This triggered reactions from at least two sides:
- NXP is reportedly suing the researchers (cf. Smart Insights #08-28),
- Dutch secretary of state Tineke Huizinga has urged the university not to publish any secrets that may lead to abuse.
This has already had several consequences: Dutch government buildings, which were protected by a Mifare Classic-based physical access control system, are now guarded by people checking the credentials of anyone wishing to enter; the Dutch global transport project OV-Chipkaart is postponed; Transport for London has issued several statements to reassure its users; etc.
Karsten Nohl, a University of Virginia researcher who earlier broke Mifare using hardware means, commented: “it’s a terrible decision, there is no legal case to be made. This was reverse engineered legally without any help from NXP.”
At the same time, Transport for London has been the victim of a mysterious failure that erased the Oyster cards of 40 to 60,000 people on a Sunday morning (cf. Transports section). It is too early to conclude whether the origin of the problem is related to the Mifare hack or not.
Suing hackers, especially when they are well-known university scientists, may not turn out to be a good idea. In this case, the researchers sent their paper to NXP for review beforehand. A trial may prevent them from publishing their paper later this year, but at the same time it will attract even more people with "white hats", "grey hats", or "black hats" (as said in cryptanalysis jargon), and not all of them will be as respectful and as amicable as the Radboud University researchers. So far the issue is limited; by attracting more hackers, it will spread wider, and future hackers may not be so nice to NXP.
Suing hackers and crackers gives them publicity. In the past, most industrialists dealt with security issues by negotiating with hackers and crackers and ordering their consulting services, especially for their expertise in security, and this made everyone happy. At the same time, industrialists were working to solve the issue, announce new products, and reassure their customers and systems integrators in private meetings. Making the story public will only attract more interest and, in the long run, harm the image of NXP and of the whole industry.