"Since IOActive's offices are located in a building that uses this proximity badge technology, and also houses components of the nation's critical infrastructure, IOActive launched a research and development effort to help us better understand the exposures and vulnerabilities related to this technology," IOActive officials said in a statement.

"We got into this because we're concerned about the security of RFID. We've seen it used in many insecure environments. So has the ACLU."

"At the same time, as many as 38 states, under a coalition formed by Missouri Representative Jim Guest, have confirmed that they will rebel against the act through legislation in their own states.

"Congressman Tom Davis, a Republican from Virginia, requested Feb. 27 that the Committee on Oversight and Government Reform hold a hearing to further discuss the Real ID Act, which mandates that all states overhaul their driver's license procedures by 2008 to include machine-readable technology and a database that holds citizen data, to be connected to other state databases and to a federal database."

The ACLU's reason to be concerned is that, first of all, there have been multiple breaches of RFID-enabled passports and other identification documents, including British and Dutch e-passports.

"The ACLU is interested in getting out the facts," Ozer said. "For less than $100, with parts off the Internet - and that's the up number - Chris got them for about $20 - [you can assemble a device] to read RFID. [That includes] RFID in identification documents, for secure buildings like the FEMA building which IOActive is in. [The government] just spent over $2 million in readers. ACLU showed compromising of that last year.

"From an ACLU standpoint, [we're concerned] in terms of privacy tracking, personal safety and financial security," she continued. "You can get a list of who was at what place at what time.
[RFID doesn't] just transmit a number. It can transmit anything encoded: name, address, Social Security number. Dutch and British passports have already been compromised. People might not want their name and address on [RFID-enabled documents]. Think of a woman walking down the street alone - would she want her name, her address, broadcast? RFID undermines the goal of trying to improve security."

It's imperative to educate the government and public about the vulnerabilities if somebody's going to use RFID in a public document, Ozer said.

Given the good that can be done by open discussion, why would HID try to silence IOActive?

"From a big company standpoint, I don't think they understand how much it costs a small company, from the standpoint of lawyers involved," to defend itself against a charge of patent infringement, Pennell said. "Patents cost a lot of money to go in and research."

IOActive employs 23 people. "We're an itty-bitty company," Pennell said. As Paget put it, "Defense costs alone could easily put us out of business."

What a shame, for the sake of small firms doing solid research, for the sake of freedom of expression, and for the sake of the safety of our citizens and the citizens of the global community.
Nicole Ozer, technology and civil liberties policy director at the ACLU of Northern California, got up after Paget to turn the partial-hacking-RFID briefing into something that had grown to include the ACLU's work on RFID and ID documents. The ACLU has spent the last 2.5 years, particularly in its San Francisco office, working on issues including privacy in RFID-enabled passports, student passes, and driver's licenses. RFID-enabling driver's licenses in particular is nearing a critical turning point, as technology mandates in the Real ID Act could be handed down as early as March 1, a Department of Homeland Security spokesperson confirmed to eWEEK's Renee Boucher Ferguson. As Ferguson reports: