Shostack + Friends Blog Archive


Blackhat Do It Again

Looks like HID hasn’t learned anything from Cisco’s experience two years ago. One of these years more vendors will learn how to manage vulnerability disclosure and follow the lead of companies like Microsoft and Cisco rather than sticking their foot in it.
Chris Paget, a well-respected researcher, is going to present at Blackhat Federal tomorrow on how to build your own proximity card cloner. Infoworld broke the story yesterday. Some choice bits:

Asked why HID hasn’t addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause “major upheaval” among customers.
Inertia is a more likely cause, said Dan Kaminsky, director of penetration testing at IOActive.
“They didn’t want to change to a more secure implementation because of backwards compatibility issues, and they had a lot of sites that use these cards, and HID has stuff to sell them,” Kaminsky said.

Dan, as always, can be counted on to say something both interesting and provocative:

“The technology is very convenient, but don’t interpret the convenience as security,” Kaminsky said. “At the end of the day, many companies are essentially using barcode technology to control access to their facilities. I’d posit that perhaps there are more secure technologies out there.”

Jeff Moss, however, nails the real issue.

It’s just so frustrating from a security standpoint. Now anytime someone wants to talk about anything, they need a team of lawyers. Even when it’s about commonly understood problems.

[Update: HID is claiming that the talk infringes on their patents. As a result of the litigation threat, Chris Paget/IOActive are pulling the talk and it will be replaced by a presentation from the ACLU about privacy risks of RFID. Hopefully they will also cover the chilling effects of legal threats like this on the entire security industry as well.]
[Update 2: Rob Lemos has much more detail.]

8 comments on "Blackhat Do It Again"

  • How can a talk infringe on a patent?

  • Arthur says:

    I suspect it was the device he built that was in question. I suspect we’ll learn more once the journalists start running their stuff from the press conference.

  • beri says:

    What a great idea! If anyone questions anything, threaten a lawsuit. That will keep anyone from making annoying comments about security and privacy. Pretty soon, the lawyers will announce that problems like the ones at TJX cannot be discussed in public, because it will upset the stockholders. Capitalism triumphs again. There are no problems because we’re not talking about them.

  • Chris says:

    The natural question is whether the same legal tactics would work if the presenters were representatives of Universities, such as (say) Cambridge, MIT, Johns Hopkins, and Princeton?

  • David Molnar says:

    Chris: Similar tactics have worked on university researchers in the past. Recall that Ed Felten and company withdrew their paper on breaking SDMI watermarking from an academic conference in 2001. They later published the paper at Usenix Security, but only after complicated legal wrangling. There the issue wasn’t patent infringement, but that’s just a detail. The main issue is threatening litigation as a method to silence discussion of security issues.

  • wrc says:

    The ability to clone proximity badges is not new. I wonder why they choose now to complain?

  • HID’s patents can be infringed if IOActive distributes code that exploits their patent. Maybe, but probably not, they can be infringed if IOActive produces and uses that code themselves — there’s a research exemption for patent infringement. But HID’s patents cannot be infringed by talking about their technology. Why did the talk get pulled?

  • David Molnar says:

    Thomas: IOActive had built a hand-held device capable of cloning HID cards. Building this device appears to be what may or may not infringe the patents. While there may be a research exemption in the law, the cost of litigating that question is a major deterrent.
    You can view the letter HID sent to IOActive here
