Chris Paget said that, unlike Lynn's sophisticated hack of Cisco's IOS operating system, the RFID cloning devices he built were simple devices concocted from around $20 in off-the-shelf parts purchased on eBay.
"This thing is simpler than a Furbie," he said, referring to the plush electronic play toy of years past. Moreover, the HID patents in question are public documents, containing all the information needed to build the RFID cloner, he said.
"This is not something new that we're doing. HID has known about this for about two years, if not longer," Paget said.
Indeed, HID marketing materials for its Smart Card technology notes that "by using diversified unique keys and industry standard encryption techniques, the risk of compromised data or duplicated (smart) cards is reduced," and that "these security measures are not implemented in proximity cards, giving contactless smart cards a significant security advantage."
While it's possible to make secure RFID devices that can store sensitive information, the HID proximity cards that use it are not secure, and customers who use the cards need to know that, Paget said.
"Our intent was to disseminate information so people could make informed decisions about RFID technology they're deploying. For example, whether to deploy a proximity card with a secondary factor like a biometric or PIN [personal ID number]. But we've been prevented by HID from discussing that, and we believe it's detrimental to the security community," he said.
Nicole Ozer, technology & civil liberties policy director at the ACLU of Northern California, said that the work IOActive was doing was vital and that, while the group supports the enforcement of patent law, "free speech must be protected and not "trampled by the overzealous use of patent law."
Government agencies, including the Government Accountability Office and the Department of Homeland Security, have all raised concerns about RFID security, even as they issue guidelines for using RFID in passports and other documents, she said.
"It's particularly important that the government and the public have all the information on RFID technology. The use of RFID without the proper protections could jeopardize privacy, security, and public safety," she said.
For Moss and Black Hat, which is now part of CMP, the decision by IOActive to cancel Paget's talk was a discouraging reprise of the controversy two years ago over Michael Lynn's talk in Las Vegas. Show organizers, once again ripping pages out of conference proceedings at the request of IOActive, and recalling CDs containing copies of Paget's presentation.
"We're supporting IOActive," Moss said, noting that CMP had its legal team working on behalf of IOActive to see if a solution could be reached.
"I'm not sure if it was part of HID's strategy to drop a bomb at the last minute, but it really screwed up our conference strategy," he said.