Legal threat forces cancellation of Black Hat RFID hacking demo

Another Black Hat conference, another vulnerability disclosure brouhaha. IOActive's Chris Paget's plan to explain why RFID technology is "insecure and untrustworthy" has run into a legal brick wall.
Written by Ryan Naraine, Contributor
[UPDATE: February 27, 2007 at 10:31 AM Eastern] Black Hat's Jeff Moss just announced that the talk has been cancelled. More to come...

[See 12:18 PM update at the bottom for details on the patent infringement claims]

IOActive's Chris Paget's plan to explain why RFID technology is "insecure and untrustworthy" has run into a legal stumbling block after secure card maker HID Corp. raised objections in a letter that claims possible patent infringement.

InfoWorld's Paul Roberts is reporting that HID sent a letter to IOActive ahead of tomorrow's Black Hat Federal demo, a strong hint that the company might attempt to block Paget's presentation.

So far, no legal action has been taken against IOActive, Paget or CMP Media, the owners of the Black Hat confab. "We're prepared for the worst," said conference organizer Jeff Moss.

Kathleen Carroll, a spokeswoman for HID, confirmed that a letter was sent to IOActive.

In a strange twist, Carroll acknowledged that HID is aware that its RFID proximity cards are vulnerable to hacking attacks but the company's argument is that Paget is overblowing the severity of risk. "These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.

According to the article, HID is also concerned that Paget's demonstration will "popularize the vulnerabilities in its proximity cards and endanger its many customers."

She did not say why the company has not fixed these well-known vulnerabilities.

Here's a brief synopsis of Paget's planned presentation:

RFID for Beginners

RFID tags are becoming more and more prevalent. From access badges to implantable Verichips, RFID tags are finding more and more uses. Few people in the security world actually understand RFID though; the "radio" stuff gets in the way. This presentation aims to bridge that gap, by delivering sufficient information to design and build a working RFID cloner based around a single chip - the PIC16F628A.

Assuming no initial knowledge of electronics, I'll explain everything you need to know in order to build a working cloner, understand how it works, and see exactly why RFID is so insecure and untrustworthy. Covering everything from Magnetic Fields to Manchester Encoding, this presentation is suitable for anyone who is considering implementing an RFID system, considering hacking an RFID system, or who just wants to know a little more about the inductively coupled, ASK-modulated, backscattering system known as RFID.

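The synopsis names Manchester encoding as one of the building blocks of the low-frequency badge signal. As an added illustration written for this page (not Paget's cloner code and not any real HID badge format; the 8-bit preamble and the payload are constructed), this shows how a receiver turns a raw half-bit sample stream back into bits, why a 00 or 11 pair must be rejected rather than guessed, and how bit alignment is recovered by sliding a window until the preamble decodes cleanly:

```python
from typing import List, Tuple

# Constructed example for this page; not Paget's cloner code and not any
# real HID badge format. Assumes IEEE-style Manchester (0 -> low,high;
# 1 -> high,low), one sample per half-bit, and a made-up 8-bit preamble.
PREAMBLE = [1, 1, 1, 1, 1, 1, 1, 0]  # constructed sync word


def manchester_encode(bits: List[int]) -> List[int]:
    """Each data bit becomes two half-bit levels, so every bit carries a
    mid-bit edge the receiver can use to recover the clock."""
    levels: List[int] = []
    for b in bits:
        levels.extend((0, 1) if b == 0 else (1, 0))
    return levels


def manchester_decode(levels: List[int]) -> List[int]:
    """Turn half-bit pairs back into bits. A 00 or 11 pair has no mid-bit
    edge: wrong sampling phase or not Manchester data, so reject it."""
    if len(levels) % 2:
        raise ValueError("odd number of half-bit samples")
    bits: List[int] = []
    for i in range(0, len(levels), 2):
        pair = (levels[i], levels[i + 1])
        if pair == (0, 1):
            bits.append(0)
        elif pair == (1, 0):
            bits.append(1)
        else:
            raise ValueError(f"no mid-bit transition at half-bit {i}: {pair}")
    return bits


def find_frame(levels: List[int], payload_bits: int) -> Tuple[int, List[int]]:
    """A reader does not know where the tag's bit boundaries fall in the raw
    stream, so slide over every start position (this also tries both phases)
    until a window decodes cleanly and begins with the preamble; return
    (start_offset, payload bits after the preamble)."""
    frame_len = 2 * (len(PREAMBLE) + payload_bits)
    for start in range(len(levels) - frame_len + 1):
        try:
            bits = manchester_decode(levels[start:start + frame_len])
        except ValueError:
            continue
        if bits[:len(PREAMBLE)] == PREAMBLE:
            return start, bits[len(PREAMBLE):]
    raise ValueError("preamble not found in sample stream")


# Constructed capture: three idle-low samples, one frame, two idle-high samples.
PAYLOAD = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]
CAPTURE = [0, 0, 0] + manchester_encode(PREAMBLE + PAYLOAD) + [1, 1]
```

Because the badge simply broadcasts the same fixed payload on every read, any receiver that gets this far holds everything the reader will accept, which is the gap the talk set out to explain.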
The Black Hat conference organizers are accustomed to dealing with these flaw disclosure debates. In August 2005, Cisco sued hacker Michael Lynn for discussing holes in Cisco IOS, reigniting a flaw disclosure debate that doesn't seem to have an end. At last year's Black Hat Federal, David Litchfield's "Breakable" presentation triggered a backlash from Oracle because it exposed a serious flaw that had not been fixed for months.

[UPDATE: February 27, 2007 at 12:18 PM Eastern]

Highlights from a conference call this morning with IOActive president Joshua Pennell, Black Hat founder Jeff Moss, IOActive researcher Chris Paget and Nicole Ozer, technology and civil liberties policy director at the ACLU of Northern California:

Jeff Moss, Black Hat:
When we accepted Chris' talk, we thought it was a really nice ground-up presentation that would have been capped off by a great demo of all the principles of RFID and the security implications. He was not only going to talk about the implications, but he was going to show them, give the audience members something visual.

It really surprised us that HID got really excited about this. It has snowballed into shades of a [Michael Lynn-type] scenario where cease-and-desist letters are circulating. I don't like having speakers intimidated so the prudent approach now is to just get out of the way of this speeding train. CMP and Black Hat were not threatened by HID but we have to be mindful of the threats against IOActive. They are a small security research company and we have to support them.

That means that we will pull the talk from the show. We will swap in an alternative talk from the ACLU and another researcher around the criticality of RFID security.

Josh Pennell, IOActive:
We didn't know about HID's patents. We fully respect their IP rights and we strongly urge anyone looking into technology not to infringe on anyone's patents. In this case, we were exploring RFID from a security perspective and we launched an R&D effort to understand the potential risks. We found possible ways to read security codes transmitted by RFID proximity cards. This is not a new attack, it has been discussed before in detail. We just wanted to bring it to the public's attention that these "prox" badges are not the be-all and end-all of physical security.

Given the threat of pending litigation, we had no choice but to cancel the talk. We tried negotiating with HID but it was going nowhere. There was no middle ground to be had so the negotiations have ended. We tried our best for 12 straight hours, up until 5 o'clock this morning but nothing worked. With the threat of litigation over our small company, I can't move forward and talk about anything related to our presentation.

HID keeps making more legal assertions, putting IOActive at more risk. Our intent has always been to further research into security risks. We've always acted responsibly in the past and we will act responsibly in the future.

[NOTE: IOActive was one of the companies hired by Microsoft to conduct third-party penetration tests against Windows Vista.]

Chris Paget, IOActive:
The issue surrounds a device I built with about $20 worth of off-the-shelf electronic parts. Most of the parts came off eBay. It's not complicated at all, in fact I was going to explain everything about it in a 75-minute presentation.

It took me about a month to build, and that included time to relearn the electronics [of building an AM radio]. Our concern is that there is critical national infrastructure being protected by this proximity technology while there are some grave problems. Our intent is to disseminate information to allow people to make an informed decision about the risks associated with using RFID technology.

We have been prevented by HID from discussing that, by a legal threat.

We'll put the cloner into a trust until this issue is fully settled.

[NOTE: Apple co-founder Steve Wozniak owns a prototype of Paget's cloner. Asked about the future of that device, in the face of the pending litigation, Pennell offered a "no comment."]

Nicole Ozer, ACLU:
While we fully support the enforcement of patent laws, free speech must be protected. We can't allow certain rights to be trampled by overzealous use of IP law. Discouraging IOActive from making this presentation has some of the most grave consequences. The Department of Homeland Security is expected to release RealID regulations that will dictate what type of machine-readable technology will be in drivers' licenses and that includes RFID chips. There are real privacy and security implications at play here.

This type of research is critical. The use of RFID tags in identity documents means that if you're walking down the street, participating in a political rally, etc., anyone with an RFID scanner can read the personal info stored on an insecure RFID chip without the target ever knowing. That information can be misused to improperly track your movements, obtain personal info, including your name and physical address. There are real serious issues with serious implications.

Jeff Moss, Black Hat:
The action by HID is a threat to the conference business. It will reach a point where everything will be dumbed-down and everything we can discuss will come from a sales sheet from a product manufacturer. I don't like it at all, it doesn't bode well for security research.

The security industry needs some civility. It really doesn't show goodwill when a company with a lot of resources can unleash attorneys on a small researcher. It turned into a giant mess for Cisco [with the Michael Lynn controversy] but other companies haven't learned that lesson yet.

You can make the argument that all research infringes on some patent somewhere. This threatens the entire conference business. Pretty soon, I'll have to only accept speeches from people who put up bonds, or from the mega-corporations that have resources to stare down a legal threat.

We were not threatened by HID. But, we have to fully support IOActive so, when they said that trouble is looming, we decided to pull the talk and remove all the conference material.

It was like déjà vu all over again. We had to rip pages out of the conference handbook. Josh got notice a few days ago and there was no time to come up with many options. I don't know if it was part of HID's strategy to drop the bomb at the last minute but this doesn't bode well for the future of independent security research and that's what really pisses me off.

[NOTE: HID is claiming infringement of two patents -- #5,041,826 and #5,166,676. The inventor listed in the patents, Thomas Milheiser, is also credited with a third RFID-related patent (#4,730,188).]