By Jennifer Granick
Feb, 28, 2007
Guess what? Radio frequency identification tags are insecure. But don't
demonstrate the technology's problems at a security conference. If you
do, HID Global, a manufacturer of access-control devices, might sue you
for patent infringement.
That's the threat the company leveled against Chris Paget of IOActive
Monday, forcing him to pull the presentation he planned for the Black
Hat DC 2007 conference taking place this week in Washington.
Paget had planned to discuss and demonstrate a technique for cloning
RFID proximity cards -- the kind that are used to control access to
buildings and offices. He performed a similar demonstration at the RSA
Conference recently, using a home-brew RFID reader/writer.
I haven't seen the cease-and-desist letter, but from reports, HID Global
seems to be claiming that cloning an RFID security card violates one or
more of the company's patents on RFID reading technology. If true, this
would make any third-party research into the security of the company's
products illegal, as well as any public demonstration.
I'm sure burglars, identity thieves and others who misuse insecure RFIDs
for personal gain will be deterred by the years of messy patent
litigation they'll face if they start hacking RFIDs. It seems to have
scared legitimate researchers pretty well.
I'm glad we didn't worry about whether hacking RFID infringes upon
patents back in January, because at a symposium about new technology and
the Fourth Amendment put on by Stanford Technology Law Review students,
University of California at Berkeley computer science student David
Molnar demonstrated (.mp4) for the audience a cheap little device
cobbled together from Radio Shack parts that was able to read and clone
radio frequency tags contained in our university ID cards.
On that same panel, Nicole Ozer, technology and civil liberties policy
director for the ACLU of Northern California, told us that most people
carry some sort of card that someone can read through a pants pocket,
and thereby identify, track or impersonate them.
But it makes a much bigger impression when you see it happen before your
very eyes, which is why a company might want to block a demonstration.
HID Global reportedly pointed to two of its patents for card readers --
No. 5,041,826 and No. 5,166,676. The important parts of a patent are the
claims. To infringe a patent, one must make, use, sell or offer for sale
an invention described by the patent's claims without the patent owner's
Paget doesn't sell his reader, which you can see him demonstrate here.
But he did make it. So if it operates identically to the card readers
described in HID's patents, then the company's legal threat actually
makes some theoretical sense. That should scare everyone reading this.
Patents have been issued for the most trivial of inventions -- there are
multiple patents like No. 7,111,753, which grants rights with regard to
a piece of paper that goes around a hot cup to stop your hand from
getting burned. Combine excessive grants of patent rights with a
company's narrow corporate self-interest in maintaining an image, and we
have a free speech and security nightmare.
Imagine if, in the 1970s, the tobacco companies had patented devices to
measure the health effects of smoking, then threatened lawsuits against
anyone who researched their products.
The use of patent law to prevent vulnerability discovery and discussion
is bitter irony, because a fundamental purpose of patent law is
disclosure: In exchange for the right to exclude others from using,
making or selling a novel invention, an inventor agrees to make public
all the details. Once issued, patents are a searchable public record,
and expire after 20 years.
This isn't a case about keeping dangerous information out of the hands
of attackers. There's nothing new about RFID vulnerabilities: Everyone
knows about them and has for years. Nor is this a case about properly
rewarding HID for its innovative creativity. Paget isn't building and
selling his own, competing devices.
This is a case about misusing intellectual property laws to silence
critics who want to inform customers and consumers alike that the RFID
emperor has no clothes.
Jennifer Granick is executive director of the Stanford Law School Center
for Internet and Society, and teaches the Cyberlaw Clinic.
Visit the InfoSec News Security Bookstore!