HID denies RFID demo threat, hackers worry

Black Hat Diary: IOActive's decision to cancel its RFID hacking demo is the main topic of conversation here as white hat hackers ponder the ramifications of a vendor using patent infringement claims to thwart legitimate security research.

The company at the center of the storm, HID Global, issued a statement acknowledging that it may be possible to clone a proximity card but insisted it "did not threaten" IOActive researcher Chris Paget to nix the presentation. "Acting in the interests of its customers worldwide, [we] simply informed IOActive and its management of the patents that currently protect HID Global intellectual property," the company said.

"HID Global has the right and responsibility to discourage the publication of any information regarding the improper use of HID's intellectual property, including violations of HID's intellectual property or inducing others to violate HID's intellectual property."

However, as IOActive explained in its own statement, HID Global actually published a white paper (PDF) on its Web site that highlights the potential vulnerabilities in the contactless smart card technology.

This is what IOActive considered a legal threat:

HID Global Corporation learned of our intended briefing, contacted IOActive, and demanded that IOActive refrain from presenting our findings at the BlackHat Convention, on the basis that "such presentation will subject you to further liability for infringement of HID's intellectual property." In HID's view, our proposed presentation on proximity badge technology potentially infringed their patents (U.S. Pat. Nos. 5,041,826 and 5,166,676).

In the past, vendors have used the DMCA (Digital Millennium Copyright Act) and trade-secret rights (over source code) to scare off security researchers, but in this case the use of a patent claim has raised eyebrows.

Chris Wysopal, an old-school hacker who used the "Weld Pond" moniker in the days of the L0pht, suggests that the principle of fair use should now apply to patents and vulnerability research:

"What is new in this saga is HID is using the threat of patent infringement to prevent people from demonstrating that the technology is insecure. Chris Paget isn't building RFID devices and selling them, which would deprive HID of revenue. He is alerting the public to security and safety risks of relying on this product. If there is a better example of a fair use critique I would like to hear it," Wysopal argued.

Jennifer Granick, executive director of the Center for Internet and Society at Stanford Law School, finds "bitter irony" in the use of patent infringement claims to foil legitimate research.

Granick, who defended Michael Lynn in the infamous 'Ciscogate' controversy in 2005, writes in a column for Wired:

"Patents have been issued for the most trivial of inventions -- there are multiple patents like No. 7,111,753, which grants rights with regard to a piece of paper that goes around a hot cup to stop your hand from getting burned. Combine excessive grants of patent rights with a company's narrow corporate self-interest in maintaining an image, and we have a free speech and security nightmare.

Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products.

The use of patent law to prevent vulnerability discovery and discussion is bitter irony, because a fundamental purpose of patent law is disclosure: In exchange for the right to exclude others from using, making or selling a novel invention, an inventor agrees to make public all the details. Once issued, patents are a searchable public record, and expire after 20 years...

...This is a case about misusing intellectual property laws to silence critics who want to inform customers and consumers alike that the RFID emperor has no clothes."

Robert Graham, co-founder of Errata Security, believes HID Global's actions are a direct threat to free speech. "However, it's not likely to suppress much. You can get schematics for a device that can be used to break into HID's systems here; you'll just have to do a few hours of extra work without Paget's speech," Graham said.

Talkback

4 comments
  • Classic crap from the Corporates.....

    Translation: "If you dare tell the truth and make the world aware of how much our product sucks, our attorneys will make your life miserable."

    That's pretty much what it comes down to. The Corporates have no interest or concern in free speech and will work to suppress it in the blink of an eye if they think it might cost them some lost sales.
    shawkins
  • A better way

    Why should hackers worry.
    1) find the vulnerability in crap product.
    2) build a better product.
    3) make lots of money.
    4) the old standby put what you know on a website and let everyone have some fun.
    5) corporations are like having sex with your girlfriend who you know you're going to dump and using a rubber with a hole in it.
    Sowhatsupyouranus@...
  • Boy has Diebold dropped the ball

    Could you imagine all the bad press any makers of Electronic Voting Machines could have avoided had they just hired the right shyster lawyers to defend them this way? What might this say about the future of Medical Device Development?? "I'm sorry your honor, we can't let this lawsuit come to trial because no matter how the supposed failure of our product may or may not have injured the alleged victim, it would be an infringement of our patent rights to demonstrate how this supposedly occurred in a court of law..."
    ReadWryt (error)
  • RE: HID denies RFID demo threat, hackers worry

    Hackers seem to exist to improve protection ))) and their attacks are a good means to learn about effectiveness of protection))
    ilandrona