Dutch Chipmaker Sues To Prevent Researchers From Publishing Info About Security Flaws

from the security-by-obscurity? dept

NXP Semiconductors, which was formerly the Philips Semiconductor division, is suing some researchers to prevent the publication of a paper outlining the security flaws in smartcards made by NXP. These smartcards are widely used for transit systems and building locks. Of course, the fact that these cards have been insecure has actually been known for quite some time. Rather than fixing the problem, though, NXP spent plenty of effort denying any problem existed. Now that multiple researchers have demonstrated that the problem really does exist, NXP is claiming it hasn't had enough time to fix the problem, and thus is suing to prevent publication.

Of course, if NXP hadn't wasted so much time insisting there was no problem, perhaps it would have been closer to a fix. And, most importantly, those who are looking to use this vulnerability already have access to it. Publication in a journal isn't going to alert criminals -- they already know about it. What it could do, however, is get more researchers helping on a solution. But, apparently, NXP would rather believe that if it keeps the details hidden, it can pretend there is no problem.

Filed Under: disclosure, lawsuits, security, smart cards
Companies: nxp semiconductors


Reader Comments



  • Josh Martin, 10 Jul 2008 @ 8:31am

    Next, Voting Machines

    Do these people make electronic voting machines, too?


  • Jake, 10 Jul 2008 @ 9:18am

    I can kind of see the argument in favour of not publicising leaks like this until after you get a satisfactory official response from the company, and the YouTube video demonstrating the 'attack' looks more than a little contrived. I would however have more sympathy for NXP if they'd written back to say they were working on a solution and asking the university to hold off on publishing its results until they'd sorted it out.


  • Willton, 10 Jul 2008 @ 10:36am

    What's the claim?

    With the caveat that I don't know jack about Dutch law, what is the claim here? I understand NXP would want to keep this from getting published, but I don't see what the underlying claim is to bar publication of this. Is it defamation?


  • TravisO, 10 Jul 2008 @ 10:38am

    Don't play hardball when you're the one who will lose

    NXP is making a very bad move, especially if multiple separate people or groups know about the flaw. They're just asking for a writeup of the flaw to be posted anonymously on some key forums.

    Obviously the group that discovered the problem alerted the company, gave them time to fix, no fix is available (the problem isn't always easy or quick) but NXP should have made a plea to hold back, but instead they're resorting to hardball tactics, and I say you fight fire with fire, release the hounds!


    • Anonymous Coward, 10 Jul 2008 @ 11:38am

      Re: Don't play hardball when you're the one who will lose

      zero tolerance for folks who don't take security vulnerabilities seriously. that is the only way to make them learn. times are a-changing and hardball firewall tactics are no longer acceptable.


  • dkp, 10 Jul 2008 @ 12:24pm

    here we go again

    I have a problem with companies spending time and money on fighting, in this case, the publication of information about flaws instead of fixing the problem. This also goes for other things such as IP and others.


  • security is too important ...

    It seems to me that any problem that compromises security (which is incredibly important in this day and age, more than ever before) and affects others should be reported as a warning immediately, even before a solution has been reached. People do need to know what they’re using, and when it goes “bad,” they need to know how to adjust their behavior with it accordingly and protect sensitive and important information. Even Microsoft, who has been pretty seriously hurt (though not necessarily financially!) by Vista’s many initial failures and problems, admitted to their mistakes and provided quick solutions or at least work-arounds and adjustments.


  • Merijn, 11 Jul 2008 @ 7:58am

    after it's broken, it keeps that way

    As far as I know, Professor Bart Jacobs and his crew have already had a few free rides to prove that the system is broken. Trying to silence a university professor won't fix your problem. Also I do not know the laws of my country, the Netherlands, well enough to guess what they try to use as a legal means to their cause in the attempt to silence their neighbor. Radboud University and NXP are located in the same city.


