Black Hat RFID controversy has bloggers up in arms

This week in Security Blog Log: Infosec pros slam HID Corp., the firm that tried to quash a Black Hat presentation on flaws in its RFID technology, calling HID the latest champion of security through obscurity.

Security Blog Log with Bill Brenner
Radio frequency identification (RFID) chip maker HID Corp. caught plenty of flak in the blogosphere this week after pressuring security researcher Chris Paget to nix his presentation of a device that could clone RFID-enabled proximity badges.

Paget, director of research and development at Seattle-based IOActive Inc., did deliver a modified version of his talk Wednesday at the Black Hat DC conference, though he left out details specific to HID's products.

He spoke mainly about the science behind RFID tags and readers, and their inherent security problems. He also showed several slides with excerpts from a letter that HID sent him, effectively refuting claims by the company that it did not try to prevent him from speaking.

Irvine, Calif.-based HID sent Paget a letter stating that cloning HID's technology would constitute patent infringement. The letter also said that if Paget refused to withdraw the talk, "we will have no recourse but to pursue all available remedies against you and IOActive." Paget confirmed that the original presentation would have opened up IOActive to litigation on the grounds that some of the device technology is patented.

The whole affair reminded security bloggers of the furor that overshadowed Black Hat USA 2005 in Las Vegas, when Cisco Systems Inc. demanded that an Internet Security Systems (ISS) researcher cancel his presentation on flaws in the networking giant's IOS software and that the slides be pulled from the conference proceedings. ISS caved to the pressure and leaned on the researcher, Michael Lynn, to scrap his talk. Lynn promptly quit ISS and delivered his presentation anyway.

In the Emergent Chaos blog, a CISO who posts under the name Arthur wrote that HID learned nothing from Cisco's experience two years ago, and that sooner or later more vendors will have to learn how to better manage vulnerability disclosure.

He said Black Hat founder Jeff Moss hit the nail on the head when he lamented to one publication that security researchers now need a team of lawyers whenever they want to bring a problem to light.

"As a result of the litigation threat, Chris Paget/IOActive are pulling the talk and it will be replaced by a presentation from the ACLU about privacy risks of RFID," he wrote. "Hopefully they will also cover the chilling effects of legal threats like this on the entire security industry."

IT pro Todd Towles agreed in his Thoughts of a Technocrat blog.

"So HID Global wants us to believe that IOActive's talk is just 'smoke & mirrors' and isn't even likely feasible, however ... they force them to change their talk and use the rumor of legal threats," Towles wrote. "Does anyone see the disconnect here? I know I do."

He added, "HID Global wants us to 'ignore the man behind the curtain' and you know what? I am not going to do that."

The controversy shows vendors continue to live under the illusion that there's such a thing as security through obscurity, according to the /usr/local.com blog.

"Just because you don't know about it, doesn't mean that it is secure," the blog said. "Can we call a spade a spade here? RFID is *NOT* secure. It's been shown that you can grab the information AND replicate it."

Vendors like HID have also failed to recognize that trying to put a lid on information about new security holes never works, systems architect Dan Sullivan wrote in his Messaging and Web Security blog.

"As Ronald Reagan would say, here they go again," he wrote. "So are we to assume that no one else will figure out how to clone RFID devices? Is quelling one presentation going to protect intellectual property that can be compromised with $20 worth of equipment? The real issue is the strengths and weaknesses of RFID technologies."

He said the infosec community should debate how best to use RFID devices and understand their limits, including how they can be compromised.

"We all know that no technology is perfect, but sticking our heads in the sand and pretending that discussing the details of that fact will compromise security or intellectual property is a mistake," Sullivan added. "Frankly, how much is this intellectual property worth if it can be compromised so easily?"

If anything, HID's legal threats had the opposite effect of what the vendor intended, CISSP Martin McKeay wrote in his blog.

"They think that suing Chris will put the cat back in the bag and hide the security holes he's found," he wrote. "Instead they've taken what would have been an interesting but quickly forgotten talk and made it newsworthy."

Now, he said, more people will know about cloning RFID tags and problems with HID technology than they would have had the vendor backed off and let the presentation proceed.

"Good move folks," McKeay said.