RFID security device manufacturer HID is using threats of patent infringement to stifle a Black Hat Federal presentation by Chris Paget on the threat of RFID card cloning. The risks of RFID card cloning are real and are nothing new. The details of the technology have been publicly available for years. What is new is the visceral demonstration that a device can provide. HID is scared that people will stop purchasing their technology once it is widely known that it is not secure. This shows the power of security researchers to get the word out where more academic presentations and low-profile websites have failed.

What is new in this saga is that HID is using the threat of patent infringement to prevent people from demonstrating that the technology is insecure. Chris Paget isn't building RFID devices and selling them, which would deprive HID of revenue. He is alerting the public to the security and safety risks of relying on this product. If there is a better example of a fair use critique, I would like to hear it.

Update: IOActive, where Chris Paget works, has withdrawn their presentation:

HID Global Corporation learned of our intended briefing, contacted IOActive, and demanded that IOActive refrain from presenting our findings at the BlackHat Convention, on the basis that "such presentation will subject you to further liability for infringement of HID's intellectual property." In HID's view, our proposed presentation on proximity badge technology potentially infringed their patents (U.S. Pat. Nos. 5,041,826 and 5,166,676).

As a consequence, under advice of counsel, IOActive has withdrawn its presentation at the BlackHat Briefings, in order to address the demands of HID Global Corporation, and to protect IOActive's researchers from adverse action.

Update 2: The ACLU of Northern California is going to be speaking in Chris' place:

Criticism of technologies is an important tool to strengthen security. Ensuring that computer researchers have the freedom to engage in scientific expression makes us stronger. This is not the first time that computer professionals have been threatened with lawsuits. You may remember the case a few years ago when the Recording Industry Association of America threatened to sue Princeton Computer Science Professor, Ed Felten, for violation of the Digital Millennium Copyright Act if he presented an academic paper on vulnerabilities of music anti-piracy software. But, discouraging IOActive from discussing that the information on radio frequency identification (RFID) tags can be easily read and copied, may have the most grave consequences.

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
