Lawmakers working to ban hacked RFID door cards

There's already an RFID security brouhaha brewing in Washington, and if some people have their way, it won't be the last legal fight waged in the nation's capital over use of the wireless technology.

The IT security community is buzzing with interest over a legal spat that broke out on Feb. 27, one day ahead of the start of the Black Hat DC 2007 conference.

Officials with Seattle-based IOActive were forced to scale back a planned presentation at the government-themed security trade show in which an expert from the company was to have detailed a technique for hacking data transmitted by HID's popular proximity identification cards used by millions of people nationwide. 

Chris Paget, IOActive's director of research and development, had planned to show off an RFID "cloning" device that could be used to steal access codes from HID-brand proximity cards, store them, then use the stolen codes to fool an HID card reader.

According to show organizers, HID quashed the session by threatening to file a patent infringement suit against IOActive over the use of source code and schematics for creating an HID card cloning device in the demonstration.

Despite the Black Hat lecture's amendment, U.S. lawmakers say the debate over use of similar RFID security technologies in the government space is far from over.

IOActive claims that its initial experiment in hacking the HID system was partially spawned by the firm's physical proximity to government IT assets protected by the devices. The security service provider maintains that its offices are located in a building that uses HID's cards for physical access that also houses "components of the nation's critical infrastructure."

Such concerns have pushed some lawmakers to introduce new bills seeking to limit the use of RFID-based systems in the government sector. Among those backing legislation is California State Senator Joe Simitian, a Democrat who is currently pushing five related bills in his home state.

One of the laws introduced by Simitian (California SB-31), whose 11th Senate District encompasses much of California's Silicon Valley, directly addresses "skimming," the same hacker technique to have been displayed by IOActive through which wireless transmissions from RFID technologies may be captured.

A second bill (California SB-30) calls for a moratorium on the adoption of RFID technology in government-issued IDs, while the others propose similar controls for a range of use cases for the technology, including barring applications for tracking students in the state's school systems.

Simitian submitted the bills after California Gov. Arnold Schwarzenegger vetoed a broader piece of legislation proposing limits on the use of RFID in the government in Oct. 2006. The governor cited his belief that the bill could "unduly burden the numerous beneficial new applications of contact-less technology" as his main reason for shooting it down.