RFID security device manufacturer HID is using threats of patent infringement to stifle a Black Hat Federal presentation by Chris Paget on the threat of RFID card cloning. The risks of RFID card cloning are real and are nothing new. The details of the technology have been publicly available for years. What is new is the visceral demonstration that a device can provide. HID is scared that people will stop purchasing its technology once it is widely known that it is not secure. This shows the power of security researchers to get the word out where more academic presentations and low-profile websites have failed.

What is new in this saga is that HID is using the threat of patent infringement to prevent people from demonstrating that the technology is insecure. Chris Paget isn't building RFID devices and selling them, which would deprive HID of revenue. He is alerting the public to the security and safety risks of relying on this product. If there is a better example of a fair use critique, I would like to hear it.

Update: IOActive, where Chris Paget works, has withdrawn their presentation:

HID Global Corporation learned of our intended briefing, contacted IOActive, and demanded that IOActive refrain from presenting our findings at the BlackHat Convention, on the basis that "such presentation will subject you to further liability for infringement of HID's intellectual property." In HID's view, our proposed presentation on proximity badge technology potentially infringed their patents (U.S. Pat. Nos. 5,041,826 and 5,166,676).

As a consequence, under advice of counsel, IOActive has withdrawn its presentation at the BlackHat Briefings, in order to address the demands of HID Global Corporation, and to protect IOActive's researchers from adverse action.

Update 2: The ACLU of Northern California is going to be speaking in Chris' place.

Criticism of technologies is an important tool to strengthen security. Ensuring that computer researchers have the freedom to engage in scientific expression makes us stronger.

This is not the first time that computer professionals have been threatened with lawsuits. You may remember the case a few years ago when the Recording Industry Association of America threatened to sue Princeton computer science professor Ed Felten for violation of the Digital Millennium Copyright Act if he presented an academic paper on vulnerabilities of music anti-piracy software.

But discouraging IOActive from discussing the fact that the information on radio frequency identification (RFID) tags can be easily read and copied may have the most grave consequences.

About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (2)

Tom Cross | February 28, 2007 3:08 pm

There is a common law Experimental Use Exemption to Patents that allows patents to be reproduced "for amusement, to satisfy idle curiosity, or for strictly philosophical inquiry." However, the federal court system has whittled this defense down to almost nothing. If you benefit from performing the experiment in some way it might not apply:


txs | March 7, 2007 3:10 pm

The real question is how do you present anything under these circumstances. Just about any security related research can be squashed either via patent law or DMCA as the little guy really doesn't have the resources to fight a battle like this. While he may eventually win, it takes a lot of time and money that most researchers and boutiques like IOActive either don't have or don't want to put up. The end result of this type of litigation is that security research will be released underground and/or sold on the black market which doesn't benefit anyone in the long run.
