BlackHat Presenters Threatened with Patent Suit for Exposing RFID Vulnerabilities

Feb 27, 2007
By:
Nicole A. Ozer
ACLU of Northern CA

HID Global Corporation has threatened to sue IO Active, a computer security company based in Seattle, with patent infringement if it gives its planned presentation at the BlackHat Convention this Wednesday, February 28, 2007, in Washington D.C. The presentation discusses vulnerabilities of HID RFID cards and demonstrates a handheld RFID cloner developed by the company to highlight these vulnerabilities.

For a link to a previous demo at RSA, please click here.

HID learned of its intended briefing, contacted IOActive, and demanded that IOActive refrain from presenting their findings at the BlackHat Convention on the basis that "such presentation will subject you to further liability for infringement of HID's intellectual property." In HID's view, IO Active's proposed presentation on proximity badge technology potentially infringed their patents (U.S. Pat. Nos. 5,041,826 and 5,166,676).

IO Active has pulled its presentation and accompanying materials.

Instead, I will speak at the presentation on Wednesday at 1:45 p.m. in Washington, D.C.

There will be a press conference following the presentation. See BlackHat conference schedule here.

See IO Active press release here.

The current circumstances are very unfortunate.

Criticism of technologies is an important tool to strengthen security. Ensuring that computer researchers have the freedom to engage in scientific expression makes us stronger.

This is not the first time that computer professionals have been threatened with lawsuits. You may remember the case a few years ago when the Recording Industry Association of America threatened to sue Princeton Computer Science Professor, Ed Felten, for violation of the Digital Millennium Copyright Act if he presented an academic paper on vulnerabilities of music anti-piracy software.

But, discouraging IO Active from discussing that the information on radio frequency identification (RFID) tags can be easily read and copied, may have the most grave consequences.

With the Department of Homeland Security expected to release the Real ID regulations very soon and dictate what type of machine readable technology will be in every drivers' license and whether it will contain RFID chips, and the Department of State starting to roll out RFID-embedded passports, it is particularly important that the government and the public have all the information about RFID technology and understand that the use of RFID technology without proper protections can seriously threaten privacy, personal security, and public safety. For more information on Real ID, please visit www.realnightmare.org

The work of computer security professionals to reveal RFID vulnerabilities is integral to ensuring that the privacy, personal security, and public safety of millions of Americans are properly safeguarded.

The use of insecure RFID tags in identification documents, like drivers' licenses and other IDs, means that if you are walking down the street, participating in a political rally, visiting a doctor's office or a gun show, or entering a high security building, anyone with an RFID scanner could read the personal information stored on an insecure RFID chip, without you ever knowing it and potentially misuse the information- to improperly track your movements, to obtain information to harm you physically or engage in identity theft, or gain access to unauthorized information or areas.

The serious threats to privacy, personal and public safety, and financial security is why ACLU of Northern California has been working to stop the use of insecure RFID tags in identification documents like passports and drivers' licenses, including landmark legislation in California, the Identity Information Protection Act (SB 30), that would ensure that protections were in place on the use of RFID technology in all state-issued identification documents. For more information, see our feature, Don't Chip Our Rights Away!

The work that IO Active was going to present at this conference is just one more piece of evidence that there are privacy and security risks associated with the use of RFID technology in identification documents.

The vulnerabilities of RFID have been shown time and time again in the past years.

  • Cracked RFID credit cards (2006)
  • Cracked the California Sacramento Capitol Entry Cards and Gained Access to Secure Building Entrance (2006)
  • Cracked the VeriChip- the RFID chip approved for implantation in humans (2006)
  • Cracked the RFID chips used in the Dutch and British e-passport (2006)Cracked the Exxon Mobil gasoline passes and automobile anti-theft devices ( 2005)
  • Cracked the encryption key to the chips used in French bank cards (2000)
  • Cracked the security on chips used in German phone cards with losses of 34 million dollars (1998)

The GAO has warned about the impact of RFID on privacy and security and so has the DHS's own Privacy and Integrity Committee. Even industry groups like the AeA and Smart Card Alliance have written in letters to the federal government that basic RFID technology has security flaws:

  • Basic RFID technology does not have necessary technological protections to "eliminate the risk of terrorists, criminals, or illegal aliens who have a passing resemblance to legitimate cardholders spoofing or counterfeiting PASS cards to enter the United States undetected." (Smart Card Alliance)
  • "highly susceptible to forgery."(AeA)
  • A potential illicit hacker could very easily read (again, from a distance) the unique ID contained…and easily create a duplicate. The scenario can be imagined where a potential terrorist surreptitiously skims the EPC number information…and then easily creates a duplicate card which could then be used in one of the proposed 'fast lanes." All the potential terrorist need do is be sure that the holder of the fake card resembles the holder of the true WHTI card in order to pass a cursory visual inspection."(AeA)
  • "would potentially undermine critical homeland security border control programs and effectiveness." (AeA)

See a draft of my upcoming law review paper Rights Chipped Away: RFID in Identification Documents, for detailed information about cracks and impact of RFID on privacy and security.

Just like you put a lock on your door to keep your things from being stolen, RFID tags must have adequate protections to ensure that personal information is kept safe.

The work of computer security professionals to bring vulnerabilities of RFID technology to the attention of the government and the public is imperative to protect all of our privacy, financial security, and personal and public safety.