reveals how NXP's response from the beginning was incoherent at best:
A spokesperson for NXP said the company is disappointed. NXP said it is in favour of openness, but fears that users will have insufficient time to switch to safer alternative technologies.
If NXP had taken appropriate steps, at least advising their customers when researchers revealed the vulnerability, then they would have much less reason to worry about their customers' security.
After their dilatory tactic of trying to enjoin the researchers, expressing concern about customers having "insufficient time to switch to safer alternative technologies" fails the giggle test.
7.20.2008 7:14pm
Bill Poser (mail) (www):
Another sign of the disingenuousness of NXP's response is the fact that it begins with the point that researchers should verify the accuracy of the facts, yet there is not the slightest hint that the Nijmegen researchers are wrong about the security flaw or that they did not carefully verify their claims.
7.20.2008 8:56pm
Curt Fischer:
Also, what are we to make of NXP's odd juxtaposition of their claim that they "have no concerns about so called 'ethical hackers', who investigate our products and share with us their findings" with the "legal concerns" they listed?

I guess the legal issues are not "concerning" unless they like you?
7.20.2008 9:02pm
Curt Fischer:

I guess the legal issues are not "concerning" unless they like you?


...err, make that "if they like you".
7.20.2008 9:03pm
Andy Freeman (mail):
NXP makes three claims about the law. In which jurisdictions are all three of those claims true?

I think that making a patently false statement about "the law" should have a negative legal consequence.
7.20.2008 10:03pm
NicholasV:
Karsten Nohl, a researcher with the University of Virginia previously has pointed out that NXP was first made aware of fundamental flaws in the chip's design in December 2007...

That's about six months ago. I think there is some fundamental misunderstanding about how long it takes to go from the design stage to delivering chips to the customers. If they started on a redesign immediately they might be at the stage of testing samples now. Chips produced in the meantime and sold on to customers would still have any flaws.

This isn't to say that they aren't dragging their feet on this - maybe they are - but you can't snap your fingers and start producing chips of a different design overnight. It takes a while just to do the redesign, and go through all the testing that's required when a single mistake can cost millions of dollars and set you back months.
7.21.2008 12:37am
Wahoowa:
Yes, but perhaps someone out there--a competitor--is making a better/safer chip already.
7.21.2008 1:33am
Bill Poser (mail) (www):

While it is true that new chips can't be made instantly, it is often possible to find a workaround, in software, firmware, or sometimes even in hardware. In any case, people relying on the chips can be notified of the flaw so that they won't rely on them for security.
7.21.2008 2:14am
David Schwartz (mail):
The fact is, long-term, the biggest benefit will accrue if people who use these chips suffer significantly. If researches give people enough warning to not suffer for choosing an insecure product, they will have no incentive to pick a secure product next time.

It is very expensive and time-consuming to put out a product that you can demonstrate is very, very secure. But there is only a competitive advantage to such products if the market values secure products and punishes insecure ones.

The small pain that will be caused by a quick disclosure today will more than be paid back by the lack of a succession of repeat occurrences. Next time, it may be the bad guys who find the vulnerability first.

Frankly, I am shocked by the succession of security vulnerabilities in commercial products in cases where secure algorithms were well-known and well-understood.

Stupid should hurt.
7.21.2008 2:37am
martinned (mail) (www):
@Andy Freeman: One of these legal points was addressed in the court's ruling. Whatever protection such "algorithms and secret keys" might have in tort law, generally, they are not protected by copyright law, as NXP claimed.

Also, for the purposes of this expedited procedure, they granted that the researcher's claims were true, though they may not be so generous if there is ever a full procedure. (Which is unlikely, BTW.)
7.21.2008 7:17am
Gregory Conen (mail):
Saying "6 monthes is not long enough to design a new system" is correct, but missing a potentially important point. The cards weren't even released when this vulnerability was first revealed to NXP. That might have been a sign that the technology wasn't ready for release.
7.21.2008 10:54am
one of many:
aying "6 monthes is not long enough to design a new system" is correct, but missing a potentially important point. The cards weren't even released when this vulnerability was first revealed to NXP. That might have been a sign that the technology wasn't ready for release.An argument, but we are talking about what is possible now (breaking the encryption) and what was possible 10+ years ago when the technology was released. Actually NXP has at least 4 generations of new systems to replace the no longer secure one (including, since 2004, a 128-bit one which can directly replace this one without major system upgrades). The problem isn't with NXP creating a secure system, it is with NXPs customers deciding not to pay more for better encryption. The problem is not 6 mos to design a new system, it's 6 mos to get the funding for and placement of a new set of chips to the end-users, most of the companies/governments which use these chips are still in the proposal for bids stage, the wheels of bureaucracy grind slowly but if money were no object NXP could have completely replaced the chips in 2 mos (and to preempt, yes there may have been some delay in increasing production of the 128-bit chip but they are in production now and NXPs pretty good at producing lots of chips fast).

The interesting point about this suit is that NXP was not suing on the basis of direct harms to itself, but effectively was attempting to stop publication on behalf of its customers. There is some pretty nifty legal theory here and some shifty reasoning on NXP's part, but focusing on the technical issues misses the really fun parts.
7.21.2008 1:46pm