[ISN] Black Hat dispute stirs RFID security awareness

From: InfoSec News (alerts@private)
Date: Thu Mar 01 2007 - 00:05:10 PST


By Paul F. Roberts
February 28, 2007

The widely reported dispute between security firm IOActive and secure 
card maker HID has raised awareness about the risks associated with RFID 
proximity cards and may prompt DHS warnings to government agencies about 
use of the technology.

Representatives from IOActive, Black Hat, the ACLU, and the U.S. 
Department of Homeland Security laid bare the vulnerabilities inherent 
in the popular proximity cards and debated with an HID representative at 
a panel discussion about RFID vulnerabilities that was part of the Black 
Hat Federal security conference. While the discussion did little to 
resolve the disagreements over the cancellation of a planned RFID 
hacking session, the publicity around the incident may prompt greater 
scrutiny of RFID security in the public and private spheres, panel 
members agreed.

The panel discussion at Black Hat followed an abbreviated version of a 
presentation on RFID security by Chris Paget, director of research and 
development at IOActive.

IOActive said on Tuesday that it was pulling its presentation under 
threat of legal action from HID, which claimed that Paget's discussion 
of methods for creating an RFID cloning device would violate two HID 
patents on RFID technology.

After discussing RFID technology at a high level and possible security 
concerns arising from RFID, Paget informed the audience that he couldn't 
discuss those vulnerabilities further. Instead, he presented a number of 
slides that excerpted a letter from HID's attorneys and that seemed to 
suggest that HID had demanded IOActive not present any information at 
Black Hat. The slides ran contrary to an HID statement late Tuesday that 
said the company never demanded that Paget cancel his talk.

"HID Global did not threaten IOActive or Chris Paget, its Director of 
Research and Development, to stop its presentation at the Black Hat 
event being held in Washington, DC on Wednesday, February 28, 2007. HID 
Global, acting in the best interests of its customers worldwide, simply 
informed IOActive and its management of the patents that currently 
protect HID Global intellectual property," the e-mail statement read.

Mike Davis, director of intellectual property at HID, defended that 
position and the company's efforts to suppress the presentation of 
schematics and source code concerning its RFID proximity cards. In 
sometimes testy exchanges with Paget and Dan Kaminsky of IOActive and in 
comments to InfoWorld after the panel, Davis said that his company was 
"ambushed" by IOActive and never threatened to sue Paget or IOActive.

"We never intended to sue IOActive," Davis said, noting that the company 
only became aware of the issue on the 14th after Paget contacted them in 
an e-mail but took a week to formulate a response.

Differences between the free-wheeling IT security community and a more 
closed physical security industry may be partially to blame, according 
to Joe Grand, a security researcher at Grand Idea Studio.

"Hardware companies are generally not involved in the security process, 
so they don't know anything about disclosure. So their response is, 
'Let's throw down the hammer,'" he said.

While the specifics of the dispute between HID and IOActive are shrouded 
by legal maneuvers, there was general agreement that insecure RFID 
deployments are a big problem that needs to be addressed soon.

"RFID is not a new technology. It's been around for decades, but it's 
going mainstream," Grand said.

In a wide-ranging panel discussion that followed Paget, Nicole Ozer, an 
attorney with the ACLU; Black Hat director Jeff Moss; Mike Witt, a 
Deputy Director of U.S. CERT (Computer Emergency Readiness Team); and 
security researchers Kaminsky and Grand said the right of independent 
security researchers to investigate problems like the vulnerabilities in 
RFID proximity cards was critical to protect.

Witt of U.S. CERT said that DHS often serves as an 
intermediary between researchers and companies, especially when there is 
a concern about legal dangers in outing security holes. The agency 
generally gives companies 45 days to respond to reports of serious 
security holes in their products, he said.

U.S. CERT is now working with both IOActive and HID to investigate the 
issue and may issue a vulnerability notice concerning the security flaws 
in HID proximity cards, said Mike Witt, a deputy director of U.S. CERT. 
Witt said that use of HID proximity cards was widespread in the 
government, but he didn't say whether DHS used the vulnerable RFID 
proximity cards.

Ozer of the ACLU said that HID's efforts to suppress discussion of flaws 
in its RFID proximity cards may have the opposite effect: stirring 
discussion about the vulnerable cards, which are often used to access 
buildings, data centers, and other sensitive facilities.

With RFID technology working its way into passports and driver's 
licenses, U.S. citizens need to be sure that the documents they are 
required to carry are not vulnerable to cloning or data theft, Ozer 

Paul F. Roberts is a senior editor at InfoWorld.
