(Adds security expert comment)
By Niclas Mika
AMSTERDAM, July 18 (Reuters) - A Dutch university can publish details on how to hack a chip made by NXP [NXP.UL] which is used in millions of electronic passes for entering buildings and public transport systems including London’s, a court ruled.
Dutch chipmaker NXP had said it would make it easy for criminals to break into security systems and commit fraud in public transport if the Radboud University in Nijmegen were to publish details in October as planned.
NXP, founded by Philips (PHG.AS), fears substantial damage and security risks for its clients worldwide, the court in Arnhem in the east of the Netherlands said.
But the court ruled on Friday that the university’s right to publish was part of freedom of speech and that the publication of scientific research on the chip’s faults could help to take appropriate countermeasures.
“Damage to NXP is not the result of the publication of the article but of the production and sale of a chip that appears to have shortcomings,” the court said.
The university had first informed the Dutch government and NXP in March that it had developed a method to crack NXP’s “Mifare Classic” chip with widely available commercial components and at low cost, but delayed publication of details.
Christophe Duverne, a senior vice president at NXP, said it would take months or even years for some users of the chip to adapt their systems, and that the publication was thus different from software hacks for which manufacturers can issue a patch much more quickly.
“What we are doing is defending our customers,” Duverne said.
“We don’t mind them publishing the effects of what they have discovered to inform society, I think this is absolutely fine, but disclosing things in detail including the algorithm ... is not going to benefit society, it will create damage to society.”
Bruce Schneier, a security expert and Chief Security Technology Officer of BT (BT.L), told Reuters that researchers were in principle right to publish their findings because that was the only way to force vendors to fix problems quickly.
“As bad as the damage is from publishing — and there probably will be some — the damage is much, much worse by not disclosing,” he said.
“There’s a conceit in the lawsuit that only the researchers know about it, and if we could just keep them quiet, nobody else will know. ... That’s a very dangerous assumption. Assume organised crime knows about this, assume they will be selling it anyway.”
(Additional reporting by Georgina Prodhan in London; Editing by Jason Neely and Erica Billingham)