Despite HID's legal threats, Chris Paget, director of research and development at Seattle-based IOActive spoke mainly about the science behind RFID tags and readers and the inherent security problems the architecture includes. He also showed several slides with excerpts from the letter that HID sent him, refuting claims by the company that it did not try to prevent him from speaking.
The device clones RFID-enabled access badges used by many companies and government agencies to gain access to offices. Made with just $20 worth of technology that could be purchased online, an attacker only has to be in close proximity of a person holding an access badge to succeed in developing a clone, Paget said.
Irvine, Calif.-based HID sent a letter to Paget citing intellectual property concerns. Paget said that the presentation would open up IOActive to litigation on the grounds that some of the device technology is patented.
In part, the letter read, "[HID] hereby demand that you refrain from publishing any info at any public forum including the upcoming Black Hat convention," relating to HID's patented technologies. The letter also said that if Paget refused, "we will have no recourse but to pursue all avail remedies against you and IOActive."
Paget said he and IOActive decided not to discuss anything specific to HID's products because "the defense costs alone would put us out of business. HID have certainly put us in a position in which we are unable to present regardless of other circumstances."
In a press conference following the presentation, Mike Davis, director of intellectual property at HID disputed Paget's claims, even after seeing the excerpts of the letter, and said that the company only sought to prevent him from publishing schematics and the full source code of HID's proximity cards. Davis said it is disingenuous and not proper to teach someone how to compromise the security of a product.
"I believe it's disingenuous to say that HID wasn't targeted," he said. "It was really about the issue of full disclosure. We believe that using full source code and schematics would be an inducement of an attack. ... In the end it was really a non issue."
Davis said companies continue to buy RFID proximity cards after weighing the risks or combining the cards with other authentication technologies such as pin-pad access or smart card technology. He also demonstrated a plastic protective cover that could easily protect a proximity card from the cloning vulnerability.
"There's a whole bunch of solutions and at the end of the day this is sometimes what the customer wants," Davis said.
The second half of the session consisted of a panel comprising Paget, an attorney from the American Civil Liberties Union, a representative from US-CERT, Joe Grand, a well-known hardware hacker, and Dan Kaminsky, a noted security researcher. All criticized HID for its actions and said that the incident was representative of a larger problem in the industry.
"The technology is different, but a lot of the problems are the same. I'm a designer and I break things. It's just really frustrating to see this, because I see both sides," said Grand, a former member of the L0pht and now president of Grand Idea Studios in San Diego.
Nicole Ozer, technology and civil liberties policy director for the American Civil Liberties Union of Northern California, said that HID's actions and those of other vendors who seek to limit the availability of information on the security of various systems, should be a major concern for security researchers as well as individuals.
"This leaves all of us unsafe because the government and the industry don't have the information we need to make this secure," she said.
Paul Proctor, vice president in the security and risk practice at research firm, Gartner Inc. said the issues raised by the presentation should concern customers who use RFID proximity cards for access to sensitive areas. The spat between HID and IOActive raises the issue of full disclosure, he said. Customers want to know when vulnerabilities exist so they can fix the technology or put proper security protections in place.
"The problem is organizations are buying the wrong technology," Proctor said. "Facility managers are making purchase decisions and in many cases IT is not involved therefore these vulnerabilities and issues never raise to the surface."
News Editor Robert Westervelt contributed to this report.