Credit Card Companies Gagged Mythbusters Over RFID Vulnerabilities?

from the security-through-obscurity...-and-legal-threats dept

It's amazing to watch just how sensitive some companies are concerning the rather well-known security vulnerabilities associated with RFID tags and smart cards. We've seen time and time again, companies try to suppress such research from getting published -- and every single time, those efforts to suppress the publication of the vulnerabilities backfires, often badly.

But that never seems to stop companies from flexing their legal muscles.

The latest example comes to use via the Consumerist blog, who dug out a clip of Adam Savage from the TV show Mythbusters talking about what happened when the show tried to do an episode on RFID vulnerabilities:

Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else... They were way, way outgunned and they absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it's on Discovery's radar and they won't let us go near it.

Check out the video of him saying this (while admitting he's probably not supposed to talk about it) here: Perhaps it's an exaggeration by Savage, but do the credit card companies really think that security through obscurity (with a healthy dose of legal threats) is the best way to protect their customers?

43 Comments | Leave a Comment..

Dutch Court Allows Research On Smart Card Vulnerabilities To Be Published

from the good-job dept

We recently wrote about how NXP Semiconductor (formerly Philips Semiconductor) was suing to try to stop the publication of some research that showed some vulnerabilities in its chips used in smart cards around the world. The vulnerability itself was already widely known (though NXP denied it for a while). The good news is that a judge has denied the request, and the research will be published as originally planned. The bad news is that NXP wasted quite a lot of time denying there was a problem instead of fixing the problem -- and with this latest misguided legal stunt, made sure a lot more people knew about it.

1 Comments | Leave a Comment..

Dutch Chipmaker Sues To Prevent Researchers From Publishing Info About Security Flaws

from the security-by-obscurity? dept

NXP Semiconductors, which was formerly Philips Semiconductor division, is suing some researchers to prevent the publication of a paper outlining the security flaws in smartcards made by NXP. These smartcards are widely used for transit systems and building locks. Of course, the fact that these cards have been insecure has actually been known for quite some time. Rather than fixing the problem, though, NXP spent plenty of effort denying any problem existed. Now that multiple researchers have demonstrated that the problem really does exist, NXP is claiming it hasn't had enough time to fix the problem, and thus is suing to prevent publication.

Of course, if NXP hadn't wasted so much time insisting there was no problem, perhaps it would have been closer to a fix. And, most importantly, those who are looking to use this vulnerability already have access to it. Publication in a journal isn't going to alert criminals -- they already know about it. What it could do, however, is get more researchers helping on a solution. But, apparently, NXP would rather pretend that if they keep the details hidden, they can pretend there is no problem.

8 Comments | Leave a Comment..

Appeals Court Says That Just Buying A Smart Card Reader Doesn't Mean You Pirated DirecTV Signals

from the well-that's-good dept

While we often talk about the extortion-like tactics of the RIAA in going after file sharers, people sometimes forget that it was DirecTV that really pioneered this practice on the corporate level. Well before the RIAA started suing music fans, DirecTV sued a company that had been selling a device that would let people hack smart cards, and as part of the suit, DirecTV ended up with the company's customer list. They then set out to sue most of the folks on that list, without any evidence that those customers actually used the equipment to make smart cards for unauthorized access to DirecTV signals. The lawsuits snagged innocent folks who had plenty of legitimate reasons for wanting to program smart cards -- but DirecTV found the process so profitable that it pushed its "anti-piracy" team to do many questionable things in trying to convince people to settle -- even if they were completely innocent. Eventually, the company was accused of extortion and was told to stop threatening people if it didn't have any evidence.

However, there were still some people who were found guilty of unauthorized access, even though DirecTV's only evidence was that they had purchased these smart card devices. Reader jedipunk lets us know that an Appeals Court has now tossed out one such decision, noting that simply possessing the device is not evidence of unauthorized access. The court notes that the defendants can still be found guilty if there's proof that they were accessing DirecTV signals with unauthorized equipment -- but simply possessing the smart card hacking device is not illegal and is not proof that they were doing anything illegal with it. Slowly, but surely, it appears that judges are picking up the details on some of these tech cases.

12 Comments | Leave a Comment..