RFID security device manufacturer HID is using threats of patent infringement to stifle a Black Hat Federal presentation by Chris Paget on the threat of RFID card cloning. The risks of RFID card cloning are real and are nothing new. The details of the technology has been publicly available for years. What is new is the visceral demonstration that a device can provide. HID is scared that people will stop purchasing their technology once it is widely known that it is not secure. This shows the power of security researchers to get the word out where more academic presentations and low profile websites have failed.
What is new in this saga is HID is using the threat of patent infringement to prevent people from demonstrating that the technology is insecure. Chris Paget isn’t building RFID devices and selling them which would deprive HID revenue. He is alerting the public to security and safety risks of relying on this product. If there is a better example of a fair use critique I would like to hear it.
HID Global Corporation learned of our intended briefing, contacted IOActive, and demanded that IOActive refrain from presenting our findings at the BlackHat Convention, on the basis that “such presentation will subject you to further liability for infringement of HID’s intellectual property.” In HID’s view, our proposed presentation on proximity badge technology potentially infringed their patents (U.S. Pat. Nos. 5,041,826 and 5,166,676).
As a consequence, under advice of counsel, IOActive has withdrawn its presentation at the BlackHat Briefings, in order to address the demands of HID Global Corporation, and to protect IOActive’s researchers from adverse action.
Criticism of technologies is an important tool to strengthen security. Ensuring that computer researchers have the freedom to engage in scientific expression makes us stronger.
This is not the first time that computer professionals have been threatened with lawsuits. You may remember the case a few years ago when the Recording Industry Association of America threatened to sue Princeton Computer Science Professor, Ed Felten, for violation of the Digital Millennium Copyright Act if he presented an academic paper on vulnerabilities of music anti-piracy software.
But, discouraging IOActive from discussing that the information on radio frequency identification (RFID) tags can be easily read and copied, may have the most grave consequences.
Veracode Security Solutions
Security Threat Guides
Written by: Chris Wysopal