Representatives from IOActive, Black Hat, the ACLU, and the U.S. Department of Homeland Security laid bare the vulnerabilities inherent in the popular proximity cards and debated with a HID representative at a panel discussion about RFID vulnerabilities that was part of the Black Hat Federal security conference. While the discussion did little to resolve the disagreements over the cancellation of a planned RFID hacking session, the publicity around the incident may prompt greater scrutiny of RFID security in the public and private spheres, panel members agreed.
The panel discussion at Black Hat followed security by Chris Paget, director of research and development at IOActive.
IOActive said on Tuesday that it was under threat of legal action from HID, which claimed that Paget's discussion of methods for creating an RFID cloning device would violate two HID patents on RFID technology.
After discussing RFID technology at a high level and possible security concerns arising from RFID, Paget informed the audience that he couldn't discuss those vulnerabilities further. Instead, he presented a number of slides that excerpted a letter from HID's attorneys and that seemed to suggest that HID had demanded IOActive not present any information at Black Hat. The slides ran contrary to an HID statement late Tuesday that said the company never demanded that Paget cancel his talk.
"HID Global did not threaten IOActive or Chris Paget, its Director of Research and Development, to stop its presentation at the Black Hat event being held in Washington, DC on Wednesday, February 28, 2007. HID Global, acting in the best interests of its customers worldwide, simply informed IOActive and its management of the patents that currently protect HID Global intellectual property," the e-mail statement read.
Mike Davis, director of intellectual property at HID, defended that position and the company's efforts to suppress the presentation of schematics and source code concerning its RFID proximity cards. In sometimes testy exchanges with Paget and Dan Kaminsky of IOActive and in comments to InfoWorld after the panel, Davis said that his company was "ambushed" by IOActive and never threatened to sue Paget or IOActive.
"We never intended to sue IOActive," Davis said, noting that the company only became aware of the issue on the 14th after Paget contacted them in an e-mail but took a week to formulate a response.
Differences between the free-wheeling IT security community and a more closed physical security industry may be partially to blame, according to Joe Grand, a security researcher at Grand Idea Studio.
"Hardware companies are generally not involved in the security process, so they don't know anything about disclosure. So their response is, 'Let's throw down the hammer,'" he said.
While the specifics of the dispute between HID and IOActive are shrouded by legal maneuvers, there was general agreement that insecure RFID deployments are a big problem that needs to be addressed soon.
"RFID is not a new technology. It's been around for decades, but its going mainstream," Grand said.
In a wide-ranging panel discussion that followed Paget, Nicole Ozer, an attorney with the ACLU; Black Hat director Jeff Moss; Mike Witt, a Deputy Director of U.S. CERT (Computer Emergency Readiness Team), and security researchers Kaminsky and Grand said the right of independent security researchers to investigate problems like the vulnerabilities in RFID proximity cards was critical to protect.
Witt of DHS said that U.S. CERT said that DHS often serves as an intermediary between researchers and companies, especially when there is a concern about legal dangers in outing security holes. The agency generally gives companies 45 days to respond to reports of serious security holes in their products, he said.
U.S. CERT is now working with both IOActive and HID to investigate the issue and may issue a vulnerability notice concerning the security flaws in HID proximity cards, said Mike Witt, a deputy director of U.S. CERT. Witt said that use of HID proximity cards was widespread in the government, but he didn't say whether DHS used the vulnerable RFID proximity cards.
Ozer of the ACLU said that HID's efforts to suppress discussion of flaws in its RFID proximity cards may have the opposite effect: stirring discussion about the vulnerable cards, which are often used to access buildings, data centers, and other sensitive facilities.
With RFID technology working its way into passports and drivers licenses, U.S. citizens need to be sure that the documents they are required to carry are not vulnerable to cloning or data theft, Ozer said.