By Paul F. Roberts
February 28, 2007
The widely reported dispute between security firm IOActive and secure
card maker HID has raised awareness about the risks associated with RFID
proximity cards and may prompt DHS warnings to government agencies about
use of the technology.
Representatives from IOActive, Black Hat, the ACLU, and the U.S.
Department of Homeland Security laid bare the vulnerabilities inherent
in the popular proximity cards and debated with a HID representative at
a panel discussion about RFID vulnerabilities that was part of the Black
Hat Federal security conference. While the discussion did little to
resolve the disagreements over the cancellation of a planned RFID
hacking session, the publicity around the incident may prompt greater
scrutiny of RFID security in the public and private spheres, panel
The panel discussion at Black Hat followed an abbreviated version of a
presentation on RFID security by Chris Paget, director of research and
development at IOActive.
IOActive said on Tuesday that it was pulling its presentation under
threat of legal action from HID, which claimed that Paget's discussion
of methods for creating an RFID cloning device would violate two HID
patents on RFID technology.
After discussing RFID technology at a high level and possible security
concerns arising from RFID, Paget informed the audience that he couldn't
discuss those vulnerabilities further. Instead, he presented a number of
slides that excerpted a letter from HID's attorneys and that seemed to
suggest that HID had demanded IOActive not present any information at
Black Hat. The slides ran contrary to an HID statement late Tuesday that
said the company never demanded that Paget cancel his talk.
"HID Global did not threaten IOActive or Chris Paget, its Director of
Research and Development, to stop its presentation at the Black Hat
event being held in Washington, DC on Wednesday, February 28, 2007. HID
Global, acting in the best interests of its customers worldwide, simply
informed IOActive and its management of the patents that currently
protect HID Global intellectual property," the e-mail statement read.
Mike Davis, director of intellectual property at HID, defended that
position and the company's efforts to suppress the presentation of
schematics and source code concerning its RFID proximity cards. In
sometimes testy exchanges with Paget and Dan Kaminsky of IOActive and in
comments to InfoWorld after the panel, Davis said that his company was
"ambushed" by IOActive and never threatened to sue Paget or IOActive.
"We never intended to sue IOActive," Davis said, noting that the company
only became aware of the issue on the 14th after Paget contacted them in
an e-mail but took a week to formulate a response.
Differences between the free-wheeling IT security community and a more
closed physical security industry may be partially to blame, according
to Joe Grand, a security researcher at Grand Idea Studio.
"Hardware companies are generally not involved in the security process,
so they don't know anything about disclosure. So their response is,
'Let's throw down the hammer,'" he said.
While the specifics of the dispute between HID and IOActive are shrouded
by legal maneuvers, there was general agreement that insecure RFID
deployments are a big problem that needs to be addressed soon.
"RFID is not a new technology. It's been around for decades, but its
going mainstream," Grand said.
In a wide-ranging panel discussion that followed Paget, Nicole Ozer, an
attorney with the ACLU; Black Hat director Jeff Moss; Mike Witt, a
Deputy Director of U.S. CERT (Computer Emergency Readiness Team), and
security researchers Kaminsky and Grand said the right of independent
security researchers to investigate problems like the vulnerabilities in
RFID proximity cards was critical to protect.
Witt of DHS said that U.S. CERT said that DHS often serves as an
intermediary between researchers and companies, especially when there is
a concern about legal dangers in outing security holes. The agency
generally gives companies 45 days to respond to reports of serious
security holes in their products, he said.
U.S. CERT is now working with both IOActive and HID to investigate the
issue and may issue a vulnerability notice concerning the security flaws
in HID proximity cards, said Mike Witt, a deputy director of U.S. CERT.
Witt said that use of HID proximity cards was widespread in the
government, but he didn't say whether DHS used the vulnerable RFID
Ozer of the ACLU said that HID's efforts to suppress discussion of flaws
in its RFID proximity cards may have the opposite effect: stirring
discussion about the vulnerable cards, which are often used to access
buildings, data centers, and other sensitive facilities.
With RFID technology working its way into passports and drivers
licenses, U.S. citizens need to be sure that the documents they are
required to carry are not vulnerable to cloning or data theft, Ozer
Paul F. Roberts is a senior editor at InfoWorld.
Visit the InfoSec News Security Bookstore!