Shostack + Friends Blog Archive


HIDing At Blackhat

Now HID is claiming that they did not demand that Chris or IOActive cancel their talk. As a result the talk is now back on, but with the details about the device and the demo expurgated. As Chris has repeatedly said, this attack is completely generic and works against any passive RFID tag.
Additionally, Nicole Ozer, Technology & Civil Liberties Policy Director for the ACLU, is also scheduled to speak after Chris to cover the privacy issues around RFID.
[Update 1: Chris: “If you even think about doing this sort of thing, have a patent lawyer”]
[Update 2: HID seems confused about what constitutes a demand. From Chris’s presentation and the original letter from HID:

We understand … that you intend to publicly present and publish additional information about your spoofer at the Black Hat convention … We believe such presentation will subject you to further liability …


…hereby demand that you refrain from publishing any information at any public forum including the upcoming Black Hat convention…

Furthermore, HID hints heavily at burying IOActive in lawsuits by saying:

…we will have no recourse but to pursue all available remedies against you and IOActive


impossible for HID to provide a covenant not to sue

As a result of this letter, Chris stated that he and IOActive felt that they could not risk being put out of business by the costs of a lawsuit brought on by covering the HID-specific portions of the talk.
[Update 3: Quotes above are from Chris’s slides.]
[Update 4: Full text of the letter from HID has been posted by the ACLU. Also Nicole Ozer has posted her own take on the issues discussed today at Blackhat.]
[Update 5: Jennifer Granick weighs in with some scary thoughts:

HID Global reportedly pointed to two of its patents for card readers — No. 5,041,826 and No. 5,166,676. The important parts of a patent are the claims. To infringe a patent, one must make, use, sell or offer for sale an invention described by the patent’s claims without the patent owner’s authorization.
Paget doesn’t sell his reader, which you can see him demonstrate here. But he did make it. So if it operates identically to the card readers described in HID’s patents, then the company’s legal threat actually makes some theoretical sense. That should scare everyone reading this.

[Update 6: Clone your verichip. This technique should work on similar RFID chips….]

2 comments on "HIDing At Blackhat"

  • ChrisW says:

    On the verichip cloning — Adam blogged about this here at (pre-combo) EC, using the incendiary title RFID Kills. I commented with a link to Westhues. I only know this because I googled “prox card clone” and got to the old post! (was trying to find other schematics)
    It’s an interesting difference in approaches, perhaps because the subcutaneous stuff is more controversial, so they prefer a lower profile?

  • Alexandre Carmel-Veilleux says:

    Back in 2005 at REcon in Montreal, Jonathan Westhues presented on his RFID attack/cloning in a bit more detail than the link from Update 6 above.
