Black Hat presenter nixes RFID cloning demo under pressure

By Robert Westervelt, News Editor 28 Feb 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

There is widespread use of the technology in ways that it is not designed for. Chris Paget, director of research and development, IOActive

The device clones RFID-enabled access badges used by many companies and government agencies to gain access to offices. Made with just $20 worth of technology that could be purchased online, an attacker only has to be in close proximity of a person holding an access badge to succeed in developing a clone, said Chris Paget, director of research and development at Seattle-based IOActive.

The device irked Irvine, Calif.-based HID Corp., the makers of the RFID proximity badges. The firm sent a letter to Paget citing intellectual property concerns. Paget said that the presentation would open up IOActive to litigation on the grounds that some of the device technology is patented.

"The device is a teaching tool," Paget said in an interview with SearchSecurity.com. "The whole point was to educate people to make better risk decisions when deploying RFID."

Paget said the device is an example to make companies reevaluate their physical access policies for employees. Companies using HID RFID-enabled proximity badges should combine access control with a pinpad or contactless smart card technology.

RFID security: Panel says privacy legislation too premature for RFID: A group of public policy and technology experts at the RSA Conference 2007 said legislation could make radio frequency identification technology too costly for enterprises and hamper its innovation.

"There is widespread use of the technology in ways that it was not designed for," Paget said. "It was not designed for both authentication and authorization."

Paget said he hoped to discuss how RFID technology could be compromised in a variety of devices. The presentation was replaced with a session called "Rights 'Chipped' Away: RFID and Identification Documents," given by Nicole A. Ozer, director of civil liberties and technology policy for the American Civil Liberties Union of Northern California.

HID could not be reached for comment Wednesday morning. RFID cloning is not new. HID has known about the problem for years and talks about the advantages of its contactless iCLASS smart card over proximity cards in a white paper on the issue.

A group of researchers discussed whether legislation is needed to force vendors to boost security and privacy in their products earlier this month at RFID Conference 2007. Adoption of radio frequency identification (RFID) technology could stall if lawmakers overreact to security and privacy concerns by legislating the technology.

Text of HID letter to Paget Click here to read the letter HID Corp. sent to Chris Paget, director of research and development at Seattle-based IOActive.

While legislation could protect consumers and companies that deploy the technology, education is needed to understand the security and privacy implications. To address privacy and security concerns, researchers are developing a blocker tag that would spam an unauthorized tag reader.

Researchers are developing ways to calibrate power in RFID chips to enable a kill switch for the tiny tags and are also working on a way to shoehorn layers of security functionality onto a standard EPC tag.

Tags: Emerging Information Security Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Emerging Information Security Threats Best practices for (small) botnets Cybersecurity grant to fund research into critical infrastructure threats RSA security conference 2010: news, interviews and updates Hackers to sharpen malware, malicious software in 2010 Modern malware, stealthy botnets, adapt quickly, expert says New ransomware Trojan pushes victims to buy software Bruce Schneier on outsourcing, awareness training Marcus Ranum on cyberwarfare, infosec careers US-CERT warns of BlackBerry snooping software Researchers find thousands of flawed embedded devices

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DNS rebinding attack  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) man in the browser  (SearchSecurity.com) phlashing  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) pulsing zombie  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary