Massachusetts Bay Transportation Authority v. Anderson - Background

Background

In December 2007, Karsten Nohl and Henryk Plötz separately published cautions regarding the weak encryption and other vulnerabilities of the particular security scheme as implemented on NXP's MIFARE chip set and contactless electronic card system. In March 2008, articles on the vulnerabilities appeared in newspapers and computer trade journals. A comparable independent cryptanalysis, focused on the MIFARE Classic chip, was performed at the Radboud University Nijmegen. On March 7 the scientists were able to recover a cryptographic key from the RFID card without using expensive equipment. In keeping with responsible disclosure, the Radboud University Nijmegen published the article six months later. NXP tried to stop the publication of the second article through a preliminary injunction. In the Netherlands, the judge ruled on July 18 that publishing this scientific article falls under the principle of freedom of expression and that in a democratic society it is of great importance that the results of scientific research can be published.

In May 2008, MIT students Zack Anderson, Russell J. Ryan, Alessandro Chiesa, and Samuel G. McVeety presented a final paper in Professor Ron Rivest's 6.857: Computer and Network Security class demonstrating weaknesses in the MBTA's automated fare collection system. The report identified four problems: the value is stored on the card and not in a secure database, the data on the card can be easily read and overwritten, there is no cryptographic signature algorithm to prevent forgeries, and there is no centralized card verification system. Anderson, Ryan, and Chiesa submitted a presentation entitled "Anatomy of a Subway Hack: Breaking Crypto RFID's and Magstripes of Ticketing Systems" to the DEF CON hacker convention. The presentation claimed to review and demonstrate how to reverse engineer the data on the magstripe card, several attacks to break the MIFARE-based CharlieCard, and brute force attacks using FPGAs.

Before the complaint was filed in August 2008, Bruce Schneier wrote on the matter that "Publication of this attack might be expensive for NXP and its customers, but it's good for security overall. Companies will only design security as good as their customers know to ask for."
