ARLINGTON, VA – IOActive, a small security consulting company, brought out some big guns to help defend itself against an RFID giant at the Black Hat conference here Wednesday.
Leveraging the American Civil Liberties Union (ACLU) and the U.S. Department of Homeland Security (DHS), IOActive hosted a panel discussion that turned into a pep rally to support the small company’s fight to disclose RFID security flaws that were detailed in a presentation RFID card vendor HID quashed.
IOActive’s director of research and development Chris Paget had originally planned to give a presentation entitled “RFID for Beginners,” containing source code and schematics for building a device that can read RFID cards. The point of the demonstration was to show the security weaknesses of RFID technology, including building access cards made by HID, according to show materials.
Following what IOActive described as threats of legal action from HID regarding patent infringement leading up to the conference, Paget instead gave an edited version of his presentation, eliminating the portions covering security flaws in RFID. The presentation, which ended up being a basic explanation of how RFID works, was followed by a panel discussion with speeches from the ACLU regarding the security and privacy issues surrounding RFID and from DHS’ United States Computer Emergency Readiness Team (US-CERT) about the importance of disclosing security flaws in technology.
IOActive says its intent in preparing the original presentation was simply to illustrate the security weaknesses found in RFID tags that are widely used today for building access, on highways to pay tolls, and even to find lost pets. One of the types of cards that Paget’s cloner can read is made by HID.
“The whole goal of this presentation was to get the information out there about how easy it is to clone these cards,” said Paget.
HID caught wind of IOActive’s plans and asked the small company to specify exactly what it would present. When IOActive refused – believing that RFID security flaws had been well-known for a few years and therefore it didn’t need HID’s permission to give the presentation, according to company executives – HID would not sign a document promising no legal action. Fearing the expense and time of a legal entanglement, IOActive backed off.
While HID did not send any legal letters to Black Hat threatening action if the presentation was made, the show organizer appeared to be on the side of IOActive.
“Black Hat is really all about responsible disclosure,” which means presenters must let a vendor know ahead of time if their talk targets the vendor’s products, said Jeff Moss, founder and director of Black Hat, now owned by CMP. HID, represented by a single executive at the conference, claims IOActive failed to make such a disclosure.
“IOActive made no notification because [RFID security flaws] are a two- to five-year-old problem; there was no disclosure here because it was a known vulnerability,” said Moss.
Apparently IOActive called on the ACLU to lend its voice regarding RFID security flaws during the presentation. Nicole Ozer, technology and civil liberties policy director with the ACLU of Northern California in San Francisco, spoke during Paget’s presentation about the group’s work to limit the use of unsecured RFID technology, specifically in areas where it would compromise public privacy and security, such as drivers’ IDs and passports.