Ryan Naraine gives details on why a talk about RFID security was canceled at Black Hat.
In short, IOActive’s Chris Paget’s plan to explain why RFID technology is “insecure and untrustworthy” was nixed after secure card maker HID Corp. raised objections in a letter that claims possible patent infringement. InfoWorld's Paul Roberts also reported the legal roadblock. In his update, Naraine gives highlights from a conference call on the issues.
Black Hat has gone corporate and it's a handicap. CMP now owns the show, but rest assured, if this conference were still underground, this legal mumbo jumbo wouldn't have occurred.
Any discussion about real security issues can be muzzled by cease-and-desist letters from some vendor worried about its perception. Jeff Moss, founder of Black Hat, said:
"It really surprised us that HID got really excited about this. It has snowballed into shades of a [Michael Lynn-type] scenario where cease-and-desist letters are circulating. I don’t like having speakers intimidated, so the prudent approach now is to just get out of the way of this speeding train. CMP and Black Hat were not threatened by HID but we have to be mindful of the threats against IOActive. They are a small security research company and we have to support them."
Memo to HID: Your perception just took a hit even though your patent didn't.
RFID security is now a front-burner issue. I've written about RFID a bunch and always thought the privacy issues related to tagging were a red herring. Now there's an issue--intercepting data on inventory whereabouts and getting inside corporate operations is very interesting. Just how big of an issue is RFID security?