Lawmakers working to ban hacked RFID door cards

U.S. lawmakers say the debate over the use of RFID technologies is far from over

To help illustrate the seriousness of the situation to his colleagues in California's senate and state assembly, Simitian conducted a test in 2006 through which a security expert was hired to visit the state's capitol building in Sacramento and hack an RFID card system used to gain entry to the building's garage. The cards used in that test were made by Motorola.

"We're at the state capitol building in the post-9/11 environment, and we've spent millions to improve security, but in the space of several minutes, someone with a laptop can compromise the badge system," Simitian said in an interview with InfoWorld. "The main problem is that the issues aren't widely understood. That's why we've come back with five bills -- because I want to ensure I get to tell this story in every venue that I can; if we can sit down and explain the issue to people, they get it, but it's a hard, complex technical issue."

Simitian said that HID was involved in negotiating the terms of the bill vetoed by Gov. Schwarzenegger but said that the firm still refused to give the legislation its blessing.

The lawmaker labeled HID's move to stop the IOActive Black Hat briefing as proof of its "embarrassment" over the ease with which its products can be defeated.

As the son of a computer programmer and the recipient of several awards from the IT security industry, including an honor bestowed at the RSA 2007 conference earlier this month, Simitian said he hardly considers himself as conservative when it comes to promoting new technologies. He has a hard time understanding why Schwarzenegger and others have blocked laws that require "practical" security measures for the use of RFID.

"I'm a moderate on this issue, which is what frustrates me with the pushback, but those of us who are advocates for technology also know best that it must be used well and wisely," he said. "We have only ourselves to blame if not, and the notion of embedding government documents with RFID with no protections, or to use it in government ID cards, just strikes me as irresponsible."

One of the solutions proposed by HID, whose officials maintain that the company's proximity cards have not been targeted by skimming attacks on a widespread basis, is for concerned customers to upgrade to its more expensive smart card IDs, which use a more advanced form of "active" RFID.

"That's what was so frustrating about governor's message: He said that placing limits on RFID is premature, but the technology has already been with us for a decade," Simitian said. "Should we wait until it's deployed to millions of Californians and then worry? The time to identify problems is now before things get out of control. I think the public expects that."

And data skimming isn't the only security concern to have been posed regarding RFID systems, which are being used for a wide range of industrial applications beyond providing access to facilities.

In March 2006, Dutch researchers published a research report that contends that RFID chips can be infected with malware and used to spread attacks to the back-end IT systems to which they're connected.

People like Simitian who oppose further adoption of RFID technologies in the government sector often refer to a now-defunct pilot program operated by the Department of Homeland Security (DHS) as further evidence that the tools aren't ready for widespread use.