In Case You Missed This Stink At Black Hat [11:57 am]
After receiving a letter threatening possible patent litigation that caused IOActive to cancel his Feb. 28 Black Hat briefing, IOActive R&D director Chris Paget did give his Hacking RFID talk after all.
With the ACLU on hand.
[...] In a talk with IOActive’s Joshua Pennell after the briefing, he told me that just to go in and investigate whether there’s any possibility that IOActive infringed on HID’s patent would have cost $30,000 in legal fees right out of the gate. If the situation ever reached litigation, going into court would cost between $150,000 and $1 million.
Just to reiterate, just to make sure we all understand exactly what this means to anybody who wants to share vulnerability information with security professionals, even if that information was published in a white paper two years ago (as IOActive’s material was) and is available online in multiple sources: Even if completely innocent, a small company or individual security researcher can be forced into silence by the mere threat of copyright [sic] infringement.
The presentation material in question relates to the security of RFID, a technology that the ACLU proved years ago could be subverted easily by pass-by readers. And understand one other thing: The only reason that IOActive planned to use HID technology as a (very generally outlined) example is that IOActive shares a building with the Federal Emergency Management Agency and was curious to know just how good that building’s security was.
[...] The ACLU’s reason to be concerned is that, first of all, there have been multiple breaches of RFID-enabled passports and other identification documents, including British and Dutch e-passports.
“The ACLU is interested in getting out the facts,” [the ACLU's Nicole] Ozer said. “For less than $100, with parts off the Internet—and that’s the up number—Chris got them for about $20—[you can assemble a device] to read RFID. [That includes] RFID in identification documents, for secure buildings like the FEMA building which IOActive is in. [The government] just spent over $2 million in readers. ACLU showed compromising of that last year.
“From an ACLU standpoint, [we're concerned] in terms of privacy tracking, personal safety and financial security,” she continued. “You can get a list of who was at what place at what time. [RFID doesn't] just transmit a number. It can transmit anything encoded: name, address, Social Security number. Dutch and British passports have already been compromised. People might not want their name and address on [RFID-enabled documents]. Think of a woman walking down the street alone—would she want her name, her address, broadcast? RFID undermines the goal of trying to improve security.”
It’s imperative to educate the government and public about the vulnerabilities if somebody’s going to use RFID in a public document, Ozer said.