SecurityFocus 2007-02-27
A security researcher scheduled to present information on issues with radio-frequency identification (RFID) technology at the Black Hat Federal conference this week was silenced by security technology giant HID Global, which claimed the presentation would violate its intellectual property.
The presentation would have described the technical foundations of RFID technology and demonstrated the security problems with contactless RFID, showing off a device capable of cloning HID cards, said the would-be presenter, Chris Paget, director of research and development for security firm IOActive. The device is similar to other RFID cloners and was built using $20 in parts bought on eBay, Paget said.
"In terms of the electronics, it is not any more complicated than a Furby," Paget said. "This isn't something new we are doing. HID has known about this for at least two years."
The scuttled presentation is the second time in two years that a security researcher has had to withdraw from the Black Hat Conference under legal threat. In July 2005, networking giant Cisco attempted to quash a presentation on flaws in Cisco's IOS operating system for network hardware by threatening the presenter, researcher Mike Lynn, and his company, Internet Security Systems, with legal action. The Black Hat Conference staff ripped out the presentation's pages from the proceedings, but Lynn, of his own accord, decided to present anyway. Both Cisco and Internet Security Systems sued the researcher, but settled in a matter of days.
The legal tactics tarnished Cisco's image among security researchers. Yet, while researchers pledged to reproduce Lynn's work, no one has publicly disclosed a way to run code on Cisco's networking hardware.
The current legal wrangling is the latest controversy regarding RFID technology, which is quickly finding its way into warehouses to track product but also into driver's licenses, credit cards, and passports. Both security researchers and privacy advocates have criticized the technology as potentially dangerous. At the DEF CON Hacking Conference in August, a German researcher showed that the information stored in that country's passport could be cloned using an RFID reader.
"There is critical national infrastructure being protected by these things (RFID chips)," IOActive's Paget said. "There is a lot of misunderstanding in the industry regarding the security of these things. Our intent was to disseminate information so that people can make a knowledgeable decision about deploying RFID."
Whether the letter sent to IOActive and the subsequent discussions, which halted at 5 a.m. Tuesday with no agreement between the companies, constituted a legal threat appears to be a matter of debate. HID Global did not ask IOActive to refrain from giving the presentation, but asked that any schematics and source code belonging to the company not be distributed, Kathleen Carroll, HID's director of government relations, told SecurityFocus.
"We did not threaten IOActive with a lawsuit, if they went forward with the presentation," Carroll said. "We were in talks with them throughout the night to try and resolve this with them. We merely wanted them to modify the presentation."
Carroll, who spoke with SecurityFocus from a conference in Washington D.C. on deploying such technology for identification cards, said that IOActive's attack amounted to a theoretical threat, not a real-world risk. Two weeks ago, IOActive demonstrated that it could clone RFID cards at the RSA Security Conference in San Francisco. However, Carroll maintained that in the real world, the attack would not be subtle or, likely, feasible.
"You don't see (Paget) walking by somebody," Carroll said. "Someone handed him the card. It has to get within 2 to 3 inches of the reader and it has to be in the same plane as the reader."