ARLINGTON, VA – IOActive, a small security consulting company, brought out some big guns to help defend itself against an RFID giant at the Black Hat conference here Wednesday.
Leveraging the American Civil Liberties Union (ACLU) and the U.S. Department of Homeland Security (DHS), IOActive hosted a panel discussion that turned into a pep rally to support the small company’s fight to disclose RFID security flaws that were detailed in a presentation RFID card vendor HID quashed.
IOActive’s director of research and development Chris Paget had originally planned to give a presentation entitled “RFID for Beginners,” containing source code and schematics for building a device that can read RFID cards. The point of the demonstration was to show the security weaknesses of RFID technology, including building access cards made by HID, according to show materials.
Following what IOActive described as threats of legal action from HID regarding patent infringement leading up to the conference, Paget instead gave an edited version of his presentation, eliminating the portions regarding security flaws in RFID. The presentation, which ended up being a basic explanation of how RFID works, was followed by a panel discussion with speeches from the ACLU regarding the security and privacy issues surrounding RFID and from DHS’ US Computer Emergency Readiness Team (US CERT) about the importance of disclosing security flaws in technology.
IOActive says its intent in preparing the original presentation was simply to illustrate the security weaknesses found in RFID tags that are widely used today for building access, on highways to pay tolls, and even to find lost pets. One of the types of cards that Paget’s cloner can read is made by HID.
“The whole goal of this presentation was to get the information out there about how easy it is to clone these cards,” said Paget.
HID caught wind of IOActive’s plans and asked the small company to specify exactly what it would present. When IOActive refused – believing that RFID security flaws had been well-known for a few years and therefore it didn’t need HID’s permission to give the presentation, according to company executives – HID would not sign a document promising no legal action. Fearing the expense and time of a legal entanglement, IOActive backed off.
While HID did not send any legal letters to Black Hat threatening action if the presentation was made, the show organizer appeared to be on the side of IOActive.
“Black Hat is really all about responsible disclosure,” which means presenters must let a vendor know ahead of time if their talk targets the vendor’s products, said Jeff Moss, founder and director of Black Hat, now owned by CMP. HID, represented by a sole executive at the conference, claims IOActive failed to make such disclosure.
“IOActive made no notification because [RFID security flaws] are a two- to five-year-old problem; there was no disclosure here because it was a known vulnerability,” said Moss.
Apparently IOActive called on the ACLU to lend its voice regarding RFID security flaws during the presentation. Nicole Ozer, technology and civil liberty policy director with the ACLU of Northern California in San Francisco, talked during Paget’s presentation about the group’s work to limit the use of unsecured RFID technology specifically in areas that would compromise public privacy and security, such as in drivers’ IDs and passports.
Then Michael Witt, deputy director of US CERT, discussed his organization’s role in promoting vendors’ responsible disclosure of security flaws in their technology. Stressing that he was playing a neutral role in the disagreement between HID and IOActive, Witt said he had learned about it just 24 hours before and had already contacted both parties to begin working the issue out.
Still, with multiple IOActive officials and supporters on stage and only one HID representative present – who had to use the Q&A session following IOActive’s presentation to get a word in – the panel discussion switched focus from RFID threats to whether IOActive should have been able to make its original presentation.
Some audience members attempted to bring the session back on track.
“What’s the solution? Where does this leave us?” asked one attendee during the panel’s Q&A session.
“Unsafe,” responded IOActive’s Paget. “We have no options here” for alerting attendees to RFID security flaws.
Another attendee suggested that there are, in fact, options to securing RFID cards, such as wrapping them in tin foil and duct tape to keep them from being read by unauthorized devices, and educating employees not to wear them clipped to their pockets when they go out to lunch.
Copyright © 2007 IDG Communications, Inc.