Paget, director of research and development at Seattle-based IOActive Inc., did deliver a modified version of his talk Wednesday at the Black Hat DC conference, though he left out details specific to HID's products.
He spoke mainly about the science behind RFID tags and readers, and their inherent security problems. He also showed several slides with excerpts from a letter that HID sent him, effectively refuting claims by the company that it did not try to prevent him from speaking.
The whole affair reminded security bloggers of the furor that overshadowed Black Hat USA 2005 in Las Vegas, when Cisco Systems Inc. demanded that an Internet Security Systems (ISS) researcher cancel his presentation on flaws in the networking giant's IOS software and that the slides be pulled from the conference proceedings. ISS caved to the pressure and leaned on the researcher, Michael Lynn, to scrap his talk. Lynn promptly quit ISS and delivered his presentation anyway.
In the Emergent Chaos blog, a CISO who posts under the name Arthur wrote that HID learned nothing from Cisco's experience two years ago, and that sooner or later more vendors will have to learn how to better manage vulnerability disclosure.
"As a result of the litigation threat, Chris Paget/IOActive are pulling the talk and it will be replaced by a presentation from the ACLU about privacy risks of RFID," he wrote. "Hopefully they will also cover the chilling effects of legal threats like this on the entire security industry."
IT pro Todd Towles agreed in his Thoughts of a Technocrat blog.
"So HID Global wants us to believe that IOActive's talk is just 'smoke & mirrors' and isn't even likely feasible, however ... they force them to change their talk and use the rumor of legal threats," Towles wrote. "Does anyone see the disconnect here? I know I do."
He added, "HID Global wants us to 'ignore the man behind the curtain' and you know what? I am not going to do that."
The controversy shows vendors continue to live under the illusion that there's such a thing as security through obscurity, according to the /usr/local.com blog.
"Just because you don't know about it, doesn't mean that it is secure," the blog said. "Can we call a spade a spade here? RFID is *NOT* secure. It's been shown that you can grab the information AND replicate it."
Vendors like HID have also failed to recognize that trying to put a lid on information about new security holes never works, systems architect Dan Sullivan wrote in his Messaging and Web Security blog.
"As Ronald Reagan would say, here they go again," he wrote. "So are we to assume that no one else will figure out how to clone RFID devices? Is quelling one presentation going to protect intellectual property that can be compromised with $20 worth of equipment? The real issue is the strengths and weaknesses of RFID technologies."
He said the infosec community should debate how best to use RFID devices and understand their limits, including how they can be compromised.
"We all know that no technology is perfect, but sticking our heads in the sand and pretending that discussing the details of that fact will compromise security or intellectual property is a mistake," Sullivan added. "Frankly, how much is this intellectual property worth if it can be compromised so easily?"
If anything, HID's legal threats had the opposite effect of what the vendor intended, CISSP Martin McKeay wrote in his blog.
"They think that suing Chris will put the cat back in the bag and hide the security holes he's found," he wrote. "Instead they've taken what would have been an interesting but quickly forgotten talk and made it newsworthy."
Now, he said, more people will know about cloning RFID tags and problems with HID technology than they would have had the vendor backed off and let the presentation proceed.
"Good move folks," McKeay said.
This was first published in March 2007