The widely reported dispute between security firm IOActive and secure card maker HID has raised awareness about the risks associated with RFID proximity cards and may prompt DHS warnings to government agencies about use of the technology.
Representatives from IOActive, Black Hat, the ACLU, and the U.S. Department of Homeland Security laid bare the vulnerabilities inherent in the popular proximity cards and debated with a HID representative at a panel discussion about RFID vulnerabilities that was part of the Black Hat Federal security conference. While the discussion did little to resolve the disagreements over the cancellation of a planned RFID hacking session, the publicity around the incident may prompt greater scrutiny of RFID security in the public and private spheres, panel members agreed.
The panel discussion at Black Hat followed an abbreviated version of a presentation on RFID security by Chris Paget, director of research and development at IOActive.
IOActive said on Tuesday that it was pulling its presentation under threat of legal action from HID, which claimed that Paget's discussion of methods for creating an RFID cloning device would violate two HID patents on RFID technology.
After discussing RFID technology at a high level and possible security concerns arising from RFID, Paget informed the audience that he couldn't discuss those vulnerabilities further. Instead, he presented a number of slides that excerpted a letter from HID's attorneys and that seemed to suggest that HID had demanded IOActive not present any information at Black Hat. The slides ran contrary to an HID statement late Tuesday that said the company never demanded that Paget cancel his talk.
"HID Global did not threaten IOActive or Chris Paget, its Director of Research and Development, to stop its presentation at the Black Hat event being held in Washington, DC on Wednesday, February 28, 2007. HID Global, acting in the best interests of its customers worldwide, simply informed IOActive and its management of the patents that currently protect HID Global intellectual property," the e-mail statement read.
Mike Davis, director of intellectual property at HID, defended that position and the company's efforts to suppress the presentation of schematics and source code concerning its RFID proximity cards. In sometimes testy exchanges with Paget and Dan Kaminsky of IOActive and in comments to InfoWorld after the panel, Davis said that his company was "ambushed" by IOActive and never threatened to sue Paget or IOActive.
"We never intended to sue IOActive," Davis said, noting that the company only became aware of the issue on the 14th after Paget contacted them in an e-mail but took a week to formulate a response.
Differences between the free-wheeling IT security community and a more closed physical security industry may be partially to blame, according to Joe Grand, a security researcher at Grand Idea Studio.
"Hardware companies are generally not involved in the security process, so they don't know anything about disclosure. So their response is, 'Let's throw down the hammer,'" he said.
While the specifics of the dispute between HID and IOActive are shrouded by legal maneuvers, there was general agreement that insecure RFID deployments are a big problem that needs to be addressed soon.