Lawmakers working to ban hacked RFID door cards

01.03.2007
There's already an RFID security brouhaha brewing in Washington, and if some people have their way, it won't be the last legal fight waged in the nation's capital over use of the wireless technology.

The IT security community is buzzing with interest over a legal spat that broke out on Feb. 27, one day ahead of the start of the Black Hat DC 2007 conference.

Officials with Seattle-based IOActive were forced to cancel a planned presentation at the government-themed security trade show in which an expert from the company was to have detailed a technique for hacking data transmitted by HID's popular proximity identification cards used by millions of people nationwide.

Chris Paget, IOActive's director of research and development, had planned to show off an RFID "cloning" device that could be used to steal access codes from HID-brand proximity cards, store them, then use the stolen codes to fool an HID card reader.

According to show organizers, HID quashed the session by threatening to file a patent infringement suit against IOActive over the use of HID's source code in the demonstration.

Despite the Black Hat lecture's cancellation, U.S. lawmakers say the debate over use of similar RFID security technologies in the government space is far from over.

IOActive claims that its initial experiment in hacking the HID system was partially spawned by the firm's physical proximity to government IT assets protected by the devices. The security service provider maintains that its offices are located in a building that uses HID's cards for physical access that also houses "components of the nation's critical infrastructure."

Such concerns have pushed some lawmakers to introduce new bills seeking to limit the use of RFID-based systems in the government sector. Among those backing legislation is California State Senator Joe Simitian, a Democrat who is currently pushing five related bills in his home state.

One of the laws introduced by Simitian (California SB-31), whose 11th Senate District encompasses much of California's Silicon Valley, directly addresses "skimming," the same hacker technique that IOActive was to have demonstrated, through which wireless transmissions from RFID technologies may be captured.

A second bill (California SB-30) calls for a moratorium on the adoption of RFID technology in government-issued IDs, while the others propose similar controls for a range of use cases for the technology, including barring applications for tracking students in the state's school systems.

Simitian submitted the bills after California Gov. Arnold Schwarzenegger vetoed a broader piece of legislation proposing limits on the use of RFID in the government in Oct. 2006. The governor cited his belief that the bill could "unduly burden the numerous beneficial new applications of contact-less technology" as his main reason for shooting it down.

To help illustrate the seriousness of the situation to his colleagues in California's senate and state assembly, Simitian conducted a test in 2006 through which a security expert was hired to visit the state's capitol building in Sacramento and hack an RFID card system used to gain entry to the building's garage. The cards used in that test were made by Motorola.

"We're at the state capitol building in the post-9/11 environment, and we've spent millions to improve security, but in the space of several minutes, someone with a laptop can compromise the badge system," Simitian said in an interview with InfoWorld. "The main problem is that the issues aren't widely understood. That's why we've come back with five bills -- because I want to ensure I get to tell this story in every venue that I can; if we can sit down and explain the issue to people, they get it, but it's a hard, complex technical issue."

Simitian said that HID was involved in negotiating the terms of the bill vetoed by Gov. Schwarzenegger but said that the firm still refused to give the legislation its blessing.

The lawmaker labeled HID's move to stop the IOActive Black Hat briefing as proof of its "embarrassment" over the ease with which its products can be defeated.

As the son of a computer programmer and the recipient of several awards from the IT security industry, including an honor bestowed at the RSA 2007 conference earlier this month, Simitian said he hardly considers himself conservative when it comes to promoting new technologies. He has a hard time understanding why Schwarzenegger and others have blocked laws that require "practical" security measures for the use of RFID.

"I'm a moderate on this issue, which is what frustrates me with the pushback, but those of us who are advocates for technology also know best that it must be used well and wisely," he said. "We have only ourselves to blame if not, and the notion of embedding government documents with RFID with no protections, or to use it in government ID cards, just strikes me as irresponsible."

One of the solutions proposed by HID, whose officials maintain that the company's proximity cards have not been targeted by skimming attacks on a widespread basis, is for concerned customers to upgrade to its more expensive smart card IDs, which use a more advanced form of "active" RFID.

"That's what was so frustrating about the governor's message: He said that placing limits on RFID is premature, but the technology has already been with us for a decade," Simitian said. "Should we wait until it's deployed to millions of Californians and then worry? The time to identify problems is now before things get out of control. I think the public expects that."

And data skimming isn't the only security concern to have been posed regarding RFID systems, which are being used for a wide range of industrial applications beyond providing access to facilities.

In March 2006, Dutch researchers published a research report that contends that RFID chips can be infected with malware and used to spread attacks to the back-end IT systems to which they're connected.

People like Simitian who oppose further adoption of RFID technologies in the government sector often refer to a now-defunct pilot program operated by the Department of Homeland Security (DHS) as further evidence that the tools aren't ready for widespread use.

As part of the U.S. Visitor and Immigration Status Indicator Technology (U.S. VISIT) program, DHS used documents bearing RFID technology between 2005 and 2006 to help track the movement of individuals at several major land border crossings.

In a report issued on Jan. 31, 2007, the U.S. Government Accountability Office (GAO) indicated that the RFID portion of the program had been halted based on concerns about the technologies' usefulness and security ramifications.

Like the HID proximity cards hacked by IOActive and those made by other popular vendors, the RFID technology used in the DHS pilot featured long-range radio frequency technology, which is considered by experts to be the most dangerous based on the ability for the devices' signals to be intercepted from as far as 30 feet away.

Jim Harper, director of information policy studies at the Cato Institute, a public policy think-tank based in Washington, helped author a DHS report that reviewed security and privacy issues related to the use of RFID within the U.S. VISIT program.

The HID-IOActive imbroglio serves as yet another example of how commonly-used RFID technologies aren't ready for application in the government and elsewhere, he said.

"I don't think the government should try to lead the way on RFID; we should let the technologies mature further and iron out the security risks first," Harper said. "Up to this point, the government has been a leading adopter, and all that has done is put U.S. citizens into the role of guinea pig."

On the flip side, RFID proponents maintain that lawmakers must be prudent in drafting any limitations they place on the use of the technology so as to not limit potentially beneficial innovation.

Randy Vanderhoof, executive director of the Smart Card Alliance, a 160-member nonprofit group that promotes the use of RFID in cutting-edge identification systems, said that legislators are correct to demand that security and privacy concerns surrounding use of the tools be addressed, but he observed that some of the bills that have been proposed are far too vague and all-inclusive.

"The intention is right in terms of protecting citizens' privacy, but legislation that seeks to outlaw technologies without further defining their use is the wrong approach," Vanderhoof said. "One of the things that people in the smart card industry have told me in reading this legislative language is that it is really broad and subject to interpretation and that the technical nuances between various forms of RF-enabled technologies are not taken into consideration."

Despite the bad press being given to RFID by incidents such as the HID-IOActive squabble, the expert believes that common sense will win out and U.S. lawmakers will create regulations that allow for use of more secure applications of the technology in the government setting.

"Our interest is to try to get people to become more specific about their language. When they say it's insecure to use long read-range RFID for an access card, they're probably right," said Vanderhoof. "We would like to see legislators putting meat into laws that will make it costly for people to try to exploit weaker forms of these technologies to commit fraud; we think it's smarter to use legislation as a deterrent rather than to restrict the use of technologies, many of which have proven very cost effective and productive."