Legal threat forces cancellation of Black Hat RFID hacking demo

Summary: Another Black Hat conference, another vulnerability disclosure brouhaha. IOActive's Chris Paget's plan to explain why RFID technology is "insecure and untrustworthy" has run into a legal brick wall.

[UPDATE: February 27, 2007 at 10:31 AM Eastern] Black Hat's Jeff Moss just announced that the talk has been cancelled. More to come...

[See 12:18 PM update at the bottom for details on the patent infringement claims]

Another Black Hat conference, another vulnerability disclosure brouhaha.

IOActive researcher Chris Paget's plan to explain why RFID technology is "insecure and untrustworthy" has run into a legal stumbling block after proximity card maker HID Corp. raised objections in a letter that claims possible patent infringement.

InfoWorld's Paul Roberts is reporting that HID sent a letter to IOActive ahead of tomorrow's Black Hat Federal demo, a strong hint that the company might attempt to block Paget's presentation.

So far, no legal action has been taken against IOActive, Paget or CMP Media, the owners of the Black Hat confab. "We're prepared for the worst," said conference organizer Jeff Moss.

Kathleen Carroll, a spokeswoman for HID, confirmed that a letter was sent to IOActive.

In a strange twist, Carroll acknowledged that HID is aware that its RFID proximity cards are vulnerable to hacking attacks but the company's argument is that Paget is overblowing the severity of risk. "These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.

According to the article, HID is also concerned that Paget's demonstration will "popularize the vulnerabilities in its proximity cards and endanger its many customers."

She did not say why the company has not fixed these well-known vulnerabilities.

Here's a brief synopsis of Paget's planned presentation:

RFID for Beginners

RFID tags are becoming more and more prevalent. From access badges to implantable Verichips, RFID tags are finding more and more uses. Few people in the security world actually understand RFID though; the "radio" stuff gets in the way. This presentation aims to bridge that gap, by delivering sufficient information to design and build a working RFID cloner based around a single chip - the PIC16F628A.

Assuming no initial knowledge of electronics, I'll explain everything you need to know in order to build a working cloner, understand how it works, and see exactly why RFID is so insecure and untrustworthy. Covering everything from Magnetic Fields to Manchester Encoding, this presentation is suitable for anyone who is considering implementing an RFID system, considering hacking an RFID system, or who just wants to know a little more about the inductively coupled, ASK modulated, back scattering system known as RFID.
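
As an added illustration of the signal chain that abstract names (this is example code written for this page, not Paget's cloner and not HID's card format, which the article never describes), the Python below Manchester-encodes a constructed 40-bit static ID into chips, carries it as an ASK envelope, slices it back into chips as a reader would, and re-encodes it as a cloner would. The ID bits, envelope levels, samples per chip and noise are all constructed assumptions. The decoder also shows the one subtlety in Manchester coding: the receiver does not know which chip starts a bit until the data changes value.

```python
# Added example: the Manchester-over-ASK signal chain named in the talk abstract.
# Illustrative code written for this page, not Paget's cloner firmware and not the
# HID card format (which the article does not describe). The ID bits, envelope
# levels, sample count and noise are constructed assumptions.
import random
from typing import List, Optional

SAMPLES_PER_CHIP = 8      # assumption: reader samples per half-bit ("chip")
HIGH, LOW = 1.0, 0.25     # assumption: carrier envelope with/without tag loading
SAMPLE_ID_BITS = "1011000111100100010110110101010001111001"  # constructed 40-bit ID

# IEEE 802.3 Manchester convention: 0 -> high,low ; 1 -> low,high.
ENCODE = {"0": (1, 0), "1": (0, 1)}
DECODE = {v: k for k, v in ENCODE.items()}


def manchester_encode(bits: str) -> List[int]:
    """Turn a bit string into a chip stream; every bit carries a mid-bit transition."""
    chips: List[int] = []
    for b in bits:
        if b not in ENCODE:
            raise ValueError(f"not a bit: {b!r}")
        chips.extend(ENCODE[b])
    return chips


def manchester_decode(chips: List[int]) -> Optional[str]:
    """Pair up chips; a 00 or 11 pair means the alignment is wrong (or noise)."""
    if len(chips) % 2:
        return None
    bits = []
    for i in range(0, len(chips), 2):
        bit = DECODE.get((chips[i], chips[i + 1]))
        if bit is None:
            return None
        bits.append(bit)
    return "".join(bits)


def ask_envelope(chips: List[int], noise: float = 0.05, seed: int = 1) -> List[float]:
    """Constructed ASK envelope: each chip held for SAMPLES_PER_CHIP samples, plus jitter."""
    rng = random.Random(seed)
    return [(HIGH if c else LOW) + rng.uniform(-noise, noise)
            for c in chips for _ in range(SAMPLES_PER_CHIP)]


def slice_chips(samples: List[float]) -> List[int]:
    """Reader side: average each chip period and threshold it back to 0/1.
    Assumes the chip clock is already recovered; only the bit phase is unknown."""
    threshold = (HIGH + LOW) / 2
    chips = []
    for i in range(0, len(samples) - SAMPLES_PER_CHIP + 1, SAMPLES_PER_CHIP):
        window = samples[i:i + SAMPLES_PER_CHIP]
        chips.append(1 if sum(window) / len(window) > threshold else 0)
    return chips


def recover_bits(samples: List[float]) -> Optional[str]:
    """Decode at both possible bit phases. The wrong phase produces an invalid pair
    at the first change of data value, so exactly one phase survives, unless the
    data never changes (all 0s or all 1s), which is reported as ambiguous (None)."""
    chips = slice_chips(samples)
    survivors = []
    for phase in (0, 1):
        window = chips[phase:]
        if len(window) % 2:
            window = window[:-1]       # drop a dangling half-bit
        bits = manchester_decode(window)
        if bits is not None:
            survivors.append(bits)
    return survivors[0] if len(survivors) == 1 else None


def clone_chips(samples: List[float]) -> Optional[List[int]]:
    """Cloner side: the tag never answers a challenge, so re-emitting the recovered
    static ID reproduces its chip stream exactly."""
    bits = recover_bits(samples)
    return None if bits is None else manchester_encode(bits)


if __name__ == "__main__":
    captured = ask_envelope(manchester_encode(SAMPLE_ID_BITS))
    print("recovered :", recover_bits(captured))
    # A capture that starts half a bit late: phase 0 fails, phase 1 yields the ID minus its first bit.
    print("late start:", recover_bits(captured[SAMPLES_PER_CHIP:]))
    print("replay identical:", clone_chips(captured) == manchester_encode(SAMPLE_ID_BITS))
```

The security point sits in the last function: because the tag only ever broadcasts the same identifier and is never asked a question it has to compute an answer to, whatever the reader recovers can be re-emitted verbatim, and the replayed chip stream is indistinguishable from the tag's own. That capture-and-replay property, not any particular vendor's encoding, is what the abstract calls "insecure and untrustworthy".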

The Black Hat conference organizers are accustomed to dealing with these flaw disclosure debates. In July 2005, Cisco and ISS sued researcher Michael Lynn over his Black Hat talk on holes in Cisco IOS, reigniting a flaw disclosure debate that doesn't seem to have an end. At last year's Black Hat Federal, David Litchfield's "Breakable" presentation triggered a backlash from Oracle because it exposed a serious flaw that had not been fixed for months.

[UPDATE: February 27, 2007 at 12:18 PM Eastern]

Highlights from a conference call this morning with IOActive president Joshua Pennell, Black Hat founder Jeff Moss, IOActive researcher Chris Paget and Nicole Ozer, technology and civil liberties policy director at the ACLU of Northern California:

Jeff Moss, Black Hat:
When we accepted Chris' talk, we thought it was a really nice ground-up presentation that would have been capped off by a great demo of all the principles of RFID and the security implications. He was not only going to talk about the implications, but he was going to show them, give the audience members something visual.

It really surprised us that HID got really excited about this. It has snowballed into shades of a [Michael Lynn-type] scenario where cease-and-desist letters are circulating. I don't like having speakers intimidated, so the prudent approach now is to just get out of the way of this speeding train. CMP and Black Hat were not threatened by HID, but we have to be mindful of the threats against IOActive. They are a small security research company and we have to support them.

That means that we will pull the talk from the show. We will swap in an alternative talk from the ACLU and another researcher around the criticality of RFID security.

Josh Pennell, IOActive:
We didn't know about HID's patents. We fully respect their IP rights and we strongly urge anyone looking into technology not to infringe on anyone's patents. In this case, we were exploring RFID from a security perspective and we launched an R&D effort to understand the potential risks. We found possible ways to read security codes transmitted by RFID proximity cards. This is not a new attack; it has been discussed before in detail. We just wanted to bring it to the public's attention that these "prox" badges are not the be-all and end-all of physical security.

Given the threat of pending litigation, we had no choice but to cancel the talk. We tried negotiating with HID but it was going nowhere. There was no middle ground to be had so the negotiations have ended. We tried our best for 12 straight hours, up until 5 o'clock this morning but nothing worked. With the threat of litigation over our small company, I can't move forward and talk about anything related to our presentation.

HID keeps making more legal assertions, putting IOActive at more risk. Our intent has always been to further research into security risks. We've always acted responsibly in the past and we will act responsibly in the future.

[NOTE: IOActive was one of the companies hired by Microsoft to conduct third-party penetration tests against Windows Vista.]

Chris Paget, IOActive
The issue surrounds a device I built with about $20 worth of off-the-shelf electronic parts. Most of the parts came off eBay. It's not complicated at all, in fact I was going to explain everything about it in a 75-minute presentation.

It took me about a month to build, and that included time to relearn the electronics [of building an AM radio]. Our concern is that there is critical national infrastructure being protected by this proximity technology while there are some grave problems. Our intent is to disseminate information to allow people to make an informed decision about the risks associated with using RFID technology.

We have been prevented by HID, by a legal threat, from discussing that.

We'll put the cloner into a trust until this issue is fully settled.

[NOTE: Apple co-founder Steve Wozniak owns a prototype of Paget's cloner. Asked about the future of that device, in the face of the pending litigation, Pennell offered a "no comment."]

Nicole Ozer, ACLU
While we fully support the enforcement of patent laws, free speech must be protected. We can't allow certain rights to be trampled by overzealous use of IP law. Discouraging IOActive from making this presentation has some of the most grave consequences. The Department of Homeland Security is expected to release Real ID regulations that will dictate what type of machine-readable technology will be in drivers' licenses, and that includes RFID chips. There are real privacy and security implications at play here.

This type of research is critical. The use of RFID tags in identity documents means that if you're walking down the street, participating in a political rally, etc., anyone with an RFID scanner can read the personal info stored on an insecure RFID chip without the target ever knowing. That information can be misused to improperly track your movements and obtain personal info, including your name and physical address. There are real serious issues with serious implications.

Jeff Moss, Black Hat:
The action by HID is a threat to the conference business. It will reach a point where everything will be dumbed-down and everything we can discuss will come from a sales sheet from a product manufacturer. I don't like it at all, it doesn't bode well for security research.

The security industry needs some civility. It really doesn't show goodwill when a company with a lot of resources can unleash attorneys on a small researcher. It turned into a giant mess for Cisco [with the Michael Lynn controversy] but other companies haven't learned that lesson yet.

You can make the argument that all research infringes on some patent somewhere. This threatens the entire conference business. Pretty soon, I'll have to only accept speeches from people who put up bonds, or from the mega-corporations that have resources to stare down a legal threat.

We were not threatened by HID. But, we have to fully support IOActive so, when they said that trouble is looming, we decided to pull the talk and remove all the conference material.

It was like déjà vu all over again. We had to rip pages out of the conference handbook. Josh got notice a few days ago and there was no time to come up with many options. I don't know if it was part of HID's strategy to drop the bomb at the last minute but this doesn't bode well for the future of independent security research and that's what really pisses me off.

[NOTE: HID is claiming infringement of two patents -- #5,041,826 and #5,166,676. The inventor listed in the patents, Thomas Milheiser, is also credited with a third RFID-related patent (#4,730,188).]

Talkback

30 comments
  • Security through obscurity never works...

They should have learned that by now, one would hope. It doesn't matter if he talks about it or not; there are lots of people who already know its weaknesses and how to profit by them!!!!!
    mrlinux
  • Call me confused

I don't get it; how can exposing the security risks of a product possibly be patent infringement?

We have national organizations & magazines whose whole purpose for existing is to test, evaluate & publish reviews of products. If disclosing flaws is patent infringement then these companies could only publish positive reviews. Doesn't sound like a good consumer protection policy to me.

    Bjorn A Freeman
    bjornafreeman@...
    • Patent Judge, Jury and Executioner!

[i]"I don't get it; how can exposing the security risks of a product possibly be patent infringement?"[/i]

      You have it backwards.

      The patent system allows the patent holder to determine who can licence or use a patented product. If they don't want the demo to happen then they can simply declare that [i]"if company xxxxx uses the product then they are infringing our IP"[/i] and they don't have to give a reason either.

      If the demo goes ahead then they can ask for wilful infringement (= triple rate) damages and set an arbitrary amount as to what the claim should be. The only latitude the Judge would get would be in determining the size of the claim.
      bportlock
      • Freedom of speech

When did patent law supersede the 1st Amendment's guarantees of freedom of speech or freedom of the press? Once you've allowed me to purchase your product I'm free to tell the whole world whether I thought it was a good product or a flawed product. You can't tell me to shut up because you have a patent on the product.

        Bjorn A Freeman
        bjornafreeman@...
      • Correct, But only up to a point

They cannot determine who can purchase the end product. The license applies to the technology itself: to incorporate it into some other product would require a [i]license[/i], but that has no bearing on how end users can use it themselves unless they had signed a license themselves.

And the [i]patent[/i] cannot say who gets to use it, only that the technology or process is owned and requires a license to be "reproduced".

Once I buy that shipping label at Staples with an RFID chip in it, I can pretty much do whatever I want with it, as long as I do not break other laws by using it in a different way (use it to stalk someone, unlawful recording, etc.). If I use it to track where my CDs are in the house, there is nothing the patent holder or license holder can do.
        John Zern
        • pick your point

Pick your point within the circle of this argument [HID vs Black Hat]; round and round it goes.
          Completely off topic: In the late 60's, how much did the EPA say it was going to cost to fix industrial waste issues?
          stemcellphone
    • Might not be patent infringement according to USPTO

      According the United States Patent and Trademark Office (USPTO),
      http://www.uspto.gov/web/offices/pac/doc/general/index.html#patent

      [i][b]What Is a Patent?[/b]

      A patent for an invention is the grant of a property right to the inventor, issued by the United States Patent and Trademark Office. Generally, the term of a new patent is 20 years from the date on which the application for the patent was filed in the United States or, in special cases, from the date an earlier related application was filed, subject to the payment of maintenance fees. U.S. patent grants are effective only within the United States, U.S. territories, and U.S. possessions. Under certain circumstances, patent term extensions or adjustments may be available.

The right conferred by the patent grant is, in the language of the statute and of the grant itself, "the right to exclude others from making, using, offering for sale, or selling" the invention in the United States or "importing" the invention into the United States. What is granted is not the right to make, use, offer for sale, sell or import, but the right to exclude others from making, using, offering for sale, selling or importing the invention. Once a patent is issued, the patentee must enforce the patent without aid of the USPTO. [/i]

      The only part that may be of issue is the limitation on use. But if he shows the build but doesn't quite demo it, it wouldn't be use.

      I don't see how this could be a patent infringement.

      Dan
      Dan__
      • Unfortunately right and wrong don't come into play

Whether he has a right to speak about it or not isn't the problem;
the issue boils down to what it will cost to defend the action, and win or lose it still costs them money, so they took the cheap way out.

        I believe they should have done the demo and called their bluff, but it's not my money
        mrlinux
  • Sounds like the big tobacco companies...

[i]In a strange twist, Carroll acknowledged that HID is aware that its RFID proximity cards are vulnerable to hacking attacks but the company's argument is that Paget is overblowing the severity of risk. "These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.[/i]

    Some smokers may get respiratory problems, but it's no big deal. People everywhere smoke. Lots of other companies sell tobacco products...blah blah blah

Carroll ends with "Where's the sense of responsibility?" while not elaborating on why her company has not fixed the well known vulnerabilities.

    If this article makes a mainstream publication, then her quote may attract another form of publicity for her company, and her bosses won't like it.
    Taz_z
    • Useless products deserve to crash and burn!

[i]"Kathleen Carroll, a spokeswoman for HID ... [said] 'These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?'"[/i]

      So from her point of view the product can be kept secure if no one is allowed to tell what the whopping great insecurity is? And that's responsible is it? I don't think so - it's just bl**dy stupid!

      Anyone who shows that a security product is totally inadequate deserves a prize because they are doing us all a favour.
      bportlock
  • Where's the Sense of Responsibility ?

    Oh the irony.

    "Carroll acknowledged that HID is aware that its RFID proximity cards are vulnerable to hacking attacks"

    "She did not say why the company has not fixed these well-known vulnerabilities."

""Where's the sense of responsibility?" Carroll said."

    The arrogance and stupidity of HID astounds me.
    magcomment
    • HID on my access card!

      Guess this world is a fools paradise! My fortune 500 company gave me a HID badge to access the office!:)
      smartyram
      • Fortune 500? Try DoD!

HID has a very large customer base in the DoD, and they're just panicking that they can lose future business with them. Proximity badges by HID and Schlumberger are ubiquitous at secure complexes within the federal government and DoD.

This is just pure over-reaction on their part. They think they'll be able to close the barn door, but the horse's hooves are preventing it from closing all the way... The weaknesses will be revealed - in fact, I'll just have to go peruse Google and see what's already in the public domain!
        NetArch.
  • Is HID liable?

    Does this mean that HID is knowingly selling a defective product that is unsuited to its intended purpose?

Legal sleazeball minds want to know...
    wolf_z
    • I think they are

      If they want to start threatening researchers, there needs to be a class action filed on their defective products.
      georgeou
  • Does anyone?

My understanding of RFID is that it basically "stores a number that can be read back in near proximity". For instance, the ID badge usage: if you have an RFID chip activated badge, this "cloner" technology WOULD render the badge itself insecure; anyone with the proper tech could read the number and clone the badge. However, if you have an RFID chip in your driver's license, all the cloner would do is give you the "authentication number"; he would need access to a (hopefully) secured database in order to be able to access things like name & address, and therefore would not be able to "forge" a driver's license. Although he could duplicate the RFID chip, he would have no way of accessing all the other data that is present on the license.
    justanitguy
    • toolbox Does anyone?

      "need access to a (hopefully) secured database"
      No examples of this around to display here.
      stemcellphone
  • No more confused than me

    I thought full disclosure was a condition of receiving a patent. So how can revealing any information about the patent be a violation?

    Also, the patent has to be pretty trivial to be violated by assembling a few off the shelf parts.
    kmatzen@...
  • HID threatens Black Hat RFID... on behalf of Big Brother.

    "Patent infringements."

    Right. ;)

More like, lucrative government contracts at stake for HID. Not to mention all those juicy tax breaks, and the satisfaction that only they (HID) can become an official part of the D'uh'bya domestic-invasion-of-privacy program.

    "Patent infringements." If you believe that, I'd like to sell you some prime oceanfront real estate in Colorado. :p
    Mr. Roboto
  • I guess the truth hurts....

    big companies. With big lawyers. So they win.
    BitTwiddler