ARLINGTON, Va. -- A security researcher who planned to demonstrate
a device that could clone radio frequency identification (RFID)
enabled proximity badges, has pulled his presentation from the
Black Hat DC Training conference schedule under pressure from the
chip maker.
 | | | | | There is widespread use of the
technology in ways that it is not designed for.
Chris Paget,
director of research and
developmentIOActive |
| | | | | |
| |
|
The device clones RFID-enabled access badges used by many
companies and government agencies to gain access to offices. Made
with just $20 worth of technology that could be purchased online,
an attacker only has to be in close proximity of a person holding
an access badge to succeed in developing a clone, said Chris Paget,
director of research and development at Seattle-based IOActive.
The device irked Irvine, Calif.-based HID Corp., the makers of
the RFID proximity badges. The firm sent a letter to Paget citing
intellectual property concerns. Paget said that the presentation
would open up IOActive to litigation on the grounds that some of
the device technology is patented.
"The device is a teaching tool," Paget said in an interview with
SearchSecurity.com. "The whole point was to educate people to make
better risk decisions when deploying RFID."
Paget said the device is an example to make companies reevaluate
their physical access policies for employees. Companies using HID
RFID-enabled proximity badges should combine access control with a
pinpad or contactless smart card technology.
"There is widespread use of the technology in ways that it was
not designed for," Paget said. "It was not designed for both
authentication and authorization."
Paget said he hoped to discuss how RFID technology could be
compromised in a variety of devices. The presentation was replaced
with a session called "Rights 'Chipped' Away: RFID and
Identification Documents," given by Nicole A. Ozer, director of
civil liberties and technology policy for the American Civil
Liberties Union of Northern California.
HID could not be reached for comment Wednesday morning. RFID
cloning is not new. HID has known about the problem for years and
talks about the advantages of its contactless iCLASS smart card
over proximity cards in a
white
paper on the issue.
A group of researchers discussed whether legislation is needed
to force vendors to boost
security and privacy in their products earlier this month at
RFID Conference 2007. Adoption of radio frequency identification
(RFID) technology could stall if lawmakers overreact to security
and privacy concerns by legislating the technology.
@32861 While legislation could protect consumers and companies
that deploy the technology, education is needed to understand the
security and privacy implications. To address privacy and security
concerns, researchers are developing a blocker tag that would spam
an unauthorized tag reader.
Researchers are developing ways to calibrate power in RFID chips
to enable a kill switch for the tiny tags and are also working on a
way to shoehorn layers of security functionality onto a standard
EPC tag.