New Controversy over Black Hat Presentation
uniquebydegrees writes "InfoWorld is reporting about a new controversy swirling around a planned presentation at Black Hat Federal in Washington D.C. this week. Security researcher Chris Paget of IOActive will demo an RFID hacking tool that can crack HID brand door access cards. HID Corp., which makes the cards, is miffed and is accusing IOActive of patent infringement over the presentation, recalling the legal wrangling over Michael Lynn's presentation of a Cisco IOS hole at Black Hat in 2005. Black Hat's Jeff Moss says they're standing by their speaker. A news conference is scheduled for tomorrow AM." Update: 02/27 20:10 GMT by Z: InfoWorldMike wrote with a link to a story saying that the presentation has been pulled from the slate for Black Hat, as a result of this pressure.
Hat Fight!
If you can read this, I forgot to post anonymously.
Controversy at a conference?
This may generate as much interest as Darwin's debate.
Have you read my journal today?
Aren't HID cards passive? Last I checked, they just reported a serial number.
So what is this "hack"? Recording and replaying the serial is nothing new.
"Your door is secure because bad guys would have to infringe on our patents to open it!"
They have a patent. Therefore, no one can break their security. It would be illegal.
I'm convinced.
The comment "For someone to be able to surreptitiously read a card, they'd have to get within two or three inches and get into the same plane as the card," by Kathleen Carroll, a spokeswoman for HID's Government Relations. That's not hard to do at all in the federal world. Ride the metro around 7:30 on a weekday and almost every person on it has a proximity badge around their neck or on the belt along with their ID badge. It's like showing the world you're cool that you work at the agriculture department or something. But I've seen everything from State Department badges, treasury, and justice department badges on full display on super crowded metro trains.
Security is constant vigilance. Certain tools come in handy, but they are not by themselves security. Security is either part of your corporate culture and SOP, or it is not. You can't buy something and tack it on to make your business secure. The sooner PHBs learn this, the sooner we can get past all this nonsense.
Insisting on "correct" English is like saying that there is only one, definitive recipe for chili.
From TFA:
> HID has sent a letter to IOActive, a security consulting firm, accusing Chris Paget, IOActive's
> director of research and development, of possible patent infringement over a planned presentation,
> "RFID for beginners," on Wednesday, a move that could lead to legal action should the talk go
> forward, according to Jeff Moss, founder and director of Black Hat.
I, for one, take comfort in the fact that HID Corp can sue anyone that breaks into my workplace after cloning my security card.
until you stop the toy when the door lock clicks.
countermeasures: use longer ident numbers when programming the things. put a GOOD camera above the door or use an IR detector and if somebody stays at the door for a minute, the guard should use the intercom and ask them if they want to sleep in another doorway, or if they need to talk to a sheriff's deputy.
moral: relying on any one layer of security is no security if somebody really wants in. multiple levels and somebody awake someplace who cares will fix every physical penetration attempt except wackos with bulldozers.
if this is supposed to be a new economy, how come they still want my old fashioned money?
From the article: "These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.
This blows me away. Rather than taking the responsibility for having a flawed security system, rather than having the responsibility as a company to say "Hey, yeah we know about this and we are going to fix it after 15 years," the company accuses the security researcher of a lack of responsibility for "revealing" how to exploit these systems. I feel like bizarro world has become the real world when I read these kind of comments.
HID has a patent on breaking and entering? The USPTO has reached a new low. I think I'm going to get a patent on marijuana smoking. Or better, a patent on patenting patents! I'll control the entire patent industry! MWWWWHAHAHA!
Why don't you ever put in a useful subject, mouchebag?
Schlage is suing the makers of lockpick tools for patent infringement!
http://www.immuneid.com/ Immune ID works in a very simple, safe and practical way. With Immune ID on documents, credit cards and credentials, the identification device on them will always remain deactivated unless the user activates them through physical touch. Without human contact, any reading and/or writing attempt will fail. Thus, your information is protected from harmful use. The user will also have a visual and/or audio confirmation included in the device*. Immune ID is an innovative protection system for all electronic documents using technologies such as RFID, Rubee, Smart Dots, EAS, etc.: passports, credit cards, driving licenses, access cards, etc. Immune ID eliminates the risk of having all your important and personal information broadcasted on public air, at the reach of anyone who may want to duplicate, steal, modify or use it in dangerous and harmful ways. Immune ID is the best solution for those who want to ensure themselves a safer and protected life.
"Black Hat's Jeff Moss says they're standing by their speaker."
You go DT, I mean, um, Jeff.
I thought you had to actually make something in order to infringe a patent. And patents, by definition, are public knowledge. If I stand up and read your patent to a crowd, how can you sue me?
Nearly every HID card out there is passive and will give anyone that passes the right kind of reader in front of it the numbers on the card. I'm not sure why this warrants its own talk or is viewed as a "breakthrough" of any kind.
I'm not smart enough to do it, but a very interesting project for those with the talent would be building a hardware device to spoof cards and brute force access control systems like most parking structures and numerous physical building access control systems. I'm not aware of any brute force detectors in those access control systems.
This is the tip of the proverbial iceberg for HID's (in)security. Though, most people who bought the systems had more secure options, they chose the least secure. It's hard to blame HID.
What amazes me is someone at HID has to pretend this is some kind of serious compromise. They probably sleep just fine after spending their workday spreading lies too. Sometimes I wish I could do that. I could make a heck of a lot more money lying.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
A true blackhat wouldn't exactly demonstrate or publicise the flaws of existing RFID, now would he? He would be out there evangelizing the faulty products so as to enlarge his playing field :)
White-Whitehat, Black-Whitehat, White-Blackhat, Black-Blackhat... it used to be simple...
It may prevent the "stealing credentials on the metro" scenario, but does jack all against passive sniffing of a legitimate use. If it's being broadcast via any kind of radio carrier wave, it can be sniffed. The only way to have secure access cards is via physical contact (swipe, smart card, etc).
Oh, and BTW, ImmuneID's website sucks. It's pure flash and resizes my browser. On that basis alone I would not buy your product nor recommend it to any of my customers.
Dude, the hat was on the doorknob. You know that means you can't come in. I'm gonna sue you for infringing on my patented hat security system and making me go limp.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
If you base your security model singularly around patents instead of proper implementation, then there is something wrong with your security model.
I don't see how HID is planning on getting around the education & research exemption in the patent process.
(No thoughts about what it might do to their customer's profits after a few break-ins.)
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The article and this guy on the video seem to be confusing RFID and proximity (125 kHz).
RFID != Proximity
It's really odd to hear them mention you'd need to bring the card up to 2-3 inches of the reader when they keep talking about RFID.
It's clearly proximity.
Also, the fool on the video mentions this as if it's new; numerous websites mention how to do this and have for years.
Proximity has its drawbacks and EVERYONE knows this.
Which is why HID HAS addressed it with new products: HID iClass readers. 13.56 MHz, with encryption between the card and the reader. After 2 roll-overs of public to private encryption keys, you no longer can just read the card with any reader; you actually need to know the private key.
So:
RFID: not what they are talking about.
RFID should not be used for access control (unlocking doors from 5 feet away... seriously...)
Proximity: vulnerable (nothing new)
HID iClass (13.56 MHz proximity with encryption): HID has a solution (makes me wonder why they never mention it though...)
Disclaimer: I don't work for HID, but I'm a Sales Engineer for an Access Control company and we use HID readers or our own which are also Proximity.
From TFA:
> Kathleen Carroll, a spokeswoman for HID's Government Relations group acknowledged that a letter was sent to IOActive but that it did not mention patent infringement. She said that the company has long been aware that its proximity cards are vulnerable to hacking but does not believe that the cards are as vulnerable as Paget suggests.
> "For someone to be able to surreptitiously read a card, they'd have to get within two or three inches and get into the same plane as the card," Carroll said.
Oh, do you mean like placing a reader under a seat at the bus station? I'm pretty sure that my ass is in the same plane as the seat and my wallet is right there too.
Why can't companies whose job is security do security right?
-K
Apparently the "major upheaval" necessary to bring their product's security up to snuff is less desirable than the "major upheaval" that would occur if the currently poor security were exploited in a headline-grabbing, stock-price-swatting incident. Perhaps their risk-analysis number-crunchings have been tainted by oh...I dunno, smoking crack?
I was going to comment on the same excerpt you chose -- because I felt the same sense of "umm, is it backwards day today?" Luckily for me, there was more than enough "backwards speak" to quote!
Slashdot? Oh, I just read it for the articles.
The BlackHat speaker isn't presenting it as new...what he *is* doing, though, is giving away schematics to build devices to do the reading and cloning. That's what's getting HID's attention. Lots of people knew you could do this...not so many had a clear schematic & parts list to actually go *do* it.
mod that up, Informative
More detail here: http://news.com.com/Black+Hat+talk+on+RFID+access+badge+risks+nixed/2100-1029_3-6162547.html?tag=nefd.top
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
I may be wrong in assuming this, but it seems likely that the security system would detect a brute force attempt pretty quickly.
Even if it doesn't, halfway competent security staff would notice the attempt right away. One of the guys here showed me how their monitoring system works once - any time someone uses an invalid card (whether it's deactivated or just doesn't have access to that door) or the door is held open too long, or anything else out of the ordinary happens, the security cameras take snapshots of the whole area around the door. The events are very visibly highlighted in the monitoring console as well, if no one happens to be paying attention at the time.
Yes, you could also disable the cameras in some way, but my point is that there's no really covert way to do it.
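The kind of monitoring this comment describes (flagging invalid cards and doors held open, plus the brute-force attempts an earlier poster wondered about) can be scripted in a few lines. This is an added example, not anyone's actual monitoring console; the log format and the sample lines are constructed for the demo, and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export from a hypothetical access-control panel (not a real product format):
# timestamp | reader | card number | result
SAMPLE_LOG = """\
2007-02-27 07:31:02 | DOOR-12 | 0x1A2B3C | GRANTED
2007-02-27 07:31:40 | DOOR-12 | 0x1A2B3D | DENIED:NOT_AUTHORIZED
2007-02-27 07:31:41 | DOOR-12 | 0x1A2B3E | DENIED:UNKNOWN_CARD
2007-02-27 07:31:42 | DOOR-12 | 0x1A2B3F | DENIED:UNKNOWN_CARD
2007-02-27 07:31:43 | DOOR-12 | 0x1A2B40 | DENIED:UNKNOWN_CARD
2007-02-27 07:31:44 | DOOR-12 | 0x1A2B41 | DENIED:UNKNOWN_CARD
2007-02-27 07:35:10 | DOOR-03 | 0x0F00BA | DENIED:DEACTIVATED
2007-02-27 07:36:00 | DOOR-03 | 0x0F00BB | GRANTED
2007-02-27 07:36:01 | DOOR-03 | - | DOOR_OPEN
2007-02-27 07:37:30 | DOOR-03 | - | DOOR_CLOSED
2007-02-27 07:40:00 | DOOR-12 | 0x1A2B3C | GRANTED
2007-02-27 07:40:01 | DOOR-12 | - | DOOR_OPEN
2007-02-27 07:40:09 | DOOR-12 | - | DOOR_CLOSED
"""

LINE_RE = re.compile(r"^(\S+ \S+) \| (\S+) \| (\S+) \| (\S+)$")


def parse(log_text):
    """Turn the pipe-separated export into a list of event dicts, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "reader": m.group(2), "card": m.group(3), "result": m.group(4)})
    return events


def detect(events, held_open_limit=timedelta(seconds=30),
           brute_window=timedelta(seconds=60), brute_threshold=4):
    """Return (kind, reader, detail) alerts for the three conditions the comment lists.

    invalid_card        - any DENIED presentation (deactivated, unknown, not authorised here)
    possible_brute_force - brute_threshold distinct rejected card numbers at one reader
                          inside brute_window (a sequential-number sweep looks like this)
    door_held_open      - door open longer than held_open_limit
    """
    alerts = []
    recent_denied = defaultdict(deque)  # reader -> deque of (ts, card) for denied events
    open_since = {}                     # reader -> timestamp the door opened
    for ev in events:
        reader, result = ev["reader"], ev["result"]
        if result.startswith("DENIED"):
            reason = result.split(":", 1)[1]
            alerts.append(("invalid_card", reader, f"{ev['card']} {reason}"))
            dq = recent_denied[reader]
            dq.append((ev["ts"], ev["card"]))
            while dq and ev["ts"] - dq[0][0] > brute_window:  # drop events outside the window
                dq.popleft()
            distinct = {card for _, card in dq}
            if len(distinct) >= brute_threshold:
                alerts.append(("possible_brute_force", reader, len(distinct)))
                dq.clear()  # one alert per burst rather than one per further attempt
        elif result == "DOOR_OPEN":
            open_since[reader] = ev["ts"]
        elif result == "DOOR_CLOSED":
            opened = open_since.pop(reader, None)
            if opened is not None and ev["ts"] - opened > held_open_limit:
                alerts.append(("door_held_open", reader, int((ev["ts"] - opened).total_seconds())))
    return alerts


def summarize(alerts):
    """Count alerts by kind, which is what a console would show as a highlighted tally."""
    return dict(Counter(kind for kind, _, _ in alerts))


if __name__ == "__main__":
    found = detect(parse(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print(summarize(found))
```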
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
http://www.pcworld.com/article/id,120292-page,1/article.html
From article: "Texas Instruments, a major manufacturer of RFID chips, confirmed that a properly designed cover could block the RFID signal.
'Stitching a metal web into the cover creates a Faraday cage,' says V.C. Kumar, manager for emerging markets at TI. 'It kills the RFID signal.'"
I'm no expert on the things, so defer to others on if the presentation addresses this suggested solution or not.
Didn't you hear? ImmuneID prevents terrorism and "any possible threat"!
http://outcampaign.org/
You hate when websites resize your browser too? Who doesn't? I'm not sure how to accomplish this through any other browser, but through Firefox, you can go into about:config, type dom.disable_window in the filter, and set all of those to true. It doesn't change the fact that the site is evil for trying to resize my window, and in some cases, remove my address bar etc...
"I don't like it when really big companies throw their weight around," Jeff Moss, founder of Black Hat conferences, said on the Tuesday conference call. "This threatens the whole conference business."
What are you thinking, Jeff?
In 2005, you canceled a presentation because you received a legal threat from Cisco. You demonstrated to any company out there, that if they don't want a presentation to happen, all they need to do is send a scary warning on some official letterhead, and Black Hat will cancel the presentation.
And now you realize that this threatens the whole conference?
which is why my outfit is always cautioning workers to avoid "riders," don't let anybody pretend to be your shadow flitting by as the door closes... unless you see their badge.
"hey, pard, where's your badge today?" costs nothing. adds 60,000 security persons to the force. even if half of them are just going through the motions day in and day out, it can stop a lot of riders.
We're able to make copies of keys, yet they're still widely used as "security" measures in offices worldwide. Why is this any different? I've always been taught that a successful Security strategy is comprised of the 3 concepts:
What you have - your ID badge/card
What you know - the PIN associated with that card
Who you are - a fingerprint/retinal scan/etc to be used with that card
The point is, ok, someone figured out how to easily clone RFID enabled "access cards". Is it the manufacturer's fault that many places rely SOLELY on those badges for their perimeter/access control? If your facility is truly "secure", there should be at LEAST the requirement of a PIN typed in along with a card swipe as well as cameras, physical security, and other standard procedures. If your facility's management has opted to rely on the cards as the only means of controlling who enters and when, then blame that same management if a problem happens. The term "security" is very subjective. What might pass for your average office building would never pass at a serious Datacenter or other Critical Facility.
This line of thinking truly baffles me...
TFA: "HID is [...] concerned that Paget's demonstration will popularize the vulnerabilities in its proximity cards and endanger its many customers."
Moss: "They've known about this for years and years."
Carroll: "Some of these cards have been around for 15 years and were developed when there was no awareness of the problem."
TFA: "Asked why HID hasn't addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause 'major upheaval' among customers."
Essentially, they are saying that if the companies that use the cards know about any flaws, they will become less secure-- because the "bad guys" won't know about the flaws beforehand. Ummmm, no. Obscurity does not work and can not work for security. Security is a moving target-- good security requires constant updating and vigilance, because old security will always be broken, even if "obscure". Because "bad guys" will usually break a security device long before a customer of the device will (assuming the customer _can_ or even _tries_ to break the security device), the sellers of these devices must: (1) constantly create replacements, better devices, better methods; (2) inform their customers of known flaws so that they have a chance to be informed before or at the same time as the "bad guys" and do something about it.
I don't understand HID's attitude or any security-centric company's attitude. Here's a ludicrous example. A man has a neighbor who lives alone. One day the man notices as the neighbor leaves that he didn't lock his door, so the man calls out to him, "Hey, you forgot to lock your door!" Well, the neighbor becomes absolutely furious. "How dare you," he fumes. "I will sue you out of existence! I will have the police lock you up for good!" The man, taken aback, says, "I don't understand. I just wanted to tell you about your door. I don't want your house to be burglarized. I'm trying to help." Huffing and puffing, the neighbor dryly retorts, "Didn't you know? I never lock my door. I've never been robbed. However, now that you've yelled it out loud, all the criminals in our neighborhood know. They now know they _can_ rob me. You've compromised the security of my house!" This is how I see these kind of companies currently. The neighbor in this story assumes that no one would ever try opening the door if it's closed until someone says it out loud, which is, IMHO, a very poor excuse. Also, why not try something better? Why not lock the door, thusly improving the security of the house? Because then the neighbor's brother in the next town will then be upset that criminals now know about this door opening tactic, and his house's security will be compromised for he never locked his door either? *Sigh*
While I'm on a rant. What's the deal with patent infringement charge? As I understand it, a patent is a process that is filed on PUBLIC record and then granted temporary exclusive rights on sales. So, anyone may read it. Anyone may build what it describes. But no one may sell what they make. Sooooo, what is this presenter "selling" that infringes upon HID's patent. Isn't Paget simply stating public information? Even if he mentions things IN the patent, it is _still_ PUBLIC INFORMATION. Considering that HID doesn't want to elaborate on the infringement accusations, I think it's an empty threat. (What scares me is that due to the current state of the legal system, an empty threat can sometimes be as damaging as a real threat in the long run.)
Peace out.
--Dave Romig, Jr.
Can't he give the original filer the credit for "Prior Art" or, File a "New Patent" on the "HACK"? Plainly outlined, demonstrated and documented, hold a press conference to describe in detail the application filing and be done with it?
Oh the fun of defending free speech!
There are only two steps in the gathering of ultimate knowledge. Open your eyes and, RTFM!
That is not irony.
The work of computer security professionals to reveal RFID vulnerabilities is integral to ensuring that the privacy, personal security, and public safety of millions of Americans are properly safeguarded.
With the Department of Homeland Security expected to release the Real ID regulations very soon and dictate what type of machine readable technology will be in every drivers' license and whether it will contain RFID chips, and the Department of State starting to roll out RFID-embedded passports, it is particularly important that the government and the public have all the information about RFID technology and understand that the use of RFID technology without proper protections can seriously threaten privacy, personal security, and public safety.
Lots more info about this story and RFID vulnerabilities at www.aclunc.org/techblog
OK, I know nothing about these systems so I'm going to ask a stupid question. The very first time I ever saw an access control that opened a door lock when a card-bearer approached was in the giant Compaq retail/factory warehouse clearance outlet in Houston, more than a decade ago. (Great place. Old stock, reconditioned stuff, and odds 'n ends out the ying-yang, all at firesale prices and the staff actually worked for Compaq, meaning they knew what they were doing.) That system opened the door between the public space and the employee offices whenever an employee got within 10-12 feet of it. The door in question was at the end of a short hall that you had to traverse to get to the public restrooms. Whenever any employee set foot into that hall, there was a big *Klunk* as the door unlocked. They unlocked the door even when they were just going to the bathroom. I think the system was prototypical and it certainly had problems, but I was always fascinated by it.
What sort of access control tech would open locks from that sort of distance?
I thought when reading this, that it was some kind of bad typo or misprint, then I looked up to see if posit was really a word.
Turns out it was. Geez...learn something new every day, even on /.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Sure, you could make this a lot more secure, but it's not any worse than regular locks. It's basically the same as regular locks but with easy revocation.
And with a huge false sense of security. Oh, and it costs a lot more.
So, exactly what's the benefit again? Aside from the fact that employees can act all cool, by waving their badges at a sensor instead of sticking a metal piece in the door?
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Cameras are only good if you are in range of the cameras. Anyone with an antenna with a decent gain can break at least a front door (I don't know if they give off any sort of confirmation other than an LED) reader without much personal risk.
Clones are people two.
...this still makes HID look bad. You can do this with their equipment... they don't care that one of their products is fundamentally flawed, they only care that people (users and crooks alike) buy their equipment and not a knock-off.
What does ImmuneID get you, that taking a conventional RFID card and putting it into a metallic badge holder wouldn't?
It seems like it's major feature is a 'safety' that keeps it from broadcasting or receiving, unless activated by skin contact. In other words, an on/off switch. Not a bad idea, but you could just as easily take a regular passive card, and put it into a metal case, and then take it out when it needs to be used.
Many people keep their cards in carrier-cases anyway (because they need to be removed to access magnetic strips that are also on them, or SmartCard contact pads, or because they want to put the card on a keychain or neck strap and can't punch holes in it), so all that needs to happen is these cases need to be made RF-tight.
Some other RFID devices -- like the EZ-Pass transponders used on highways -- come to the customer inside conductive, anti-static plastic bags. I'm not sure if they're effective enough to prevent 'subway cloning,' but it seems like a suitable conductive plastic could be developed pretty quickly if they're not.
They don't actually say much about how it works, and their assertion that passports "broadcast" your data and (I love this part) position such that it's readable by satellites is beyond ludicrous. Scaremongering without content. I too dislike their flash-only site, and they can't spell either (check the pdf).
Can someone explain to me what a patent on the technology has to do with a presentation? Patents are, by definition, public material. They are supposed to describe some device and in exchange for making that information public the government grants the holder certain rights for a limited period of time. Making it public does not mean that it is public domain in the sense that it is free for the public to use, rather that the information about the device is public. So, how could talking about a patent be a breach of patent laws? If they were selling a device that was based on patent protected designs, then that's one thing. But TALKING about a product doesn't seem like it should be covered under patent law. If it were a trade secret, or the presenter was reading directly from a copyrighted work then that's something else, but a presentation on a patented product???
I'm obviously not a lawyer, edumacate me.
Paraphrased:
Wear badge between neck and waist level at all times when on premises.
Put card away when off-base.
Never use card as a civilian-side ID.
Spent 5 years living this.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
This is an ancient security problem, spoofing the card response is pretty trivial. You can hear it on a Shady O'Rack shortwave radio. I showed this to an employer who was installing the cards, and they went ahead and installed them anyway.
The thing is, you don't even need the hardware. All you need is a reader to read the number of the card, which you can do through a pocket, and get the 36 bit number. Then you can just ORDER a card or keyfob on line! You can't do that with a brass key, a legit locksmith won't sell it to you unless you have the original.
But a prox card is not a brass key. It is MUCH EASIER to get into a prox building than a brass key building!
Stopping the talk does *NOT* solve the problem. HID and their parent company, Assa Abloy, are fleecing their shareholders by sweeping this under the rug. They have to solve it before it puts them out of business.
When this eventually hits the mainstream media, and their stock goes to hell, their shareholders will have a good case, assuming there's anything left to take.
In fairness, it's part of a compatibility chain that goes back before microcontrollers. 'Wiegand' cards allowed digital swipe cards that had no internal microcontroller in the card, or the reader. This was huge back before microcontrollers were affordable. It was also very hard to fake a Wiegand card. HID prox cards descended from these and maintained compatibility with the old systems. Most of their readers still support Wiegand and can replace the old readers.
It is time for them to break the chain and only offer challenge/response products from now on. The world has grown up, and anything less is not responsible. Also, when the story breaks they can say 'Oh, those are our old, discontinued products.' and turn it into a sales opportunity.
=Rich
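To make concrete why a fixed card number can be recorded and replayed while the challenge/response products Rich calls for (and the encrypted card-to-reader exchange another poster described for iClass) resist that, here is an added toy simulation. It is not HID's protocol, iClass, or any real reader firmware; the 5-byte ID length, the 8-byte nonce and the HMAC-SHA256 tag are my own assumptions.

```python
import hashlib
import hmac
import secrets

ID_LEN = 5   # bytes; assumed, wide enough for the 26- to 37-bit numbers prox formats carry


class StaticProxCard:
    """Models a passive 125 kHz prox card: it answers every reader with the same fixed bits."""

    def __init__(self, card_number):
        self.card_number = card_number

    def respond(self, challenge=None):
        return self.card_number.to_bytes(ID_LEN, "big")  # the challenge is ignored


class ChallengeResponseCard:
    """Card holding a per-card secret; its answer depends on the reader's fresh challenge."""

    def __init__(self, card_number, key):
        self.card_number = card_number
        self._key = key

    def respond(self, challenge):
        id_bytes = self.card_number.to_bytes(ID_LEN, "big")
        tag = hmac.new(self._key, challenge + id_bytes, hashlib.sha256).digest()[:8]
        return id_bytes + tag


class RecordedResponse:
    """Whatever was captured from one earlier exchange; it can only repeat those bytes."""

    def __init__(self, captured):
        self.captured = captured

    def respond(self, challenge=None):
        return self.captured


class Reader:
    def __init__(self, authorized, keys=None):
        self.authorized = set(authorized)
        self.keys = keys or {}  # card_number -> per-card secret (empty in static mode)

    def open_door_static(self, card):
        """Legacy behaviour: whoever presents an authorised number gets in."""
        number = int.from_bytes(card.respond(), "big")
        return number in self.authorized

    def open_door_cr(self, card, challenge=None):
        """Challenge/response: the tag must be computed over THIS reader's fresh nonce."""
        if challenge is None:
            challenge = secrets.token_bytes(8)  # fresh per presentation
        resp = card.respond(challenge)
        id_bytes, tag = resp[:ID_LEN], resp[ID_LEN:]
        number = int.from_bytes(id_bytes, "big")
        key = self.keys.get(number)
        if key is None or number not in self.authorized:
            return False
        expected = hmac.new(key, challenge + id_bytes, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(tag, expected)


def demo():
    """Run the same recorded-response scenario against both reader types."""
    results = {}
    card_number = 0x1A2B3C                      # constructed demo number
    reader = Reader(authorized={card_number})
    genuine = StaticProxCard(card_number)
    results["static_genuine"] = reader.open_door_static(genuine)
    # A recording of the static card is indistinguishable from the card itself.
    results["static_replay"] = reader.open_door_static(RecordedResponse(genuine.respond()))

    key = bytes(range(16))                      # constructed demo key, never reuse in practice
    reader = Reader(authorized={card_number}, keys={card_number: key})
    cr_card = ChallengeResponseCard(card_number, key)
    results["cr_genuine"] = reader.open_door_cr(cr_card)
    first_challenge = bytes.fromhex("0011223344556677")
    captured = cr_card.respond(first_challenge)
    # The recording fails against a fresh nonce ...
    results["cr_replay_fresh_challenge"] = reader.open_door_cr(RecordedResponse(captured))
    # ... but passes if the reader repeats a nonce, which is why nonce freshness matters.
    results["cr_replay_same_challenge"] = reader.open_door_cr(
        RecordedResponse(captured), challenge=first_challenge)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} door opens: {ok}")
```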
That wasn't grammar.
I'll tell you what's ironic. Rebar!
Can you be Even More Awesome?!
This is some of the most contemptible saber-rattling -- and caving -- I've seen this year.
This is not my sandwich.
I guess it's time to retaliate, just release the code and the exploit to the world, anonymously of course.
Take the bastards down, and anyone else who waves an attorney as an attempt to restrict knowledge.
---- Booth was a patriot ----
The problem seems to be with the conference people. If everyone had kept their trap shut, then HID (and the world) would've found out AFTER it occurred. Good luck stopping that, then. This is a "Black Hat Presentation", after all - so why are they passing out notes beforehand? Are they _trying_ to get it shut down?
And that's none of the Grammar Police's business.
Make it a point to have your meeting in another country. Preferably one that does not recognize absurd IP law. At the very least put a hood on the guy and don't give his name out, and then put him in front of a remote camera. Anything is better than caving to a bunch of industry thugs. If you're going to call yourselves "black hat", then grow some balls. Otherwise change your name to "Pink Easter Bonnet" or something more fitting your disposition.
What?
Hmmm... opening doors from a mile away, what fun could that be!
Hello Martin, I figured you'd google yourself some day :-)
to be there, I would find a copy of the pages taken from the handout, hit up a Kinko's with about $300 and recruit a swarm of volunteers to run around the conference like paperboys, handing out flyers and setting out stacks of them at every bench.
And the last page would have a "you're number one" on the bottom.
I work for the Department of Redundancy Department.
Read the full comments made by Nicole Ozer, Technology and Civil Liberties Policy Director, ACLU of Northern California, on her blog here: http://www.aclunc.org/issues/technology/bytes_and_pieces/blackhat_presenters_threatened_with_patent_suit_for_exposing_rfid_vulnerabilities.shtml
It's a painful thing to have your deficiencies exposed in public.
However, the RIGHT thing would have been to engage those people and see what could be improved. The WRONG thing to do is to abuse the legal system to prevent a public presentation - it simply draws more attention to the flaws and, more importantly, it offers a crystal clear illustration of the companies' attitude to a breach: they run away.
Or, let me translate this: their action spells in bright letters not to even THINK of relying on HID to help you if the system is breached, and product improvement also seems wishful thinking.
With that attitude they're off my books - and thus of the clients I advise.
Simple..
Insert
IANAL, but patents are supposed to be "public knowledge". So someone who builds a machine based on my patent has done nothing wrong. If he tells someone about it, nothing wrong. If he improves on it, nothing wrong. Now, if he sells the improved machine, he will first need to negotiate a licence for the patented technology.
In short, I don't think you can prevent someone from giving a talk about your patented technology.
Thanks for the info. I'm not sure why I find this so fascinating.
Still, the system could not have been motion or heat activated. The locks didn't open when a customer entered the hallway on the way to the restroom; they only opened for employees (who were all wearing badges, so I assumed that had something to do with it).
Thanks again.
Why should companies put effort into fixing their product when they can just suppress the information with a well-aimed legal threat? This will ensure that no one else will be able to get their hands on this very sensitive information, since the only place it could possibly be distributed is at Black Hat. Well done, HID Corp.
When a company like HID gets this jumpy it seems to me that they are hiding something. Perhaps there is a security flaw in their active cards: perhaps the crypto-algorithm is incorrectly implemented, perhaps the private key is the same for all cards at a site or perhaps the algorithm is crap (xor!) in a lower priced product. It is cause for investigation, no?