Security Blog: RFID Cloning: What A Mess
March 05, 2007

RFID Cloning: What A Mess

Have you been following the IOActive/HID Global/BlackHat debacle? What a mess.

At the outset and in the spirit of disclosure, let me point out that BlackHat is a conference run by CMP Media, the parent company of Dr. Dobb's. Not that that has anything to do with the mess at hand.

To recap: IOActive, "a professional services consulting firm specializing in information risk management and application security analysis," planned on presenting a paper entitled "RFID For Beginners" at the recent BlackHat Conference in Washington DC. The presentation was intended to describe the technical foundations of RFID technology (something which Dr. Dobb's has done more than once; see "Java and RFID Tags" and "RFID Blocker Tags," for starters) and show security problems with contactless RFID. Well, as it turns out, HID Global, a very big corporation in the access control (aka, "security") arena, sells contactless RFID products. And since IOActive was going to use publicly available information to show how to build a device capable of cloning HID cards, HID Global objected. That the device was akin to other RFID cloners and built using $20 worth of parts bought on eBay didn't quite matter.

The long and short of it is that IOActive is a little company with relatively few resources, and HID Global is a big company with lots of resources. You get the picture. HID Global issued some veiled threats regarding liability and IOActive opted to pull the presentation. However, IOActive later went ahead with the presentation, but didn't include reference to or details regarding anything HID.

What's odd is that RFID vulnerabilities are well known and even HID Global has acknowledged them. But the approach of "hiring more lawyers instead of building better products" often wins out these days. HID Global has responded to the topic of "Proximity Card Cloning" in a letter signed by the company president, but clearly written by the lawyers. In other words, it doesn't say much.

IOActive was more specific:

IOActive would like to clarify that the electronic design of our device, the associated schematic diagrams, and the source-code for the micro-controller component were developed by IOActive completely independent of any HID documents, and were principally based on information available on the Internet regarding RFID technology. In fact, we did not view any documentation prepared or produced by HID Global Corporation about their technology until after we received their demand letter.

What's too bad is that valid research that would benefit the public -- including HID Global's customers -- may not be made available.

Posted by Jon Erickson at 09:48 AM  Permalink




 