    ACLU, Outrage Fill in the Silence at Black Hat RFID Session

    By Lisa Vaas, March 1, 2007

      After a letter threatening possible patent litigation caused IOActive to cancel his Feb. 28 Black Hat briefing, IOActive R&D director Chris Paget gave his Hacking RFID talk after all.

      Sort of.

      With the ACLU on hand.

      In a briefing with all references to radio-frequency identification card maker HID expunged, and with attendees lugging conference manuals that were lighter after the associated pages had been torn from their middles, Paget delivered the first half of his planned presentation.

      He stopped when he got to the point in his slideshow that had originally listed specs of “a particular RFID tag implementation.”

      “It was only technical information [including] frequency and number of bits in the code,” he told the audience. “HID did request that we refrain from singling them out as a particularly bad RFID vendor. … So we're not doing that; we removed the material titled 'mechanism of operation.'”

      In fact, the information on that slide applied to any RFID tag of that type, not just to HID's, Paget said.

      Could IOActive have sent over its presentation materials to prove that they did not, in fact, contain HID's schematic, as the company feared?

      Yes, it could have, if it didn't have good legal counsel, Paget said.

      Paget said that the letter from HID went something like this:

      “The following are not proper subjects for your presentation this week and in future public demonstrations,” the letter read. It went on to cover any materials that might teach someone “not skilled in the art” how to build a device that infringes on HID's patents, Paget said.

      “To a layman, something like this seems relatively reasonable,” Paget said. However, any patent attorney will recognize that the term “skilled in the art” has a very specific meaning. Essentially, someone “skilled in the art” is a person who could already reproduce what HID's patent application describes.

      Therefore, IOActive was prohibited from teaching the security community anything covered by HID's patent. “The translation to real English: We cannot paraphrase something from HID's patent in order to explain it to someone who doesn't already understand it,” Paget said.

      HID's letter continued, saying that the company would have “no recourse but to pursue all available remedies against [Paget] and IOActive.”

      Frantic negotiations ensued, beginning Feb. 22 or 23, after IOActive had received the letter and had a chance to run it by legal counsel. Before it would consider showing HID the presentation materials, IOActive requested that HID provide “a covenant not to sue.”

      “What, forever and ever?” said HID's Mike Davis, with an air of disbelief after Paget's presentation, talking to the press who huddled around him, digital recorders blinking away in spite of his demand that they be turned off. Davis is director of technology, Intellectual Property, at HID Global.

      “We unfortunately cannot risk a talk in this environment,” Paget said.

      What are the financial realities behind Paget's reference to taking a “risk”?

      In a conversation after the briefing, IOActive's Joshua Pennell told me that merely investigating whether there was any possibility that IOActive had infringed on HID's patent would have cost $30,000 in legal fees right out of the gate. If the dispute ever reached litigation, going into court would cost between $150,000 and $1 million.

      To be clear about what this means for anybody who wants to share vulnerability information with security professionals: even if that information was published in a white paper two years ago (as IOActive's material was) and is available online from multiple sources, and even if the researcher is completely innocent, a small company or individual can be forced into silence by the mere threat of a patent-infringement claim.

      The presentation material in question relates to the security of RFID, a technology that the ACLU demonstrated years ago could easily be subverted by pass-by readers. And understand one other thing: The only reason IOActive planned to use HID technology as a (very generally outlined) example is that IOActive shares a building with the Federal Emergency Management Agency and was curious to know just how good that building's security was.


      “Since IOActive's offices are located in a building that uses this proximity badge technology, and also houses components of the nation's critical infrastructure, IOActive launched a research and development effort to help us better understand the exposures and vulnerabilities related to this technology,” IOActive officials said in a statement.

      “We got into this because we're concerned about the security of RFID. We've seen it used in many insecure environments. So has the ACLU.”

      Nicole Ozer, technology and civil liberties policy director at the ACLU of Northern California, took the stage after Paget and expanded the truncated Hacking RFID briefing into a discussion of the ACLU's work on RFID and ID documents. The ACLU has spent the last 2.5 years, particularly in its San Francisco office, working on issues including privacy in RFID-enabled passports, student passes and driver's licenses. RFID-enabled driver's licenses in particular are nearing a critical turning point: technology mandates under the Real ID Act could be handed down as early as March 1, a Department of Homeland Security spokesperson confirmed to eWEEK's Renee Boucher Ferguson. As Ferguson reports:

      “At the same time, as many as 38 states, under a coalition formed by Missouri Representative Jim Guest, have confirmed that they will rebel against the act through legislation in their own states.


      “Congressman Tom Davis, a Republican from Virginia, requested Feb. 27 that the Committee on Oversight and Government Reform hold a hearing to further discuss the Real ID Act, which mandates that all states overhaul their driver's license procedures by 2008 to include machine-readable technology and a database that holds citizen data, to be connected to other state databases and to a federal database.”

      The ACLU's reason for concern is, first of all, that there have already been multiple compromises of RFID-enabled passports and other identification documents, including British and Dutch e-passports.

      “The ACLU is interested in getting out the facts,” Ozer said. “For less than $100, with parts off the Internet—and that's the upper number—Chris got them for about $20—[you can assemble a device] to read RFID. [That includes] RFID in identification documents, for secure buildings like the FEMA building which IOActive is in. [The government] just spent over $2 million on readers. ACLU showed compromising of that last year.

      “From an ACLU standpoint, [we're concerned] in terms of privacy tracking, personal safety and financial security,” she continued. “You can get a list of who was at what place at what time. [RFID doesn't] just transmit a number. It can transmit anything encoded: name, address, Social Security number. Dutch and British passports have already been compromised. People might not want their name and address on [RFID-enabled documents]. Think of a woman walking down the street alone—would she want her name, her address, broadcast? RFID undermines the goal of trying to improve security.”

      It's imperative to educate the government and the public about the vulnerabilities if somebody is going to use RFID in a public document, Ozer said.

      Given the good that can be done by open discussion, why would HID try to silence IOActive?

      “From a big company standpoint, I don't think they understand how much it costs a small company, from the standpoint of lawyers involved,” to defend itself against a charge of patent infringement, Pennell said. “Patents cost a lot of money to go in and research.”

      IOActive employs 23 people. “We're an itty-bitty company,” Pennell said.

      As Paget put it, “Defense costs alone could easily put us out of business.”

      What a shame, for the sake of small firms doing solid research, for the sake of freedom of expression, and for the sake of the safety of our citizens and the citizens of the global community.
