After receiving a letter threatening possible patent litigation that caused IOActive to cancel his Feb. 28 Black Hat briefing, IOActive R&D director Chris Paget did give his Hacking RFID talk after all.
Sort of.
With the ACLU on hand.
In a briefing with all references to radio-frequency identification card maker HID expunged, and with attendees lugging manuals that were lighter after having the associated materials gouged from their middles, Paget delivered the first half of his planned presentation.
He stopped when he got to the point in his slideshow that had originally listed specs of “a particular RFID tag implementation.”
“It was only technical information [including] frequency and number of bits in the code,” he told the audience. “HID did request that we refrain from singling them out as a particularly bad RFID vendor. … So were not doing that; we removed the material titled mechanism of operation.”
In fact, the information from that slide was identical to any type of RFID tag, not just to HID, Paget said.
Could IOActive have sent over its presentation materials to prove that they in fact did not contain HIDs schematic, as the company feared?
Yes, it could have. If it didnt have good legal counsel, Paget said.
Paget said that the letter from HID went something like this:
“The following are not proper subjects for your presentation this week and in future public demonstrations,” the letter read. The letter went on to refer to any materials that might teach someone “not skilled in the art” how to build a device that infringes on HIDs patents, Paget said.
“To a layman, something like this seems relatively reasonable,” Paget said. However, any patent attorney will recognize that the term “skilled in the art” has a very specific meaning. Essentially, someone “skilled in the art” refers to one who is able to rebuild the content of HIDs patent application.
Therefore, IOActive was prohibited from teaching the security community anything covered by HIDs patent. “The translation to real English: We cannot paraphrase something from HIDs patent in order to explain it to someone who doesnt already understand it,” Paget said.
HIDs letter continued, saying that the company would have “no recourse but to pursue all available remedies against [Paget] and IOActive.”
Frantic negotiations ensued, beginning Feb. 22 or 23, after IOActive had received the letter and had a chance to run it by legal counsel. When considering whether to show HID the presentation materials, IOActive requested that HID provide “a covenant not to sue.”
“What, forever and ever?” said HIDs Mike Davis, with an air of disbelief after Pagets presentation, talking to the press who huddled around him, digital recorders blinking away in spite of his demand that they be turned off. Davis is director of technology, Intellectual Property, at HID Global.
“We unfortunately cannot risk a talk in this environment,” Paget said.
What are the financial realities behind Pagets reference to taking a “risk”?
In a talk with IOActives Joshua Pennell after the briefing, he told me that just to go in and investigate whether theres any possibility that IOActive infringed on HIDs patent would have cost $30,000 in legal fees right out of the gate. If the situation ever reached litigation, going into court would cost between $150,000 and $1 million.
Just to reiterate, just to make sure we all understand exactly what this means to anybody who wants to share vulnerability information with security professionals, even if that information was published in a white paper two years ago (as IOActives material was) and is available online in multiple sources: Even if completely innocent, a small company or individual security researcher can be forced into silence by the mere threat of copyright infringement.
The presentation material in question relates to the security of RFID, a technology that the ACLU proved years ago could be subverted easily by pass-by readers. And understand one other thing: The only reason that IOActive planned to use HID technology as a (very generally outlined) example is that IOActive shares a building with the Federal Emergency Management Agency and was curious to know just how good that buildings security was.
Next Page: ACLU has cause for concern.
2
“Since IOActives offices are located in a building that uses this proximity badge technology, and also houses components of the nations critical infrastructure, IOActive launched a research and development effort to help us better understand the exposures and vulnerabilities related to this technology,” IOActive officials said in a statement.
“We got into this because were concerned about the security of RFID. Weve seen it used in many insecure environments. So has the ACLU.”
Nicole Ozer, technology and civil liberties policy director at the ACLU of Northern California, got up after Page to turn the partial-hacking-RFID briefing into something that had grown to include the ACLUs work on RFID and ID documents. The ACLU has spent the last 2.5 years, particularly in its San Francisco office, working on issues including privacy in RFID-enabled passports, student passes, and drivers licenses. RFID-enabling drivers licenses in particular is nearing a critical turning point as technology mandates in the Real ID Act could be handed down as early as March 1, a Department of Homeland Security spokesperson confirmed to eWEEKs Renee Boucher Ferguson. As Ferguson reports:
“At the same time, as many as 38 states, under a coalition formed by Missouri Representative Jim Guest, have confirmed that they will rebel against the act through legislation in their own states.
“Congressman Tom Davis, a Republican from Virginia, requested Feb. 27 that the Committee on Oversight and Government Reform hold a hearing to further discuss the Real ID Act, which mandates that all states overhaul their drivers license procedures by 2008 to include machine-readable technology and a database that holds citizen data, to be connected to other state databases and to a federal database.”
The ACLUs reason to be concerned is that, first of all, there have been multiple breaches of RFID-enabled passports and other identification documents, including British and Dutch e-passports.
“The ACLU is interested in getting out the facts,” Ozer said. “For less than $100, with parts off the Internet—and thats the up number—Chris got them for about $20—[you can assemble a device] to read RFID. [That includes] RFID in identification documents, for secure buildings like the FEMA building which IOActive is in. [The government] just spent over $2 million in readers. ACLU showed compromising of that last year.
“From an ACLU standpoint, [were concerned] in terms of privacy tracking, personal safety and financial security,” she continued. “You can get a list of who was at what place at what time. [RFID doesnt] just transmit a number. It can transmit anything encoded: name, address, Social Security number. Dutch and British passports have already been compromised. People might not want their name and address on [RFID-enabled documents]. Think of a woman walking down the street alone—would she want her name, her address, broadcast? RFID undermines the goal of trying to improve security.”
Its imperative to educate the government and public about the vulnerabilities if somebodys going to use RFID in a public document, Ozer said.
Given the good that can be done by open discussion, why would HID try to silence IOActive?
“From a big company standpoint, I dont think they understand how much it costs a small company, from the standpoint of lawyers involved,” to defend itself against a charge of patent infringement, Pennell said. “Patents cost a lot of money to go in and research.”
IOActive employees 23 people. “Were an itty-bitty company,” Pennell said.
As Paget put it, “Defense costs alone could easily put us out of business.”
What a shame, for the sake of small firms doing solid research, for the sake of freedom of expression, and for the sake of the safety of our citizens and the citizens of the global community.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
