Court rules university can publish Oyster crack

A university can publish details of research detailing the cryptographic cracking of the Oyster travel smartcard, a Dutch court has ruled.

The court in Arnheim found on Friday that Radboud University could publish the paper. Chip company NXP Semiconductors, which manufacturers the Mifare Classic chips used in the Oyster card, had tried to halt the publication of the paper through the court. The Oyster card is widely used on London Underground.

A spokesperson for Radboud University told ZDNet.co.uk said the result was "important for freedom of expression".

"Being allowed to publish is fantastic for us," said the spokesperson. "The judge ruled that, in a democratic society, it's of great importance that scientific research can be published."

The judge found that, according to Article 4 of the Principle of the Freedom of Expression enshrined in Dutch law, the paper should be published. Radboud University said it had already delayed publication of the paper until October to give those involved, including NXP, the opportunity to "take the necessary steps".

NXP warned all suppliers and organisations using Mifare Classic that they may need to conduct urgent security reviews. "Based on today's decision, affected parties, such as system integrators and operators of infrastructures using Mifare Classic cards, may want to urgently review their systems," the company said.

Christophe Duverne, NXP's general manager of identification, told ZDNet.co.uk that the paper could give hackers the means to successfully attack systems using Mifare Classic, including the Transport for London system.

"Publishing the means [to attack] is not responsible behaviour," said Duverne. "It would be easy to portray us as the bad guys, trying to keep everything to ourselves, but the fact that we asked to delay publication is about trying to protect the interests of our customers."

Duverne said that delaying until October would not give customers enough time to change their systems. "You have to understand there is a level of stickiness in infrastructures and solutions," he said. He admitted, however, that NXP's legal action against Radboud University may have brought the flaw to potential hackers' attention.

"I wouldn't say security through obscurity is bad practice, and, yes, of course, [the court case] could create an incentive for hackers to have a go at it," said Duverne. "But this is not about keeping obscure, this is about responsible public behaviour."

The paper is understood to give details of how university researchers cracked the Oyster card, rode on the London Underground for free, and jammed Underground gates, closed through a denial-of-service attack.

Transport for London, which is in charge of implementing the Oyster smartcard, was unavailable for comment at the time of writing.