Black Hat dispute stirs RFID security awareness

The widely reported dispute between security firm IOActive and secure card maker HID has raised awareness about the risks associated with RFID proximity cards and may prompt DHS warnings to government agencies about use of the technology.

Representatives from IOActive, Black Hat, the ACLU, and the U.S. Department of Homeland Security laid bare the vulnerabilities inherent in the popular proximity cards and debated with a HID representative at a panel discussion about RFID vulnerabilities that was part of the Black Hat Federal security conference. While the discussion did little to resolve the disagreements over the cancellation of a planned RFID hacking session, the publicity around the incident may prompt greater scrutiny of RFID security in the public and private spheres, panel members agreed.

The panel discussion at Black Hat followed a presentation by Chris Paget, director of research and development at IOActive.

IOActive said on Tuesday that it was under threat of legal action from HID, which claimed that Paget's discussion of methods for creating an RFID cloning device would violate two HID patents on RFID technology.

After discussing RFID technology at a high level and possible security concerns arising from RFID, Paget informed the audience that he couldn't discuss those vulnerabilities further. Instead, he presented a number of slides that excerpted a letter from HID's attorneys and that seemed to suggest that HID had demanded IOActive not present any information at Black Hat. The slides ran contrary to an HID statement late Tuesday that said the company never demanded that Paget cancel his talk.

"HID Global did not threaten IOActive or Chris Paget, its Director of Research and Development, to stop its presentation at the Black Hat event being held in Washington, DC on Wednesday, February 28, 2007. HID Global, acting in the best interests of its customers worldwide, simply informed IOActive and its management of the patents that currently protect HID Global intellectual property," the e-mail statement read.