http://www.wired.com/news/columns/0,72819-0.html

By Jennifer Granick
Feb. 28, 2007

Guess what? Radio frequency identification tags are insecure. But don't demonstrate the technology's problems at a security conference. If you do, HID Global, a manufacturer of access-control devices, might sue you for patent infringement.

That's the threat the company leveled against Chris Paget of IOActive Monday, forcing him to pull the presentation he planned for the Black Hat DC 2007 conference taking place this week in Washington.

Paget had planned to discuss and demonstrate a technique for cloning RFID proximity cards -- the kind that are used to control access to buildings and offices. He performed a similar demonstration at the RSA Conference recently, using a home-brew RFID reader/writer.

I haven't seen the cease-and-desist letter, but from reports, HID Global seems to be claiming that cloning an RFID security card violates one or more of the company's patents on RFID reading technology. If true, this would make any third-party research into the security of the company's products illegal, as well as any public demonstration.

I'm sure burglars, identity thieves and others who misuse insecure RFIDs for personal gain will be deterred by the years of messy patent litigation they'll face if they start hacking RFIDs. It seems to have scared legitimate researchers pretty well.

I'm glad we didn't worry about whether hacking RFID infringes upon patents back in January, because at a symposium about new technology and the Fourth Amendment put on by Stanford Technology Law Review students, University of California at Berkeley computer science student David Molnar demonstrated (.mp4) for the audience a cheap little device cobbled together from Radio Shack parts that was able to read and clone radio frequency tags contained in our university ID cards.

On that same panel, Nicole Ozer, technology and civil liberties policy director for the ACLU of Northern California, told us that most people carry some sort of card that someone can read through a pants pocket, and thereby identify, track or impersonate them. But it makes a much bigger impression when you see it happen before your very eyes, which is why a company might want to block a demonstration.

HID Global reportedly pointed to two of its patents for card readers -- No. 5,041,826 and No. 5,166,676. The important parts of a patent are the claims. To infringe a patent, one must make, use, sell or offer for sale an invention described by the patent's claims without the patent owner's authorization.

Paget doesn't sell his reader, which you can see him demonstrate here. But he did make it. So if it operates identically to the card readers described in HID's patents, then the company's legal threat actually makes some theoretical sense.

That should scare everyone reading this. Patents have been issued for the most trivial of inventions -- there are multiple patents like No. 7,111,753, which grants rights with regard to a piece of paper that goes around a hot cup to stop your hand from getting burned. Combine excessive grants of patent rights with a company's narrow corporate self-interest in maintaining an image, and we have a free speech and security nightmare.

Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products.

The use of patent law to prevent vulnerability discovery and discussion is bitter irony, because a fundamental purpose of patent law is disclosure: In exchange for the right to exclude others from using, making or selling a novel invention, an inventor agrees to make public all the details. Once issued, patents are a searchable public record, and expire after 20 years.

This isn't a case about keeping dangerous information out of the hands of attackers. There's nothing new about RFID vulnerabilities: Everyone knows about them and has for years. Nor is this a case about properly rewarding HID for its innovative creativity. Paget isn't building and selling his own, competing devices.

This is a case about misusing intellectual property laws to silence critics who want to inform customers and consumers alike that the RFID emperor has no clothes.

-==-

Jennifer Granick is executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic.
This archive was generated by hypermail 2.1.3 : Thu Mar 01 2007 - 00:10:20 PST