February 27, 2007 9:30 AM PST

Nixed: Black Hat talk on RFID access badge risks

Security researchers have canceled a talk on the flaws of RFID-equipped building access badges after receiving legal threats from a major manufacturer.

Researchers from security services firm IOActive planned to demonstrate that the commonly used identification cards can easily be duplicated, posing a serious risk to those who rely on such systems for security.

The talk, slated for Wednesday at the Black Hat DC Briefings & Training event in Arlington, Va., was canceled Tuesday after IOActive said it received legal threats from HID Global, a major seller of access control systems.

"We can't go forward with the threat of litigation hanging over our small company," Joshua Pennell, IOActive's chief executive, said in a conference call with reporters Tuesday.

HID said in a statement late Tuesday that it did not threaten IOActive to stop its presentation at the Black Hat event.

"HID Global, acting in the best interests of its customers worldwide, simply informed IOActive and its management of the patents that currently protect HID Global intellectual property," the company said.

Additionally, HID said it was surprised that the Black Hat talk was called off and that it was blamed. The company also acknowledged that RFID cards can be cloned.

"It may be possible, under certain conditions, to clone a proximity card," HID said. For added security, use of such cards could be complemented by additional security systems such as cameras and biometrics, it said.

According to IOActive, HID charged that the planned presentation infringed its intellectual property, U.S. patents 5,041,826 and 5,166,676 in particular.

"As a consequence...IOActive has withdrawn its presentation," the company said in a statement on its Web site, declining to give further details about its scrapped conference session.

The concept behind IOActive's presentation is not new. RFID security is regularly scrutinized. In fact, at last year's Black Hat Briefings in Las Vegas, a German security researcher showed how passports equipped with the radio tags could be cloned. The same researcher said this could also be done with building access cards.

Black Hat is getting a reputation for having talks canceled at the last minute because of legal threats. A presentation on vulnerabilities in Cisco Systems' software at the 2005 event in Las Vegas was pulled because of legal threats from the networking giant. The presenter famously delivered his talk anyway.

"I don't like it when really big companies throw their weight around," Jeff Moss, founder of Black Hat conferences, said on the Tuesday conference call. "This threatens the whole conference business."

"It is deja vu," Moss said, referring to Black Hat having to revise parts of its conference materials because of the last-minute change. "It certainly screwed up our conference scheduling."

Once again out of control IP
laws used to stifle what was probably a legitimate speech.
Posted by unknown unknown (1951 comments )
Free Speech?
Worse, yet, what happened to Free Speech? You mean Big Corporations can circumvent the Constitution, Bill of Rights et al?

Nice. :-(

Posted by Rythan (10 comments )
...And what is worse, this type of crap oppresses the research that can make people safer. If this kind of thing is allowed to continue, then the state of security on the net is just going to get a lot worse.

Mike Lynn gets props for his talk, and so does Raven for backing it up at DefCon.
Posted by 0x90 (15 comments )
The big companies don't have to circumvent the Constitution or the Bill of Rights since those only apply to the government.
Posted by helotaxi (1 comment )
Oh well...
They have two options...

1. Some black hat will hack the computer with the powerpoint and distribute it across the internet.

2. They can go visit the HID headquarters. What? You can't get in without an RFID badge. Prize to whoever gets into their server room first.
Posted by TV James (680 comments )
ACLU Speaks Out on RFIDs
Read the full comments made by Nicole Ozer, Technology and Civil Liberties Policy Director of the ACLU of Northern California, about this incident on her blog: http://www.aclunc.org/issues/technology/bytes_and_pieces/blackhat_presenters_threatened_with_patent_suit_for_exposing_rfid_vulnerabilities.shtml
Posted by ACLU of NorCal (1 comment )
Who's suing who???
Aren't there laws that state: you cannot sell a 'defective' product.
And that would also mean 'false and misleading advertising'.
Hmm? That would mean that they (mfg) of such security items
could/would be held accountable.
Just wondering?
Posted by appletoys (23 comments )
They just condemned their own product...
If they have to use the patent system to prevent a discussion on the vulnerabilities that exist within their products then they are admitting these vulnerabilities exist.
With that in mind who would want their products?
If you have to use ancillary security measures to ensure that their product hasn't been hacked then why not just use mag-cards and have an officer posted at the door?

Surely someone that has the intent on exploiting their product's vulnerabilities to gain access to a building is not going to care about patent litigation.
Posted by fred dunn (793 comments )
ID cardholder can minimize RFID security risks
You can minimize the threat of cloning or eavesdropping in any RFID enabled cards (e.g., ID cards or credit cards).

Smart Tools' RFID Shield is a protective sleeve for RFID cards. This blocks RFID while the card is in the sleeve, and lets RFID talk again when the card is removed.

To have minimal stray RFID communication, you'd keep the ID card in the sleeve until you're next to the reader, then remove the ID card only so far that the reader can read the RFID'd ID card. This keeps long distance (or 3rd party) RFID communication probability low.

Even when the ID card is RFID blocked, the front face of the ID card is still readable. This helps if you need to show your ID card to somebody.

There's more info at:
http://smarttools.home.att.net/rfshield.htm
Posted by smarttools (7 comments )
Why bother with them then?
All you need to do is make sure you have the only key and that nobody ever touches the lock and if you keep the key in a locked box with someone else holding the key to that box and then you weld the lockbox to the ceiling of another building that someone else has the key to and you have a secret handshake for the people who need to get in to the buildings and a secret password then every time someone needs access to the bathroom you can be sure they belong there. That's how ludicrous the idea of special sleeves and adding biometrics and talking dogs and crap is. The technology sucks better to not even use it unless of course it's running on Windows Vista in which case it won't let it work anyway.
Posted by nuckelhedd (70 comments )
