New Controversy over Black Hat Presentation
uniquebydegrees writes "InfoWorld is reporting about a new controversy swirling around a planned presentation at Black Hat Federal in Washington D.C. this week. Security researcher Chris Paget of IOActive will demo an RFID hacking tool that can crack HID brand door access cards. HID Corp., which makes the cards, is miffed and is accusing IOActive of patent infringement over the presentation, recalling the legal wrangling over Michael Lynn's presentation of a Cisco IOS hole at Black Hat in 2005. Black Hat's Jeff Moss says they're standing by their speaker. A news conference is scheduled for tomorrow AM." Update: 02/27 20:10 GMT by Z: InfoWorldMike wrote with a link to a story saying that the presentation has been pulled from the slate for Black Hat, as a result of this pressure.
"Your door is secure because bad guys would have to infringe on our patents to open it!"
The article and this guy on the video seem to be confusing RFID and Proximity (125 kHz).
/= Proximity
It's really odd to hear them mention you'd need to bring the card up to 2-3 inches to the reader, when they keep talking about RFID.
It's clearly proximity.
Also the fool on the video mentions this as if it's new; numerous websites mention how to do this and have for years.
Proximity has its drawbacks and EVERYONE knows this.
Which is why HID HAS addressed it with new products. HID iClass readers. 13.56 MHz, with Encryption between the card and the reader. After 2 roll-overs of public to private encryption keys, you no longer can just read the card with any reader; you actually need to know the private key.
So:
RFID not what they are talking about.
RFID
RFID should not be used for access control (unlocking doors from 5 feet away... seriously...)
Proximity vulnerable (nothing new)
HID iClass (13.56 MHz proximity with Encryption) HID has a solution (makes me wonder why they never mention it though...)
Disclaimer: I don't work for HID, but I'm a Sales Engineer for an Access Control company and we use HID readers or our own which are also Proximity.
The BlackHat speaker isn't presenting it as new...what he *is* doing, though, is giving away schematics to build devices to do the reading and cloning. That's what's getting HID's attention. Lots of people knew you could do this...not so many had a clear schematic & parts list to actually go *do* it.
More detail here:
http://news.com.com/Black+Hat+talk+on+RFID+access+badge+risks+nixed/2100-1029_3-6162547.html?tag=nefd.top
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
We're able to make copies of keys, yet they're still widely used as "security" measures in offices worldwide. Why is this any different? I've always been taught that a successful Security strategy is comprised of the 3 concepts:
What you have - your ID badge/card
What you know - the PIN associated with that card
Who you are - a fingerprint/retinal scan/etc to be used with that card
The point is, ok, someone figured out how to easily clone RFID enabled "access cards". Is it the manufacturer's fault that many places rely SOLELY on those badges for their perimeter/access control? If your facility is truly "secure", there should be at LEAST the requirement of a PIN typed in along with a card swipe as well as cameras, physical security, and other standard procedures. If your facility's management has opted to rely on the cards as the only means of controlling who enters and when, then blame that same management if a problem happens. The term "security" is very subjective. What might pass for your average office building would never pass at a serious Datacenter or other Critical Facility.
Several companies already make RFID blocking wallets. Presumably something similar could easily be designed for ID badges. I don't know for sure, but the wallets are probably lined in a way to make it act like a Faraday cage. Here are examples of RFID blocking wallets:
This is some of the most contemptible saber-rattling -- and caving -- I've seen this year.
This is not my sandwich.
Because of the parent's usage of the (simplistic) 3 methods of authentication.
Clearly someone got their Security+ cert recently.
Something you know
Would be the PIN
Something you have
Would be the RFID card
Something you are
Is generally a biometric device confirmation
Any one of the above is normally relatively trivial to crack; as you add the others the difficulty goes up exponentially.
The best systems use all 3.
The Sproggg