HID denies RFID demo threat, hackers worry
The company at the center of the storm, HID Global, issued a statement acknowledging that it may be possible to clone a proximity card but insisted it "did not threaten" IOActive researcher Chris Paget to nix the presentation. "Acting in the interests of its customers worldwide, [we] simply informed IOActive and its management of the patents that currently protect HID Global intellectual property," the company said.
"HID Global has the right and responsibility to discourage the publication of any information regarding the improper use of HID's intellectual property, including violations of HID's intellectual property or inducing others to violate HID's intellectual property."
However, as IOActive explained in its own statement, HID Global actually published a white paper (PDF) on its Web site that highlights the potential vulnerabilities in the contactless smart card technology.
This is what IOActive considered a legal threat:
HID Global Corporation learned of our intended briefing, contacted IOActive, and demanded that IOActive refrain from presenting our findings at the BlackHat Convention, on the basis that "such presentation will subject you to further liability for infringement of HID's intellectual property." In HID's view, our proposed presentation on proximity badge technology potentially infringed their patents (U.S. Pat. Nos. 5,041,826 and 5,166,676).
In the past, vendors have used the DMCA (Digital Millennium Copyright Act) and trade secrets (source code) rights to scare off security researchers but, in this case, the use of a patent claim has caused raised eyebrows.
Chris Wysopal, an old-school hacker who used the "Weld Pond" moniker in the days of the L0pht, suggests that the principle of fair use should now apply to patents and vulnerability research:
What is new in this saga is HID is using the threat of patent infringement to prevent people from demonstrating that the technology is insecure. Chris Paget isn't building RFID devices and selling them which would deprive HID revenue. He is alerting the public to security and safety risks of relying on this product. If there is a better example of a fair use critique I would like to hear it," Wysopal argued.
Jennifer Granick, executive director of the Center for Internet and Society at Stanford Law School, finds "bitter irony" in the use of patent infringement claims to foil legitimate research.
Granick, who defended Michael Lynn in the infamous 'Ciscogate' controversy in 2005, writes in a column for Wired:
Patents have been issued for the most trivial of inventions -- there are multiple patents like No. 7,111,753, which grants rights with regard to a piece of paper that goes around a hot cup to stop your hand from getting burned. Combine excessive grants of patent rights with a company's narrow corporate self-interest in maintaining an image, and we have a free speech and security nightmare.
Imagine if, in the 1970s, the tobacco companies had patented devices to measure the health effects of smoking, then threatened lawsuits against anyone who researched their products.
The use of patent law to prevent vulnerability discovery and discussion is bitter irony, because a fundamental purpose of patent law is disclosure: In exchange for the right to exclude others from using, making or selling a novel invention, an inventor agrees to make public all the details. Once issued, patents are a searchable public record, and expire after 20 years...
...This is a case about misusing intellectual property laws to silence critics who want to inform customers and consumers alike that the RFID emperor has no clothes."
Robert Graham, co-founder of Errata Security, believes HID Global's actions is a direct threat to free speech. "However, it's not likely to suppress much. You can get schematics for a device that can be used to break into HIDs systems here, you'll just have to a few hours of extra work without Paget's speech," Graham said.