[ISN] Patently Bad Move Gags Critics

From: InfoSec News (alerts@private)
Date: Thu Mar 01 2007 - 00:02:09 PST


By Jennifer Granick
Feb. 28, 2007

Guess what? Radio frequency identification tags are insecure. But don't 
demonstrate the technology's problems at a security conference. If you 
do, HID Global, a manufacturer of access-control devices, might sue you 
for patent infringement.

That's the threat the company leveled against Chris Paget of IOActive 
Monday, forcing him to pull the presentation he planned for the Black 
Hat DC 2007 conference taking place this week in Washington.

Paget had planned to discuss and demonstrate a technique for cloning 
RFID proximity cards -- the kind that are used to control access to 
buildings and offices. He performed a similar demonstration at the RSA 
Conference recently, using a home-brew RFID reader/writer.

I haven't seen the cease-and-desist letter, but from reports, HID Global 
seems to be claiming that cloning an RFID security card violates one or 
more of the company's patents on RFID reading technology. If true, this 
would make any third-party research into the security of the company's 
products illegal, as well as any public demonstration.

I'm sure burglars, identity thieves and others who misuse insecure RFIDs 
for personal gain will be deterred by the years of messy patent 
litigation they'll face if they start hacking RFIDs. It seems to have 
scared legitimate researchers pretty well.

I'm glad we didn't worry about whether hacking RFID infringes upon 
patents back in January, because at a symposium about new technology and 
the Fourth Amendment put on by Stanford Technology Law Review students, 
University of California at Berkeley computer science student David 
Molnar demonstrated for the audience a cheap little device 
cobbled together from Radio Shack parts that was able to read and clone 
radio frequency tags contained in our university ID cards.

On that same panel, Nicole Ozer, technology and civil liberties policy 
director for the ACLU of Northern California, told us that most people 
carry some sort of card that someone can read through a pants pocket, 
and thereby identify, track or impersonate them.

But it makes a much bigger impression when you see it happen before your 
very eyes, which is why a company might want to block a demonstration.

HID Global reportedly pointed to two of its patents for card readers -- 
No. 5,041,826 and No. 5,166,676. The important parts of a patent are the 
claims. To infringe a patent, one must make, use, sell or offer for sale 
an invention described by the patent's claims without the patent owner's 

Paget doesn't sell his reader, which you can see him demonstrate here. 
But he did make it. So if it operates identically to the card readers 
described in HID's patents, then the company's legal threat actually 
makes some theoretical sense. That should scare everyone reading this.

Patents have been issued for the most trivial of inventions -- there are 
multiple patents like No. 7,111,753, which grants rights with regard to 
a piece of paper that goes around a hot cup to stop your hand from 
getting burned. Combine excessive grants of patent rights with a 
company's narrow corporate self-interest in maintaining an image, and we 
have a free speech and security nightmare.

Imagine if, in the 1970s, the tobacco companies had patented devices to 
measure the health effects of smoking, then threatened lawsuits against 
anyone who researched their products.

The use of patent law to prevent vulnerability discovery and discussion 
is bitter irony, because a fundamental purpose of patent law is 
disclosure: In exchange for the right to exclude others from using, 
making or selling a novel invention, an inventor agrees to make public 
all the details. Once issued, patents are a searchable public record, 
and expire after 20 years.

This isn't a case about keeping dangerous information out of the hands 
of attackers. There's nothing new about RFID vulnerabilities: Everyone 
knows about them and has for years. Nor is this a case about properly 
rewarding HID for its innovative creativity. Paget isn't building and 
selling his own, competing devices.

This is a case about misusing intellectual property laws to silence 
critics who want to inform customers and consumers alike that the RFID 
emperor has no clothes.


Jennifer Granick is executive director of the Stanford Law School Center 
for Internet and Society, and teaches the Cyberlaw Clinic.
