RFID maker gags security researcher

Security consultancy firm IOActive has cancelled a planned RFID hacking demonstration at the Black Hat security show in Washington this week after pressure from RFID vendor HID Global. 

The presentation was scheduled to cover the security challenges associated with radio frequency identification technology.

IOActive intended to show off a home-built RFID cloner, a simple device that is able to pick up and copy the RFID signal from a key card.

A criminal could use such a device to copy an electronic door key, for example, and gain access to secured areas.

"The concepts behind this attack are not new. Indeed, most of our efforts in validating the effectiveness and ease of this attack involved reviewing research already performed by others in this area," said IOActive president Joshua Pennell.

He pointed out that HID Global has itself highlighted vulnerabilities in its proximity badge technologies in company marketing material.

"As a consequence, and under advice of counsel, IOActive has withdrawn its presentation at the Black Hat Briefings in order to address the demands of HID Global, and to protect IOActive's researchers from adverse action," said Pennell.

Kathleen Carroll, director of government relations at HID Global, claimed that the company was not looking to gag the researchers and did not object to the demonstration in general.

HID Global had requested only that IOActive perform the demonstration in a way that would not infringe on its intellectual property, according to Carroll.

"We gave them an opportunity to give a demonstration, and we gave them guidelines so that they could go ahead and do the demo," Carroll told vnunet.com.

"HID Global has never denied that there was not an opportunity for the cards to be cloned." 

The case has echoes of Cisco's legal strong-arming against an ISS researcher in July 2005. ISS has since been acquired by IBM.

Former ISS researcher Michael Lynn was hit with a restraining order at the 2006 Black Hat conference in Las Vegas after he demonstrated how to use a known security exploit in Cisco's Internet Operating System (IOS) to bring down a router.

Lynn was originally scheduled to give the presentation as an ISS employee. After the security company made a last minute decision to cancel the talk, Lynn quit his job and proceeded with the presentation.

Cisco's legal case was built around the fact that ISS had infringed on its intellectual property by reverse engineering IOS code. Reverse engineering is illegal under the Digital Millennium Copyright Act.

Cisco later said that it did not object to the research, but took issue with the fact that the presentation could have helped attackers to hit Cisco customers' networks.

Copyright ©v3.co.uk

maker researcher rfid security