RFID Flap Silences Security Researchers
New research into security vulnerabilities in radio frequency identification cards made by technology giant HID Global has been pulled from the lineup at an East Coast security conference this week.
Researchers from Seattle-based security provider IOActive were planning to detail a technique they developed to clone the credentials stored on certain RFID cards made by HID. The company was expected to present the findings Wednesday at the Black Hat Federal security conference in Crystal City, Va. However, IOActive last Thursday was contacted by HID attorneys, who claimed the researchers were infringing on HID's intellectual property.
Chris Paget, director of research for IOActive, said the company decided to cooperate, and it worked with Black Hat organizers to have details on their research torn from the conference materials.
"We felt we had no other choice -- given pending litigation -- to have the talk pulled," Paget said in a conference call this morning.
Paget said he built the cloning device mostly using information from HID's publicly filed patents and materials that anyone could purchase on eBay for about $20. He said his concern is that the same HID technology is being deployed to protect critical national infrastructure sites.
"The fact that this technique can be explained from the ground up in a 75-minute presentation is proof that the electronics inside probably are simpler than a Furby," Paget said (the National Security Agency several years ago banned the furry toy from its premises on account of its built-in recorder). "HID has known about this vulnerability for at least two years, probably longer."
Kathleen Carroll, director of government relations for HID, said the company contacted IOActive after reviewing a video recorded at the RSA Security conference in San Francisco earlier this month, where researchers could be seen demonstrating the cloning technique to several attendees.
Carroll said HID has "never denied the fact that you can potentially clone" one of its cards, and that the company never threatened IOActive with a lawsuit if the presentation went forward. "We simply asked them to modify the presentation so that it doesn't infringe on our intellectual property."
The incident is reminiscent of "Cisco-gate," a scandal that evolved out of another Black Hat conference in Las Vegas two years ago. Internet router maker Cisco had attempted to prevent security researcher Mike Lynn from presenting research about serious security holes in the company's hardware. Less than 48 hours before Lynn's scheduled talk, Cisco executives could be seen leading a team of helpers in tearing out copies of his slides from the conference materials. Lynn quit his job at Internet Security Systems - the Atlanta-based company where he'd done the research - in order to give his talk, producing some interesting fireworks that involved FBI investigators, lawyers and ultimately a hard drive with lots of little holes drilled into it. Cisco's reputation in the security research community took a hit from that episode, and Lynn is now employed by Cisco rival Juniper Networks.
The legal skirmish comes as the Department of Homeland Security is expected by early next week to issue regulations that would dictate the type of technology states will need to use to comply with the REAL ID Act, a measure enacted in 2005 as part of a military spending bill. The law requires states to encode driver's license information using a standardized "machine readable" technology, such as a bar code or an RFID chip. Beginning May 2008, the new identification cards will be required of anyone who wants to board a plane or enter a U.S. government building.
HID's Carroll said the company has repeatedly urged the government not to adopt, as an answer to REAL ID, proximity technology of the kind targeted by the IOActive researchers. Rather, she said, HID has urged policy makers to turn to smart card-based RFID technology that includes more robust methods for safeguarding stored information.
"When you're talking about cards that are going to contain people's personal information, that requires a very different type of technology," Carroll said.
But Nicole Ozer, civil liberties and technology policy director for the American Civil Liberties Union of Northern California, said the dispute could have a chilling effect on other researchers at a time when the need for such analysis has never been greater.
"This is some of the most important time for information to get out and people to understand the implications that these technologies have for privacy and security," Ozer said. "This is a very wide net that just got cast, and many people just got snared in it."