eWeek Security Watch
February 28, 2007 12:39 AM

RFID Hacking Demo Derailed by Legal Threat



A presentation on how RFID is "insecure and untrustworthy" has been yanked from Wednesday's schedule of briefings at Black Hat after secure card maker HID reportedly raised objections over possible patent infringement in a letter sent before the planned presentation.

IOActive Director of R&D Chris Paget had planned to demonstrate a working cloner—a device that can elicit, record and mimic signals from smartcard RFID chips.

This is the synopsis of Paget's planned presentation from Black Hat's original schedule:

RFID for Beginners

RFID tags are becoming more and more prevalent. From access badges to implantable Verichips, RFID tags are finding more and more uses. Few people in the security world actually understand RFID though; the "radio" stuff gets in the way. This presentation aims to bridge that gap, by delivering sufficient information to design and build a working RFID cloner based around a single chip -- the PIC16F628A.

Assuming no initial knowledge of electronics, I'll explain everything you need to know in order to build a working cloner, understand how it works, and see exactly why RFID is so insecure and untrustworthy. Covering everything from Magnetic Fields to Manchester Encoding, this presentation is suitable for anyone who is considering implementing an RFID system, considering hacking an RFID system, or who just wants to know a little more about the inductively coupled, ASK modulated, back scattering system known as RFID.


A spokeswoman for Black Hat, which is owned by CMP, confirmed that the presentation is off the schedule for now, but that anything could happen by the presentation's originally scheduled time of Feb. 28 1:45 p.m. ET. For now, though, a panel that will include ACLU members will take its place. The ACLU, although it supports enforcement of patent laws, has decried what it calls the "trampling" on free speech rights that HID's letter has caused.

As it is, the time to examine the much-doubted security of smartcards is now, the ACLU has pointed out, given that the Department of Homeland Security is expected to release Real ID regulations that will dictate what type of machine-readable technology will be in drivers' licenses, including RFID chips.

As it stands, the technology has been criticized for posing substantial privacy and security threats, given that RFID scanners can pick up personal data stored on RFID chips, including a person's name and physical address.

This isn't the first time Black Hat has run into hot water. In July 2005, Cisco threatened to shut down the conference if information about an IOS vulnerability wasn't suppressed. At the time, the networking vendor forced conference organizers to physically remove notes on the strategy for remotely exploiting IOS systems from conference proceedings. The researcher, Michael Lynn, ultimately presented information on the hole, but only after resigning from his position at the vulnerability research company ISS (Internet Security Systems).

Then in January 2006 it was Oracle's turn at Black Hat swiping. Within hours of security researcher David Litchfield having gone public with details of an unpatched vulnerability in the Oracle PL/SQL Gateway, Oracle accused him of endangering its customers for selfish and irresponsible reasons.

Comments (5)

neeraj nigam :

HID, Cisco, Oracle can stop Black Hat, so that only the bad guys know how to harm the rest of us. Shame on these companies for denying us the knowledge to protect ourselves from the vulnerabilities they leave in their products. Laws should be changed so that we can sue them for problems caused by their incompetence. Then and only then will they get serious about our security.

Can this paper be made available online or as a download so that we can learn something from it?

James K :

Typical FUD response to problems with a technology: kill (or sue) the messenger. I doubt that these people allow open dialogue even in-house.

Security-through-obscurity never works, as they will eventually learn. Hopefully it won't take disasters and death to teach it to them.

lisa vaas :

No, unfortunately, to avoid the risk of IOActive getting sued for patent infringement, which HID's letter implied would happen, the materials were yanked from the presentation and from the Black Hat papers/slides manual. Watch for a slideshow that should be up today, "Black Hat Silenced by Legal Threat." In there will be a photo of the ACLU's Nicole Ozer, holding up the manual to show the noticeable gap where this information should have appeared. You can find this stuff out online if you want to build yourself a clone, but that's not advisable, since it's illegal. RFID's risks have already been documented; see the North California's ACLU's site.

Ed Allan :

It seems the bad guys have all the fun. Rather than put the black hole in front of everyone where it will have to be addressed the impression is let's keep it secret so that it does not have to be addressed until such a time as it will cost real money not to do so. Every organization screams when their products become the subject of negative demonstrations. They fail to use such demonstrations as platforms for product improvement, they instead take it as a personal attack and use knee jerk responses that leave end users open to attack for longer periods of time. Those involved in purchasing information technology services and goods have the power to change this sort of activity... spend your IT dollars with organizations that truly support their products and services. By doing this effectively those that are open to information on technology flaws and weaknesses will grow and develop a better product and a satisfied customer base. Until that time those of us that would benefit by such a demonstration are the ones that will suffer. The bad guys already have the information, HID has knowledge of the information, now the great wall of silence has dropped and only those of us truly at risk have anything to lose. Seems that governance should look at Information Technology much the same ways it does automobiles... establish a lemon law. You release a poorly designed product and you will be saddled with the cost related to those making right any damages caused by the same. Not a perfect system but would certainly be better than what is currently available to those who have the skills to find such weaknesses and point them out. Always remember and never forget, CASH IS KING. The surest way to achieve any improvement in the current system is to impact cash flow either positively or negatively. Make the things you can control count.

Stevej :

How can it be patent infringement for education? Especially showing security protection. How to make with no other reason, maybe gray. Patent infringement is for manufacturing for profit.

I say collect your resources to back you up on suits and go for it.

They are only intimidating you.
