Dear reader,
Reason for this NXP Position Paper
You may have recently read about security flaws in our MIFARE Classic chip products. Reports were made about reverse engineering of these chips, about breaking keys of MIFARE Classic-enabled cards within seconds and that the algorithm of MIFARE Classic ICs will be published soon.
In the light of several publications by research groups and the recent media coverage about automated security systems based on MIFARE Classic technology, NXP wants to bring the following to your attention:
NXP welcomes feedback
NXP welcomes any feedback about any privacy and security concerns related to its chips. NXP has no concerns about so-called “ethical hackers” who investigate our products and share their findings with us. This allows for assessment and correction of any security situation of our chips and the products and systems using our chips.
We are actively cooperating with various universities to learn and to improve our products. NXP also does not shy away from public debate or technical concerns. We believe that this will allow us to continuously enhance our products and thus contribute to society. This fits into our mission to provide world class products that contribute to optimal security and privacy.
Therefore, we encourage anybody who does have concerns about our products to come forward and to work with us in a constructive way.
NXP calls for prior verification
NXP has, however, concerns about unverified public communications regarding security and privacy of automated systems and their constituent components, and the potential harm to society as a result. This blurs public debate, harms public interests and often builds opinions on false grounds.
Anyone intending to publish any such information should in our view first verify:
- whether the facts are accurate;
- how the facts impact on the security or privacy of the system (in which our products are just an element) as a whole (and not just one element thereof);
- the potentially harmful consequences to society of such information becoming publicly known;
- the legality of their acts.
Legal concerns
Persons involved in hacking, breaking (or attempting to break) into automated systems or falsifying components of such systems should realize that:
- unauthorized possession of secret algorithms or ways to obtain secret keys can be a criminal offense;
- publishing an algorithm and secret keys used in an automated system is a criminal offense;
- publishing a secret algorithm or secret keys (or ways to obtain those) qualifies as a tort, resulting in liability for such person (and often its employer) for all resulting costs and damages.
Of course, nobody should be surprised that NXP will (pro)actively protect its legitimate interests in this respect.