eeTimes

Researchers push open-source smartcard project to increase security

June 23, 2008 | | 208800189
LONDON — A Dutch philanthropic foundation, NLnet, has given Euros 150,000 ($230,000) to fund a project that will devise open-source smart card software that offers stronger protection of personal data in light of security vulnerabilities found with cards used today.

The project, expected to last two years, will be coordinated at the Radboud University in Nijmegen, Netherlands, and the code developed will be published for peer review, an open-source development model that can offer a stronger security model than undocumented, proprietary systems that dominate the smart-card market.

The project follows several instances of security vulnerabilities found in the most popular smartcards used for a variety of contactless applications, including the Mifare Classic chip from NXP Semiconductors (Eindhoven, the Netherlands).

Earlier this year, the researchers cloned the new Dutch Mifare travel card. As a result, the introduction of a Euros 1 billion transport payment system in the Netherlands has had to be postponed.

They also managed to clone a swipe access card to a public building in the Netherlands. According to some reports, the Dutch government immediately posted armed guards outside all its buildings and now plans to spend millions of euros upgrading its system.

And reports surfaced last week that the same team was able to crack and clone an Oyster card used by millions of Londoners through the scheme run by Transport for London in the U.K.

A spokesman for NXP told Times OnLine: "We are aware that the Dutch researchers have reverse engineered the algorithm and we are taking this issue very seriously. We have informed all of our system integrators and advised them to closely assess their systems. We are talking to the guys at Radboud University and have identified various counter measures."

Last month, Heikki Huomo, general manager of the NFC sector at NXP, told EE Times Europe in an interview that the chip group is about to introduce Mifare Plus, an addition to the company's existing platforms for mobile integration that it has been offering for a decade.

The latest version will be targeted at automatic fare collection and access management applications that require relatively high security elements, and sits at about halfway between four existing offerings (Ultra Lite, Classic, DesFire and SMX).

The Classic, Plus and DesFire versions will also be offered as embedded secure elements in about 18 to 24 months. "We need time to develop these as they mean modifications at chip level, changes to the operating system and Common Criteria certification," said Huomo.

According to Michiel Leenaars, strategy director at the NLnet foundation, "With the failure of that first generation of smart cards for public transport in the Netherlands and elsewhere a huge disinvestment is looming. That cost or even the delay is just not acceptable for societies that depend heavily on this critical infrastructure".

The research at Radboud University Nijmegen will be carried out within the Digital Security Group, headed by Professor Bart Jacobs and Dr. Wouter Teepe.

The group has already revealed on numerous occasions other weaknesses in smart cards. For instance, the researchers figured out how the Mifare Classic's encryption algorithm worked, allowing them to obtain the 48-bit encryption keys the cards used.

The researchers plan to ascertain whether the proposed privacy techniques are actually suitable for an efficient, robust and secure implementation of smart cards, usable in other classes of systems such as mobile phones or pocket computers.

Related Articles:

Mobile NFC moves closer to the money

NFC Phones: Next Hacker Target

NXP tops list of vendors for NFC, contactless ICs

NXP RFID encryption cracked

'Tube' to trial mobile phone based payment scheme



In their work on the Oyster travel card, Teepe and Jacobs used a regular laptop to put credit back on the card. They could thus travel free for the day on the Underground and also managed to instigate a DDoS attack on a station security gate.

They plan to publish their research in October. "We will not release software to manipulate the cards, but people will have enough information to write the software themselves," said Jacobs.

However, according to TfL, Londoners can have total confidence in the security of their Oyster cards. "We run daily tests for cloned or fraudulent cards and any found would be stopped within 24 hours of being discovered. Therefore the most anyone could gain from a rogue card is one day's travel."

In another statement TfL added it was not a hack of the Oyster system, but a single instance of a card being manipulated.

And TranSys, the consortium responsible for delivering Oyster on behalf of TfL, noted in a statement: "Oyster has been designed with security at the forefront of its functionality. It has robust security, which operates at different points within the system. This ensures that should one security measure be breached, another will protect Oyster cards and the system as a whole."

The NLnet Foundation's Leenaars notes that by putting the development in an open context and embedding privacy in the design phase, and not as an afterthought, "we hope to lay the foundations for a next-generation smart card for public transport in the Netherlands and beyond that works and really is worth the full confidence of consumers."

All material on this site Copyright © 2009 - 2010 European Business Press SA. All rights reserved.
This site contains articles under license from EETimes Group , a division of United Business Media LLC.