HID protects its turf
A simple presentation on RFID security by a small consulting firm rapidly snowballed into a news event involving legal threats and the ACLU.
“We partially accomplished our objective, to raise awareness of RFID security,” said Chris Paget, director of research and development at IOActive. “But not in the way we wanted.”
Using information readily available on the Internet along with $20 worth of parts bought on eBay, Paget created a cloning device to duplicate RFID access cards — developed by Irvine, Calif.-based HID Global — that controlled access in and out of his office building. He had planned to discuss the mechanisms and construction of the device in a “RFID for Beginners” talk in February at the Black Hat 2007 security conference, until IOActive received a letter from HID Global alleging that the creation of the device may have infringed upon its patents.
The letter, later posted on the ACLU of Northern California’s Web site, went on to say that presentation and publication of the details concerning the development of the cloning device at Black Hat would subject the company to “further liability.”
Black Hat’s founder and director, Jeff Moss, felt a little déjà vu as IOActive’s printouts were ripped out of briefing books just days before the presentation. “We try to expose vulnerabilities in a vendor-neutral way,” Moss said. “This takes us back to the ‘CiscoGate’ days.”
In 2005, Cisco Systems had threatened to sue a Black Hat presenter for potentially divulging security holes in one of its products and hired temporary staff to rip the presentation from thousands of briefing books.
Why didn’t IOActive get in touch with HID before Paget got busy in the lab? “We didn’t see this as a new issue,” Paget said. “There’s a white paper on HID’s Web site that’s a little over two years old. It states clearly that proximity [RFID] cards can be cloned. … It’s obviously something they’ve known for some time.”
On Feb. 28, IOActive and HID Global fired off a round of statements, with the former announcing the withdrawal of its original presentation from the Black Hat conference, and the latter saying it was surprised by the turn of events. “We did not threaten them to stop the presentation,” said Kathleen Carroll, HID’s director of government relations. “We asked them to amend the presentation so it wouldn’t give specifics protected by patent.”
Carroll added that the company is acutely aware of the ability to clone RFID access cards, but the tripwire was specific documentation of HID’s technology in Paget’s presentation.
“There have been demonstrations of cloning in the past,” Carroll said. “This was the first time our chief technology people were very concerned. It sounded to us in this demonstration that they were going to show source code and schematics, and to us, that was patent infringement.”
According to Carroll, HID doesn’t have a problem with discussing the vulnerabilities of access cards. In fact, in the wake of the IOActive controversy, the company posted an open letter to its customers recommending policies and procedures for protecting existing RFID access cards from compromise.
“I think our company believes that hackers who are responsible do a service,” Carroll said. “But you do that in a responsible way.”
Looking ahead, Paget argues for stronger security measures than simple access cards. “If you just rely on these proximity badges alone, you’re in trouble,” he said. “There are systems like contactless smart cards that can be made secure. Alternatively, combine the RFID card with a second factor layer of authentication, like a PIN pad or a biometric.”
He also points out that cloning RFID access cards isn’t a problem HID can make go away simply by suppressing IOActive’s presentation.
“Anyone with any electronics knowledge can look at the [HID] patent and certainly learn everything they need to construct their own cloner,” Paget said. “And you can consult the various [RFID cloner plans] on line and build it very easily. … [But] we would certainly not recommend anyone else build a cloner because you’ll face the wrath of HID.”
ID-ONLY VERSUS ENCRYPTED RFID TAGS
ID-only tags simply send the same code every time
- Easy to clone
Encrypted tags handshake with the reader
- More difficult to clone
- Many “encrypted” tags can be broken
Active or passive tags can use either method
- ID-only is far more common
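As an added illustration of the sidebar's distinction (not part of the original article, and not HID's or IOActive's code), this toy Python model contrasts an ID-only tag that emits a fixed code with a handshaking tag that answers a fresh reader nonce with a keyed MAC; the card ID and key are constructed sample values, not real card data.

```python
import hmac
import hashlib
import secrets

# Constructed sample credentials for the model; not real HID card data.
STATIC_ID = bytes.fromhex("0a1b2c3d4e")  # fixed code an ID-only tag emits on every read
TAG_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # secret shared by tag and reader

def static_tag_respond(_challenge=None):
    """ID-only tag: ignores any challenge and emits the same code every time."""
    return STATIC_ID

def static_reader_verify(response, enrolled=STATIC_ID):
    """ID-only reader: accepts whenever the bytes match, so a recorded read is as good as the card."""
    return hmac.compare_digest(response, enrolled)

def crypto_tag_respond(challenge, key=TAG_KEY):
    """Handshaking tag: proves key possession by MACing the reader's nonce, never sending the key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class CryptoReader:
    """Handshaking reader: issues a fresh random challenge per read and checks the MAC."""
    def __init__(self, key=TAG_KEY):
        self.key = key

    def challenge(self):
        return secrets.token_bytes(16)

    def verify(self, challenge, response):
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def replay_attempt(reader_kind):
    """Record one legitimate read, replay it later, and report whether the reader accepts it."""
    if reader_kind == "static":
        recorded = static_tag_respond()         # eavesdropper records the fixed code
        return static_reader_verify(recorded)   # replayed code is accepted: this is why cloning is easy
    reader = CryptoReader()
    first = reader.challenge()
    recorded = crypto_tag_respond(first)        # eavesdropper records one (challenge, response) pair
    later = reader.challenge()                  # next read uses a fresh nonce
    return reader.verify(later, recorded)       # stale response no longer matches: replay rejected

def legitimate_handshake():
    """A live tag holding the key passes the handshake for any fresh challenge."""
    reader = CryptoReader()
    challenge = reader.challenge()
    return reader.verify(challenge, crypto_tag_respond(challenge))
```

The model shows the ideal case; the sidebar's point that many "encrypted" tags can be broken refers to weak ciphers or key handling in real products, which this toy does not attempt to model.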