[ISN] Lawsuits, patent claims silence Black Hat talk

From: InfoSec News (alerts@private)
Date: Tue Feb 27 2007 - 22:13:35 PST


By Paul  F. Roberts
February 27, 2007

A planned talk on RFID security by a security researcher has been pulled 
from this week's Black Hat Federal security conference after secure card 
maker HID claimed the talk violated the company's patent rights and 
threatened to take legal action against Chris Paget, the researcher, and 
IOActive, Paget's employer, if the talk went forward.

The company decided to cancel the talk after all-night negotiations with 
HID collapsed, said Josh Pennell, CEO of IOActive. In response, Black 
Hat organizers were forced to tear materials out of printed show 
proceedings and will instead present a discussion by a representative of 
the ACLU on the criticality of RFID security, said Jeff Moss, founder 
and director of Black Hat.

A spokeswoman for HID did not immediately respond to a request for 

The incident recalled a 2005 dispute over a presentation at Black Hat in 
Las Vegas involving Cisco Systems and Michael Lynn, a security 
researcher who worked for Internet Security Systems at the time.

IOActive's decision to abort their presentation follows days of tense 
negotiations between the two companies, after HID became alarmed about 
Paget's discussion, "RFID for beginners," which was to address 
widespread security issues with the implementation of RFID in proximity 
cards that are sold by HID and other companies. Paget's RFID cloning 
device was on display at the recent RSA Security Conference in San 
Francisco, where he demonstrated for InfoWorld how the device could be 
used to steal access codes from HID brand proximity cards, store them, 
then use the stolen codes to fool a HID card reader.

Paget's presentation at Black Hat Federal would have included schematics 
and source code that attendees could use to create their own cloning 
device, and a discussion of vulnerable implementations of RFID 
technology in a wide variety of devices, Paget told InfoWorld at RSA 
earlier this month.

HID claimed that Paget's talk would infringe upon two patents the 
company owns, one dating to 1991 and another dating to 1992. Both cover 
methods of detecting RFID signals between a transponder embedded in a 
device and an "interrogator," according to a source familiar with HID's 

Pennell and others doubted that such broad patent claims could be used 
to stifle free speech, but said that the legal pressure mounted by HID, 
a subsidiary of Swedish firm ASSA ABLOY, was too much for his small, 
Seattle-based consulting firm to withstand.

"If we say anything, HID will sue. These large companies have lots of 
resources, so they can find [legal] matter with pretty much anything," 
Pennell said, admitting disappointment at the failure to reach an 
agreement with HID.

"It's always been IOActive's intent to help people with security," he 

Chris Paget said that, unlike Lynn's sophisticated hack of Cisco's IOS 
operating system, the RFID cloning devices he built were simple devices 
concocted from around $20 in off-the-shelf parts purchased on eBay.

"This thing is simpler than a Furbie," he said, referring to the plush 
electronic play toy of years past. Moreover, the HID patents in question 
are public documents, containing all the information needed to build the 
RFID cloner, he said.

"This is not something new that we're doing. HID has known about this 
for about two years, if not longer," Paget said.

Indeed, HID marketing materials for its Smart Card technology notes that 
"by using diversified unique keys and industry standard encryption 
techniques, the risk of compromised data or duplicated (smart) cards is 
reduced," and that "these security measures are not implemented in 
proximity cards, giving contactless smart cards a significant security 

While it's possible to make secure RFID devices that can store sensitive 
information, the HID proximity cards that use it are not secure, and 
customers who use the cards need to know that, Paget said.

"Our intent was to disseminate information so people could make informed 
decisions about RFID technology they're deploying. For example, whether 
to deploy a proximity card with a secondary factor like a biometric or 
PIN [personal ID number]. But we've been prevented by HID from 
discussing that, and we believe it's detrimental to the security 
community," he said.

Nicole Ozer, technology & civil liberties policy director at the ACLU of 
Northern California, said that the work IOActive was doing was vital and 
that, while the group supports the enforcement of patent law, "free 
speech must be protected and not "trampled by the overzealous use of 
patent law."

Government agencies, including the Government Accountability Office and 
the Department of Homeland Security, have all raised concerns about RFID 
security, even as they issue guidelines for using RFID in passports and 
other documents, she said.

"It's particularly important that the government and the public have all 
the information on RFID technology. The use of RFID without the proper 
protections could jeopardize privacy, security, and public safety," she 

For Moss and Black Hat, which is now part of CMP, the decision by 
IOActive to cancel Paget's talk was a discouraging reprise of the 
controversy two years ago over Michael Lynn's talk in Las Vegas. Show 
organizers, once again ripping pages out of conference proceedings at 
the request of IOActive, and recalling CDs containing copies of Paget's 

"We're supporting IOActive," Moss said, noting that CMP had its legal 
team working on behalf of IOActive to see if a solution could be 

"I'm not sure if it was part of HID's strategy to drop a bomb at the 
last minute, but it really screwed up our conference strategy," he said.

Subscribe to the InfoSec News RSS Feed

This archive was generated by hypermail 2.1.3 : Tue Feb 27 2007 - 22:28:32 PST