RFID dispute: Vendors still hostile toward full disclosure
Many vendors still believe that security by obscurity is the best policy and make it a priority to silence vulnerability researchers.
Behind The Firewall: ARLINGTON, Va. -- The completely bizarre yet sadly familiar series of events that led to a security researcher canceling and then later delivering a modified version of a talk on RFID security at the Black Hat DC conference Tuesday provided clear evidence that many vendors are still entirely clueless about security and their responsibility to customers.
The controversy erupted earlier this week when it came to light that HID Global Corp., a maker of proximity cards, sent a letter to Chris Paget demanding that he not deliver a talk at the conference in which he planned to discuss well-known security problems with the RFID implementations in such cards. The company claimed that a portion of the talk infringed on HID's patents and threatened to sue Paget and his employer, IOActive, if he proceeded.
"[We] hereby demand that you refrain from publishing any information at any public forum including the upcoming Black Hat convention," the letter reads in part.
As a result, Paget excised the HID-specific portions from his talk and instead discussed RFID in general and the inherent security problems with it. The session later morphed into a panel discussion, which included an ACLU attorney, two well-known security researchers and a representative from US-CERT.
This is all eerily reminiscent of the goings on at the Black Hat USA conference in Las Vegas in 2005. In an incident that has now become part of the lore of the security industry, Cisco Systems demanded that a presentation by a researcher at Internet Security Systems on flaws in Cisco's IOS software be canceled and the slides removed from the conference proceedings. ISS caved and the researcher, Mike Lynn, quit ISS on the spot and delivered his talk anyway.
This mentality pervades the vendor community and it has created a situation in which researchers are afraid to publish vulnerability details without the express written consent of the vendor, and then only after a patch has been published, regardless of how long that process takes. This, in turn, puts customers in a position of unknowingly using insecure products. Sure, it's a safe bet to assume that just about every software or hardware product you're using is insecure on some level. But vendors shouldn't be in the business of using the court system to prevent their customers from learning the specifics of those vulnerabilities.
Nicole Ozer, an attorney with the American Civil Liberties Union of Northern California, put it even more bluntly. "This leaves all of us unsafe because the government and the industry don't have the information we need to make this secure," she said. "If we didn't have the important information from security researchers on [vulnerabilities] in the Dutch e-passport and the VeriChip, we wouldn't have the evidence that these problems exist."
For further evidence of the problem, consider this absurdity: Because of the threats of legal action from HID, IOActive has decided not to share the details of its presentation with US-CERT, the arm of the Department of Homeland Security responsible for gathering, analyzing and publishing vulnerability data. And US-CERT is in the business of working with vendors to develop patches and timely schedules for publishing vulnerability details and fixes. Insane, isn't it?
None of this is new, of course. These threats and lawsuits have been part of the vulnerability disclosure process from time immemorial. "The technology is different, but a lot of the problems are the same. I'm a designer and I break things. It's just really frustrating to see this, because I see both sides," said Joe Grand, a former member of the L0pht who now runs a device design firm in San Diego. And, given the level of acrimony on display at Black Hat between an HID representative and Paget and his IOActive colleagues, it's difficult to see how this particular case and others like it will be resolved.