February 27, 2007 9:30 AM PST

Nixed: Black Hat talk on RFID access badge risks

Last modified: February 28, 2007 5:07 AM PST

Security researchers have canceled a talk on the flaws of RFID-equipped building access badges after receiving legal threats from a major manufacturer.

Researchers from security services firm IOActive planned to demonstrate that the commonly used identification cards can easily be duplicated, posing a serious risk to those who rely on such systems for security.

The talk, slated for Wednesday at the Black Hat DC Briefings & Training event in Arlington, Va., was canceled Tuesday after IOActive said it received legal threats from HID Global, a major seller of access control systems.

"We can't go forward with the threat of litigation hanging over our small company," Joshua Pennell, IOActive's chief executive, said in a conference call with reporters Tuesday.

HID said in a statement late Tuesday that it did not threaten IOActive to stop its presentation at the Black Hat event.

"HID Global, acting in the best interests of its customers worldwide, simply informed IOActive and its management of the patents that currently protect HID Global intellectual property," the company said.

Additionally, HID said it was surprised that the Black Hat talk was called off and that it was blamed. The company also acknowledged that RFID cards can be cloned.

"It may be possible, under certain conditions, to clone a proximity card," HID said. For added security, use of such cards could be complemented by additional security systems such as cameras and biometrics, it said.

According to IOActive, HID charged that the planned presentation infringed its intellectual property, U.S. patents 5,041,826 and 5,166,676 in particular.

"As a consequence...IOActive has withdrawn its presentation," the company said in a statement on its Web site, declining to give further details about its scrapped conference session.

The concept behind IOActive's presentation is not new. RFID security is regularly scrutinized. In fact, at last year's Black Hat Briefings in Las Vegas, a German security researcher showed how passports equipped with the radio tags could be cloned. The same researcher said this could also be done with building access cards.

Black Hat is getting a reputation for having talks canceled at the last minute because of legal threats. A presentation on vulnerabilities in Cisco Systems' software at the 2005 event in Las Vegas was pulled because of legal threats from the networking giant. The presenter famously delivered his talk anyway.

"I don't like it when really big companies throw their weight around," Jeff Moss, founder of Black Hat conferences, said on the Tuesday conference call. "This threatens the whole conference business."

"It is deja vu," Moss said, referring to Black Hat having to revise parts of its conference materials because of the last-minute change. "It certainly screwed up our conference scheduling."

9 comments
Once again out of control IP
by unknown unknown February 27, 2007 1:28 PM PST
laws used to stifle what was probably a legitimate speech.
Oh well...
by TV James February 27, 2007 2:51 PM PST
They have two options...

1. Some black hat will hack the computer with the powerpoint and distribute it across the internet.

2. They can go visit the HID headquarters. What? You can't get in without an RFID badge. Prize to whoever gets into their server room first.
ACLU Speaks Out on RFIDs
by ACLU of NorCal February 27, 2007 5:58 PM PST
Read the full comments made by Nicole Ozer, Technology and Civil Liberties Policy Director of the ACLU of Northern California, about this incident on her blog: http://www.aclunc.org/issues/technology/bytes_and_pieces/blackhat_presenters_threatened_with_patent_suit_for_exposing_rfid_vulnerabilities.shtml
Who's suing who???
by appletoys February 27, 2007 8:03 PM PST
Aren't there laws that state: you cannot sell a 'defective' product?
And that would also mean 'false and misleading advertising'.
Hmm? That would mean that they (mfg) of such security items
could/would be held accountable.
Just wondering?
They just condemned their own product...
by fred dunn February 28, 2007 8:46 AM PST
If they have to use the patent system to prevent a discussion on the vulnerabilities that exist within their products then they are admitting these vulnerabilities exist.
With that in mind who would want their products?
If you have to use ancillary security measures to ensure that their product hasn't been hacked then why not just use mag-cards and have an officer posted at the door?

Surely someone that is intent on exploiting their product's vulnerabilities to gain access to a building is not going to care about patent litigation.
ID cardholder can minimize RFID security risks
by smarttools February 28, 2007 9:03 AM PST
You can minimize the threat of cloning or eavesdropping in any RFID enabled cards (e.g., ID cards or credit cards).

Smart Tools' RFID Shield is a protective sleeve for RFID cards. This blocks RFID while the card is in the sleeve, and lets RFID talk again when the card is removed.

To have minimal stray RFID communication, you'd keep the ID card in the sleeve until you're next to the reader, then remove the ID card only so far that the reader can read the RFID'd ID card. This keeps long distance (or 3rd party) RFID communication probability low.

Even when the ID card is RFID blocked, the front face of the ID card is still readable. This helps if you need to show your ID card to somebody.

There's more info at:
http://smarttools.home.att.net/rfshield.htm