The Kyodo News agency published a report on August 28 claiming that some types of FeliCa chips shipped before 2017 are vulnerable and may be tampered with through certain operations. Kyodo was coy about mentioning that the report came from the Information-technology Promotion Agency, Japan (IPA) in accordance with its “Information Security Early Warning Partnership Guideline”. Whatever that means, Kyodo’s questionable reporting broke IPA security and disclosure guidelines to get a scoop that pushed a big scary security narrative with very little information to back up its claims.
Sony quickly released a statement:
Regarding Vulnerability Report on Some Models of FeliCa IC Chips Shipped Before 2017
We have confirmed that some models of IC chips of Sony’s contactless IC card technology “FeliCa”, which were shipped prior to 2017, could potentially have data read and tampered through specific operations that were identified in an external report. The report was shared by the Information-technology Promotion Agency, Japan (IPA) in accordance with “Information Security Early Warning Partnership Guideline”.
The security of services utilizing FeliCa is built not only on the security of the FeliCa IC chips themselves but also on the overall system for each service. Regarding this matter, we have been cooperating with some service providers and public institutions within the framework of the aforementioned partnership. All stakeholders are encouraged to continue using the services without concern, based on information from relevant providers.
August 28, 2025
Sony Corporation
This was quickly followed by statements from all major FeliCa partnership members (JR East, Docomo iD, JCB QUICPay, JR West, etc.), all saying the same thing: security lies in the FeliCa system as a whole, not just the FeliCa card chip; FeliCa-based products and services are safe to use; and they will work with Sony to further strengthen security around the issue.
They left out one important bit: this potential vulnerability of some FeliCa chips is exclusively limited to physical FeliCa cards; it has nothing to do with Mobile FeliCa devices.
I suspect this issue has been known by some for a while and only works in lab settings, not the real world. In pre-Covid days I ran across a few scattered anonymous online claims of people, security nerds, hacking Suica cards. When I asked FeliCa Dude about the reliability of such claims he said what the FeliCa partners are saying now: even if the card chip keys are somehow compromised (difficult to do), it’s easy to identify and block any compromised cards on the FeliCa system backend.
Some people have pointed out that off-line products using FeliCa technology, like home smart locks, might be at risk, but home smart locks using Suica are a recent product, long past the pre-2017 chip manufacturing line, and it’s easy to swap out old cards. In reality the most likely risk profile is older company ID badges/cards, and it should be easy for companies to identify those and swap them out. Transit operators usually follow a 5 or 7 year gate/reader infrastructure replacement cycle, so they can easily block list old transit cards that need replacing. For reliable reporting on this issue follow IT journalist Yasuhiro Koyama’s posts on X. He immediately smelled a rat when the Kyodo piece hit and published an article on September 8 blasting the irresponsible journalism of Kyodo News Agency.
A vulnerability was discovered in Sony’s contactless IC technology, FeliCa. The issue affects certain IC chips shipped before 2017, potentially allowing data reading or tampering. However, since FeliCa is integrated into various services like payment systems, the impact varies depending on each service’s security level.
Following Sony’s announcement, many companies using FeliCa-based services stated that their systems remain safe and reliable. The real issue, however, lies not with Sony but with certain media outlets that disclosed the vulnerability. Was this reporting responsible journalism?
The vulnerability disclosure system, in place for over 20 years, was triggered by a Kyodo News report based on “information from sources,” likely the vulnerability discoverer. The vulnerability was reported to Sony via the Information-technology Promotion Agency (IPA) in late July, following the “Information Security Early Warning Partnership Guidelines.” Sony confirmed the vulnerability and began addressing it when Kyodo News published its report. The guidelines, established in July 2004 under the Ministry of Economy, Trade and Industry’s regulations, outline a vulnerability reporting system. Discoverers report vulnerabilities to the IPA, which verifies them. JPCERT Coordination Center (JPCERT/CC) coordinates with businesses to set a disclosure date, typically 45 days after initial contact, and the information is publicly released via a portal.
Supported by industry groups like JEITA, JISA, JPSA, and JNSA, this system has functioned for over 20 years. It prevents premature disclosure that could lead to exploitation while ensuring vulnerabilities reported by individuals to large companies are addressed. The guidelines, revised 13 times (latest in June 2024), require discoverers to refrain from disclosing information to third parties without justification and to consult IPA if disclosure is necessary. Developers must investigate, verify, and report vulnerabilities to JPCERT/CC, scheduling disclosure within about 45 days.
