RFID proof of concept pulled from Black Hat

Do you trust standard RFID cards to perform a security function? Probably; most companies use electronic access cards based on RFID, such as those made by HID, to open doors. Unfortunately, they’re not much more secure than a secret handshake - someone could easily watch you do it, and then repeat it himself as needed. Granted, this isn’t news, since we all know that RFID is capable of being cloned. It’s even been done with the new US passport.

Why, then, is this fiasco at Black Hat in DC taking place? Chris Paget, of IOActive, created a simple proof-of-concept RFID cloner in his spare time over the course of a month. He then put together a 75-minute briefing on how it works, and how to build your own. There was no reverse engineering or hacking necessary, since RFID technology has been patented and is therefore public knowledge.

Unfortunately for Mr. Paget, he demonstrated his device at the recent RSA Security Conference, using a typical HID access card and reader. HID happens to be one of the best-selling implementations of RFID cards, and is a big company with too many lawyers. So when they came across the video of his demo, they decided it infringed on their intellectual property and therefore was not appropriate for presentation at Black Hat. Of course, the fact that Paget was going to show that unencrypted RFID should not be used in presumably secure access cards (the products that HID sells) had nothing to do with it.

Reminiscent of the Cisco escapade at Black Hat in 2005, HID contacted IOActive and the conference organizers, demanding that they cancel the talk and remove the slides from everyone’s printed materials. Once again, there was a lot of ripping paper out of conference proceedings to do.

I can’t blame them for giving in to the legal pressure, since defending themselves in a legal battle would be much too costly. The real losers in this situation are you and me. First of all, they are restricting what appears to be free speech, in the name of protecting corporate interests. Second, as RFID technology becomes ever more pervasive, I believe it should come under increased scrutiny. Not only are RFID chips appearing in all kinds of products, but they are also embedded in our passports and the new “Real ID” identification cards. Full disclosure is the right answer here, not security through obscurity.

Luckily the truth will get out, someone else will release the schematics for this or another simple cloner, and HID and its competitors will be forced to reexamine their implementations. At the very least, having this fiasco in the headlines will alert more corporate security folks to the vulnerability of their favorite access solution.
