Tuesday, February 27, 2007

Legal Threats Kill RFID Talk at BH Federal

Via SecurityFocus & ZD Net Blog -

A security researcher scheduled to present information on issues with radio-frequency identification (RFID) technology at the Black Hat Federal conference this week was silenced by security technology giant HID Global, which claimed the presentation would violate its intellectual property.

The presentation would have described the technical foundations of RFID technology and demonstrate the security problems with contactless RFID, showing off a device capable of cloning HID cards, said the would-be presenter, Chris Paget, director of research and development for security firm IOActive. The device is similar to other RFID cloners and was built using $20 in parts bought on Ebay, Paget said.

"In terms of the electronics, it is not any more complicated than a Furby," Paget said. "This isn't something new we are doing. HID has known about this for at least two years."

...

"There is critical national infrastructure being protected by these things (RFID chips)," IOActive's Paget said. "There is a lot of misunderstanding in the industry regarding the security of these things. Our intent was to disseminate information so that people can make a knowledgeable decision about deploying RFID."

Whether the letter sent to IOActive and the subsequent discussions, which halted at 5 a.m. Tuesday with no agreement between the companies, constituted a legal threat appears to be a matter of debate. HID Global did not ask IOActive to refrain from giving the presentation, but asked that any schematics and source code belonging to the company not be distributed, Kathleen Carroll, HID's director of government relations, told SecurityFocus.

"We did not threaten IOActive with a lawsuit, if they went forward with the presentation," Carroll said. "We were in talks with them throughout the night to try and resolve this with them. We merely wanted them to modify the presentation."

...

Carroll, who spoke with SecurityFocus from a conference in Washington D.C. on deploying such technology for identification cards, said that IOActive's attack amounted to a theoretical threat, not a real-world risk. Two weeks ago, IOActive demonstrated that it could clone RFID cards at the RSA Security Conference in San Francisco. However, Carroll maintained that in the real world, the attack would not be subtle or, likely, feasible.

"You don't see (Paget) walking by somebody," Carroll said. "Someone handed him the card. It has to get within 2 to 3 inches of the reader and it has to be in the same plane as the reader."

For IOActive's CEO Josh Pennell, the threat of a lawsuit filed by HID seemed to be a real possibility, he told reporters during a conference call on Tuesday. The technology giant has claimed that teaching others about RFID devices violates two of the company's patents, Pennell said. On the advice of lawyers, IOActive's chief would not describe other details about the claims.

"If I say anything, HID will sue us," he said. "Large companies have lots of resources, and small companies, such as IOActive, don't."

The relevant presentation has been ripped out of the conference proceedings, according to Jeff Moss, the founder of Black Hat. The presentation will be replaced with a policy discussion about RFID insecurity and national identification.

This is not the first time that computer professionals have been threatened by lawsuits," said Nicole Ozer, technology and civil liberties policy director at the American Civil Liberties Union (ACLU) of Northern California. "We feel that discouraging IOActive ... may have the most grave consequences."

Ozer pointed out that, on Friday, the U.S. Department of Homeland Security is scheduled to present the specifications for next-generation driver's licenses and could include RFID technology,. The inclusion of the problematic technology could result in U.S. citizens having their information stolen, leading to identity fraud and possibly endangering people.

"At this junction, it is particularly important that the government and consumers have all the information possible regarding RFID security," Ozer said.

----------------------------------

So HID Global wants us to believe that the IOActive's talk is just "smoke & mirrors" and isn't even likely feasible, however...they force them to change their talk and the use the rumor of legal threats.

Does anyone see the disconnect here? I know I do.

HID Global wants us to "ignore the man behind the curtain" and you know what? I am not going to do that.

No comments:

Post a Comment