[ISN] Battle brewing over RFID chip-hacking demo

From: InfoSec News (alerts@private)
Date: Tue Feb 27 2007 - 00:23:30 PST


By Paul F. Roberts
February 26, 2007

Secure card maker HID Corp. is objecting to a demonstration of a hacking 
tool at this week's Black Hat Federal security conference in Washington, 
D.C. that could make it easy to clone a wide range of so-called 
"proximity" door access cards.

HID has sent a letter to IOActive, a security consulting firm, accusing 
Chris Paget, IOActive's director of research and development, of 
possible patent infringement over a planned presentation, "RFID for 
beginners," on Wednesday, a move that could lead to legal action should 
the talk go forward, according to Jeff Moss, founder and director of 
Black Hat.

[See also our video: "Hack in action" [1]]

IOActive will hold a press conference Tuesday at 9:00 AM to discuss the 
issue, IOActive CEO Joshua Pennell told InfoWorld.

Paget's talk will address widespread security issues with the 
implementation of RFID in proximity cards that are sold by HID and other 
companies and that are widely used for building access. His RFID cloner 
was on display at the recent RSA Security Conference in San Francisco, 
where he demonstrated for InfoWorld how the device could be used to 
steal access codes from HID brand proximity cards, store them, then use 
the stolen codes to fool a HID card reader.

Paget's presentation at Black Hat Federal will go deeper, providing 
schematics and source code that attendees could use to create their own 
cloning device, and discussing vulnerable implementations of RFID 
technology in a wide variety of devices, Paget told InfoWorld at RSA 
earlier this month.

"Hopefully I'll be able to give people some information about RFID and 
get some pressure on vendors to fix these lousy RFID implementations," 
Paget said. "As it stands, I can walk up to someone on the street or 
maybe stand next to them in an elevator, grab their card ID and get into 
the building," he said.

So far, Black Hat organizers have not been contacted or asked to cancel 
Paget's presentation, but lawyers representing Black Hat, which was 
purchased by CMP, are ready should that happen, Moss said.

"We're prepared for the worst," Moss said.

The incident between HID and IOActive recalls a 2005 imbroglio between 
researcher Michael Lynn and Cisco Systems over a presentation of a flaw 
in Cisco's IOS at a Black Hat event in Las Vegas.

In that incident, Cisco attorneys demanded that Lynn's presentation be 
torn out of the printed conference proceedings and that Lynn be blocked 
from giving his talk. Lynn ultimately resigned his position at Internet 
Security Systems Inc. (ISS) and gave the talk anyway, spawning lawsuits 
and even an FBI investigation of him.

Lynn now works as a researcher at Cisco competitor Juniper Networks.

Whereas Lynn's hack of IOS was considered novel, however, the IOActive 
demonstration of RFID vulnerabilities is largely a rehash of known 
issues, intended more as an introduction, Moss said.

"They've known about this for years and years," Moss said.

Kathleen Carroll, a spokeswoman for HID's Government Relations group, 
acknowledged that a letter was sent to IOActive but said that it did not 
mention patent infringement. She said that the company has long been 
aware that its proximity cards are vulnerable to hacking but does not 
believe that the cards are as vulnerable as Paget suggests.

"For someone to be able to surreptitiously read a card, they'd have to 
get within two or three inches and get into the same plane as the card," 
Carroll said.

HID is also concerned that Paget's demonstration will popularize the 
vulnerabilities in its proximity cards and endanger its many customers.

"These systems are installed all over the place. It's not just HID, but 
lots of companies, and there hasn't been a problem. Now we've got a 
person who's saying let's get publicity for our company and show 
everyone how to do it, and it puts everyone at risk. Where's the sense 
of responsibility?" Carroll said.

According to Moss, HID has charged Paget with patent infringement over 
his presentation, but has not laid out any particular remedies or 
threatened actions, making it difficult to ascertain what the company 
might do -- if anything -- to block the presentation.

Security problems with implementations of RFID are well known and have 
been publicized before. In 2005, security consultant Jonathan Westhues 
detailed attacks against implanted VeriChip RFID chips. More recently, 
in January, Westhues posted detailed code and schematics for an RFID 
hacking device that can act as a reader, eavesdrop on RFID transactions 
between reader and a tag, analyze the signal received over the air, or 
impersonate a tag.

In 2005, Avi Rubin and other researchers at Johns Hopkins also sounded 
the alarm about weak security in RFID implementations by hacking 
technology from Texas Instruments that is used in late-model car 
ignition systems and in electronic payment systems.

All that attention hasn't sparked much change at companies like HID, 
which makes fifteen different types of proximity cards in their Prox 
Products and Indala Prox Products lines, all of which are believed to be 
vulnerable to cloning, according to Paget.

"Some of these cards have been around for 15 years and were developed 
when there was no awareness of the problem," Carroll said.

Asked why HID hasn't addressed the issue in more recent proximity card 
systems, after knowledge of RFID threats became common, Carroll said 
that doing so would cause "major upheaval" among customers.

Inertia is a more likely cause, said Dan Kaminsky, director of 
penetration testing at IOActive.

"They didn't want to change to a more secure implementation because of 
backwards compatibility issues, and they had a lot of sites that use 
these cards, and HID has stuff to sell them," Kaminsky said.

Paget's hack was no feat of engineering wizardry, Kaminsky said. "It 
took a month -- and he wasn't even working on it full time."

The problem is that RFID technology, although good for inventory 
tracking as a replacement for barcodes, is not well suited for security, 
Kaminsky said.

"The technology is very convenient, but don't interpret the convenience 
as security," Kaminsky said. "At the end of the day, many companies are 
essentially using barcode technology to control access to their 
facilities. I'd posit that perhaps there are more secure technologies 
out there."

HID recommends that customers who are concerned about cloning upgrade to 
one of HID's smart card products, which do encrypt transmissions between 
card and reader and are more difficult to hack, Carroll said.

HID also recommends that companies that use the cards train their 
employees to look for suspicious activity that might indicate that 
someone is trying to clone or spoof access cards.

As for Paget's presentation, Moss expressed frustration over HID's 
actions, especially given the widespread attention RFID security has 
already received.

"It's just so frustrating from a security standpoint. Now anytime 
someone wants to talk about anything, they need a team of lawyers. Even 
when it's about commonly understood problems," Moss said.

For now, Moss said, Black Hat is supporting Paget and his presentation -- 
even if last-minute changes are needed to satisfy HID.

Paul F. Roberts is a senior editor at InfoWorld.

[1] http://www.infoworld.com/video/archives/2007/02/rsa_ioactive.html
