Black Hat presenter nixes RFID cloning demo under pressure

There is widespread use of the technology in ways that it is not designed for. Chris Paget, director of research and developmentIOActive

The device clones RFID-enabled access badges used by many companies and government agencies to gain access to offices. Made with just $20 worth of technology that could be purchased online, an attacker only has to be in close proximity of a person holding an access badge to succeed in developing a clone, said Chris Paget, director of research and development at Seattle-based IOActive.

The device irked Irvine, Calif.-based HID Corp., the makers of the RFID proximity badges. The firm sent a letter to Paget citing intellectual property concerns. Paget said that the presentation would open up IOActive to litigation on the grounds that some of the device technology is patented.

"The device is a teaching tool," Paget said in an interview with SearchSecurity.com. "The whole point was to educate people to make better risk decisions when deploying RFID."

Paget said the device is an example to make companies reevaluate their physical access policies for employees. Companies using HID RFID-enabled proximity badges should combine access control with a pinpad or contactless smart card technology.

RFID security: Panel says privacy legislation too premature for RFID: A group of public policy and technology experts at the RSA Conference 2007 said legislation could make radio frequency identification technology too costly for enterprises and hamper its innovation.

"There is widespread use of the technology in ways that it was not designed for," Paget said. "It was not designed for both authentication and authorization."

Paget said he hoped to discuss how RFID technology could be compromised in a variety of devices. The presentation was replaced with a session called "Rights 'Chipped' Away: RFID and Identification Documents," given by Nicole A. Ozer, director of civil liberties and technology policy for the American Civil Liberties Union of Northern California.

HID could not be reached for comment Wednesday morning. RFID cloning is not new. HID has known about the problem for years and talks about the advantages of its contactless iCLASS smart card over proximity cards in a white paper on the issue.

A group of researchers discussed whether legislation is needed to force vendors to boost security and privacy in their products earlier this month at RFID Conference 2007. Adoption of radio frequency identification (RFID) technology could stall if lawmakers overreact to security and privacy concerns by legislating the technology.

@32861 While legislation could protect consumers and companies that deploy the technology, education is needed to understand the security and privacy implications. To address privacy and security concerns, researchers are developing a blocker tag that would spam an unauthorized tag reader.

Researchers are developing ways to calibrate power in RFID chips to enable a kill switch for the tiny tags and are also working on a way to shoehorn layers of security functionality onto a standard EPC tag.