RFID Flap Silences Security Researchers
New research into security vulnerabilities in radio frequency identification cards made by technology giant HID Global has been pulled from the lineup at an East Coast security conference this week.
Researchers from Seattle-based security provider IOActive were planning to detail a technique they developed to clone the credentials stored on certain RFID cards made by HID. The company was expected to present the findings Wednesday at the Black Hat Federal security conference in Crystal City, Va. However, IOActive last Thursday was contacted by HID attorneys, who claimed the researchers were infringing on HID's intellectual property.
Chris Paget, director of research for IOActive, said the company decided to cooperate, and it worked with Black Hat organizers to have details on their research torn from the conference materials.
"We felt we had no other choice -- given pending litigation -- to have the talk pulled," Paget said in a conference call this morning.
Paget said he built the cloning device mostly using information from HID's publicly filed patents and materials that anyone could purchase off of eBay for about $20. He said his concern is that the same HID technology is being deployed to protect critical national infrastructure sites.
"The fact that this technique can be explained from the ground up in a 75 minute presentation is proof that the electronics inside probably are simpler than a Furby," Paget said (the National Security Agency several years ago banned the furry toy from its premises on account of its built-in recorder). "HID has known about this vulnerability for at least two years, probably longer."
Kathleen Carroll, director of government relations for HID, said the company contacted IOActive after reviewing a video recorded at the RSA Security conference in San Francisco earlier this month, where researchers could be seen demonstrating the cloning technique to several attendees.
Carroll said HID has "never denied the fact that you can potentially clone" one of its cards, and that the company never threatened IOActive with a lawsuit if the presentation went forward. "We simply asked them to modify the presentation so that it doesn't infringe on our intellectual property."
The incident is reminiscent of "Cisco-gate," a scandal that evolved out of another Black Hat conference in Las Vegas two years ago. Internet router maker Cisco had attempted to prevent security researcher Mike Lynn from presenting research about serious security holes in the company's hardware. Less than 48 hours before Lynn's scheduled talk, Cisco executives could be seen leading a team of helpers in tearing out copies of his slides from the conference materials. Lynn quit his job at Internet Security Systems - the Atlanta-based company where he'd done the research - in order to give his talk, producing some interesting fireworks that involved FBI investigators, lawyers and ultimately a hard drive with lots of little holes drilled into it. Cisco's reputation in the security research community took a hit from that episode, and Lynn is now employed by Cisco rival Juniper Networks.
The legal skirmish comes as the Department of Homeland Security is expected by early next week to issue regulations that would dictate the type of technology states will need to use to comply with the REAL ID Act, a measure enacted in 2005 as part of a military spending bill. The law requires states to encode driver's license information using a standardized "machine readable" technology, such as a bar code or an RFID chip. Beginning May 2008, the new identification cards will be required of anyone who wants to board a plane or enter a U.S. government building.
HID's Carroll said the company repeatedly has urged the government not to consider as an answer to RealID the proximity technology of the kind targeted by the IOActive researchers. Rather, she said, HID has urged policy makers to turn to smart card-based RFID technology that includes more robust methods for safeguarding stored information.
"When you're talking about cards that are going to contain people's personal information, that requires a very different type of technology," Carroll said.
But Nicole Ozer, civil liberties and technology policy director for the American Civil Liberties Union of Northern California, said the dispute could have a chilling effect on other researchers at a time when the need for such analysis has never been greater.
"This is some of the most important time for information to get out and people to understand the implications that these technologies have for privacy and security," Ozer said. "This is a very wide net that just got cast, and many people just got snared in it."
By Brian Krebs | February 27, 2007; 4:43 PM ET
Posted by: ACLU of Northern California | February 27, 2007 8:35 PM
IOActive should know that this is not ground breaking "research". 125kHz is what IOActive has cloned which is no surprise to anyone that is involved in this industry. 13.56MHz contactless cards have been available for some time now to add an increased level of security via encryption. The price points are finally low enough to consider this as a replacement for older/less secure 125kHz technology. It will take some time before all systems can convert away from 125kHz legacy to newer 13.56 MHz technology. For larger companies, the price points to rip out and replace an entire system is a large physical access investment. This does not happen overnight. IOActive probably knows this and is just looking for some publicity by scaring the public. At the end of the day, almost everything can be cloned, even a biometric. The purpose of these technologies is to add SOME layer of security and convenience. Nothing is bullet proof. As time progresses, there is a trend towards higher security which takes time to make prevalent.