In this case, Kyodo News, a third party, disclosed the vulnerability after it was reported to IPA, despite guidelines discouraging such actions. Sony was verifying the issue and consulting with related businesses, as evidenced by nearly 20 companies (e.g., JR East, Rakuten Edy) issuing statements shortly after the August 28 report. Less than 45 days had passed since the late July report, and Sony’s response was not unusually delayed. The guidelines allow extensions for complex cases, and there’s no evidence Sony was negligent.
Kyodo News obtained the information from the discoverer, who also shared it with a security firm for verification, leading to further disclosure. While discoverers sometimes publicize vulnerabilities themselves, reporting to IPA and then leaking to media is unusual. Kyodo News contacted Sony, which acknowledged the issue but was forced to make a partial disclosure earlier than planned, avoiding detailed information to prevent zero-day attacks. Kyodo News articles exaggerated the issue, citing tampered FeliCa cards and warning of “serious consequences” and “disruption.”
Security expert Hiroshi Tokumaru notes that publicizing zero-day vulnerabilities is justified only when developers ignore them or when countermeasures are provided to ensure user safety. Here, no countermeasures were shared, and the disclosure likely increased user anxiety without enhancing safety. Sony has not publicized countermeasures, as the guidelines require coordinated disclosure, which was incomplete. Premature disclosure risks exploitation if attacks are feasible or undermines the reported severity if attacks are difficult, as Kyodo News’s alarmist tone suggested. Experts like Nobuhiro Tsuji argue that media should avoid fearmongering or incomplete reporting without countermeasures. Media disclosures are warranted only when developers hide vulnerabilities, ignore reports, or when attacks are widespread and urgent disclosure reduces harm.
Tsuji suggests government-media collaboration to inform the public appropriately, avoiding sensationalism. Sony and IPA reported no attacks at the time, and Kyodo News’s disclosure offered little information. IPA emphasizes that ad-hoc disclosures should be avoided, and while the system isn’t undermined by one case, media must respect the guidelines. Kyodo News likely knew the guidelines but proceeded anyway, raising questions about its motives, as the article didn’t claim Sony’s response was inadequate. The real “serious consequence” may be the reporting itself. Media should prioritize responsible, accurate information sharing over scoops, ensuring disclosures align with established protocols to protect users and maintain trust.
What’s wrong with the FeliCa vulnerability reporting?
And now it seems that the ‘security expert’ quoted in the Kyodo piece was the leaker who broke IPA security reporting protocols.
I was once friends with the CEO of Unknown Technologies, who, instead of “properly” reporting a FeliCa vulnerability, leaked it to Kyodo News to satisfy his need for self-aggrandizement. His stance was that as long as he could do what he wanted, he didn’t care if it was legally gray, and if warned, he’d just cut off the relationship. For example, he tried to achieve high-speed communication by using a different terminal, not the provided one, for PON (Passive Optical Network), a fiber-optic technology. This violated regulations and could potentially break laws, and if it caused issues, all terminals connected to the PON would lose connectivity. When I warned him to stop, he ended our friendship. By the way, he claimed to be the employer of @cheenanet, but I’m not sure if that’s true.
X post
An egocentric who doesn’t care about blowing off business relationships, thumbing his nose at protocols and boundaries while skirting laws, whose (most likely paper) company Unknown Technologies is capitalized at just ¥10,000. I wouldn’t be surprised if it turns out he shorted Sony stock to make money from his leak and the resulting Kyodo News report brouhaha, or if the Kyodo News reporter was in on it too. Nikkei and Kyodo reporters have been caught doing this kind of insider trading before. An all-around pathetic mess, and highly unprofessional and unethical.
And as for the reputation and reliability of Kyodo News reportage, let’s remember some of their other ‘exclusives’ like the 2019 ‘JR East is developing and will announce touchless walkthrough gates in 2020’ dud. An embarrassingly fake report long gone from the internet, but not forgotten.
UPDATE 2025-09-12
Koyama san reports: “Honestly, I didn’t expect various parties to react this much (to his published article), but it feels like Kyodo News might be unnecessarily (and pointlessly) fanning the flames even more. I did use the word ‘formalized’ in my interview with the IPA, but I have doubts about making the system stricter. Still, they probably aren’t thinking about that kind of thing, are they?”