Black Hat RFID controversy has bloggers up in arms

By Bill Brenner
02 Mar 2007 | SearchSecurity.com


Security Blog Log with Bill Brenner
Radio frequency identification (RFID) chip maker HID Corp. caught plenty of flak in the blogosphere this week after pressuring security researcher Chris Paget to nix his presentation of a device that could clone RFID-enabled proximity badges.

Paget, director of research and development at Seattle-based IOActive Inc., did deliver a modified version of his talk Wednesday at the Black Hat DC conference, though he left out details specific to HID's products.

He spoke mainly about the science behind RFID tags and readers, and their inherent security problems. He also showed several slides with excerpts from a letter that HID sent him, effectively refuting claims by the company that it did not try to prevent him from speaking.

Irvine, Calif.-based HID sent Paget a letter stating that the cloning of HID's technology would constitute patent infringement. The letter also said that if Paget refused, "we will have no recourse but to pursue all available remedies against you and IOActive." Paget confirmed that the original presentation would have opened up IOActive to litigation on the grounds that some of the device technology is patented.

The whole affair reminded security bloggers of the furor that overshadowed Black Hat USA 2005 in Las Vegas, when Cisco Systems Inc. demanded that an Internet Security Systems (ISS) researcher cancel his presentation on flaws in the networking giant's IOS software and that the slides be pulled from the conference proceedings. ISS caved to the pressure and leaned on the researcher, Michael Lynn, to scrap his talk. Lynn promptly quit ISS and delivered his presentation anyway.

In the Emergent Chaos blog, a CISO who posts under the name Arthur wrote that HID learned nothing from Cisco's experience two years ago, and that sooner or later more vendors will have to learn how to better manage vulnerability disclosure.

He said Black Hat founder Jeff Moss hit the nail on the head when he lamented to one publication that security researchers now need a team of lawyers whenever they want to bring a problem to light.

"As a result of the litigation threat, Chris Paget/IOActive are pulling the talk and it will be replaced by a presentation from the ACLU about privacy risks of RFID," he wrote. "Hopefully they will also cover the chilling effects of legal threats like this on the entire security industry."

IT pro Todd Towles agreed in his Thoughts of a Technocrat blog.

"So HID Global wants us to believe that the IOActive's talk is just 'smoke & mirrors' and isn't even likely feasible, however ... they force them to change their talk and use the rumor of legal threats," Towles wrote. "Does anyone see the disconnect here? I know I do."

He added, "HID Global wants us to 'ignore the man behind the curtain' and you know what? I am not going to do that."

The controversy shows vendors continue to live under the illusion that there's such a thing as security through obscurity, according to the /usr/local.com blog.

"Just because you don't know about it, doesn't mean that it is secure," the blog said. "Can we call a spade a spade here? RFID is *NOT* secure. It's been shown that you can grab the information AND replicate it."

Vendors like HID have also failed to recognize that trying to put a lid on information about new security holes never works, systems architect Dan Sullivan wrote in his Messaging and Web Security blog.

"As Ronald Reagan would say, here they go again," he wrote. "So are we to assume that no one else will figure out how to clone RFID devices? Is quelling one presentation going to protect intellectual property that can be compromised with $20 worth of equipment? The real issue is the strengths and weaknesses of RFID technologies."

He said the infosec community should debate how best to use RFID devices and understand their limits, including how they can be compromised.

"We all know that no technology is perfect, but sticking our heads in the sand and pretending that discussing the details of that fact will compromise security or intellectual property is a mistake," Sullivan added. "Frankly, how much is this intellectual property worth if it can be compromised so easily?"

If anything, HID's legal threats had the opposite effect of what the vendor intended, CISSP Martin McKeay wrote in his blog.

"They think that suing Chris will put the cat back in the bag and hide the security holes he's found," he wrote. "Instead they've taken what would have been an interesting but quickly forgotten talk and made it newsworthy."

Now, he said, more people will know about cloning RFID tags and problems with HID technology than they would have had the vendor backed off and let the presentation proceed.

"Good move folks," McKeay said.