Posted by: Theresa A | February 27, 2007 10:02 PM
I'm not extremely worried about people having the ability to clone the rfid cards, that's nothing new. To get into any secure facility you also need to enter a code into a keypad. The really secure facilities require escort for anyone who isn't known.
Posted by: wiredog | February 28, 2007 8:29 AM
That's right, let's threaten all hackers with intellectual property violation, that will scare them...
Posted by: DBH | February 28, 2007 11:32 AM
"IOActive probably knows this and is just looking for some publicity by scaring the public."
One could claim this for all security research (indeed, all research) is 'just looking for publicity'. In fact, I see that sentiment expressed fairly often.
To me, security research is only scary when companies use large legal teams coupled with dubious legal claims to silence and intimidate researchers.
The only reason this vulnerability is getting any press is because of the actions of HID.
Carroll seems quite disingenuous when she states "We simply asked them to modify the presentation so that it doesn't infringe on our intellectual property." They simply used legal thugs to prevent embarrassing information from becoming public.
I'm glad that Nader did not face such threats (or did he?) when publishing 'unsafe at any speed'. What would be the impact on automobile safety if manufacturers claimed that any discussion of safety failures violated their intellectual property?
DA
Posted by: DA | February 28, 2007 11:48 AM
You can minimize the threat of cloning or eavesdropping in any RFID enabled cards (e.g., ID cards or credit cards).
Smart Tools' RFID Shield is a protective sleeve for RFID cards. This blocks RFID while the card is in the sleeve, and lets RFID talk again when the card is removed.
To have minimal stray RFID communication, you'd keep the ID card in the sleeve until you're next to the reader, then remove the ID card only so far that the reader can read the RFID'd ID card. This keeps long distance (or 3rd party) RFID communication probability low.
Even when the ID card is RFID blocked, the front face of the ID card is still readable. This helps if you need to show your ID card to somebody.
There's more info at:
http://smarttools.home.att.net/rfshield.htm
Posted by: Byron | February 28, 2007 12:12 PM
While it is very difficult to block the older 125kHz cards from communicating, Identity Stronghold products work with HID's new iClass products and the new contactless credit cards. We regularly demonstrate our products with their cards and readers at trade shows and conferences. We even manufacture a badgeholder that allows one handed activation of the card without removing it from the holder. The cards provide a valuable service. Without them many facilities would have to resort to expensive manual inspections by personnel which adds human error to the mix. A combination of our products and HID's new iClass products makes a secure solution.
More info at:
Posted by: Walt Augustinowicz | February 28, 2007 3:18 PM
Shoot ALL the messengers!
Posted by: CAPNz | March 1, 2007 11:50 AM
This is technology that isn't ready to go out the door. Asking people to "sleeve" their card isn't going to work. How many people do you know that are going to know to do it? I have observed a CISSP person thump Java on in Firefox and leave it that way (I certainly won't do it). Will the sleeve fit in their card holders in their wallet? If it doesn't, then in addition to the sleeve they need new wallets that accommodate those sleeves. I can count on at least 80% of the people being blissfully unaware of the problem. Of the less than 20% of the people that will be aware of the problem, I can assure you over 80% of those will NOT take any preventative measures.
We need to go back to the drawing board people.
Posted by: hhhobbit | March 3, 2007 3:13 AM
Read the full comments of Nicole Ozer, civil liberties and technology policy director for the American Civil Liberties Union of Northern California, in her blog post: http://www.aclunc.org/issues/technology/bytes_and_pieces/blackhat_presenters_threatened_with_patent_suit_for_exposing_rfid_vulnerabilities.shtml