A computer hack that makes it possible to defraud London's transport
payment system can be made public, according to a court ruling in the
Netherlands.
Researchers at the Radboud University
in Nijmegen planned to publish details in October on how to hack a chip
used in millions of electronic passes for entering buildings and public
transport systems, including London's.
The
chip is used in the city's Oyster cards that are used to pay for
journeys by pressing them against a card reader at the beginning and,
sometimes the end of journeys.
But
the chip's manufacturer, NXP based in the Netherlands, argued that it
would make it easy for criminals to break into security systems and
commit fraud on public transport systems.
Prior warning
NXP,
founded by electronics company Philips, fears substantial damage and
security risks for its clients worldwide, the court in Arnhem in the
east of the Netherlands said.
But
the court ruled that the university's right to publish was part of the
freedom of speech and that the publication of scientific research on
the chip's faults could help to take appropriate countermeasures.
"Damage
to NXP is not the result of the publication of the article, but of the
production and sale of a chip that appears to have shortcomings," the
court said.
The university had first informed the Dutch government and NXP in March that it had developed a method to crack NXP's Mifare Classic chip with widely available commercial components and at low cost, but delayed publication of details.
'Damage to customers'
Christophe
Duverne, a senior vice president at NXP, said it would take months or
even years for some users of the chip to adapt their systems, and that
the publication was therefore different from software hacks for which
manufacturers can issue a patch much more quickly.
"What we are doing is defending our customers," Duverne said.
"We
don't mind them publishing the effects of what they have discovered to
inform society, I think this is absolutely fine, but disclosing things
in detail including the algorithm ... is not going to benefit society,
it will create damage to society."
A spokesman for the university did not want to discuss consequences for the chip's users.
Transport for London, which runs London's public transport system, had no immediate comment.
Academics hack London's transport payment system