New Controversy over Black Hat Presentation

uniquebydegrees writes "InfoWorld is reporting about a new controversy swirling around a planned presentation at Black Hat Federal in Washington D.C. this week. Security researcher Chris Paget of IOActive will demo an RFID hacking tool that can crack HID brand door access cards. HID Corp., which makes the cards, is miffed and is accusing IOActive of patent infringement over the presentation, recalling the legal wrangling over Michael Lynn's presentation of a Cisco IOS hole at Black Hat in 2005. Black Hat's Jeff Moss says they're standing by their speaker. A news conference is scheduled for tomorrow AM." Update: 02/27 20:10 GMT by Z :InfoWorldMike wrote with a link to story saying that the presentation has been pulled from the slate for Black Hat, as a result of this pressure.

What hack?

[Jordan+Catalano]

Aren't HID cards passive? Last I checked, they just reported a serial number.

So what is this "hack"? Recording and replaying the serial is nothing new.

Re:What hack?

[Lumpy]

also how is it new? I did this 2 years ago with a kit I bought off the net. It will read a prox card and clone it. I scared the crap out of the Director of security into actually enforcing security policy after demonstrating how his "uncrackable" card access security was incredibly easy to get by.

Re:What hack?

[peacefinder]

Basic HID Prox cards just report a serial number. HID also makes a version that has some cryptographic component, called iClass. When I spec'd a security system last year, I insisted on crypto-enabled cards and readers. (We ended up with HID's iClass.)

If this is just a tool to clone HID Prox cards, then it's nothing new... but it'll make me look good to my boss. (Sweet!)

If it's a tool to spoof iClass readers then it's new, a pretty big deal, and I just wasted a few thousand bucks. (Boo!)

HID has its head in the sand

[doroshjt]

The comment "For someone to be able to surreptitiously read a card, they'd have to get within two or three inches and get into the same plane as the card," by Kathleen Carroll, a spokeswoman for HID's Government Relations. Thats not hard to do at all in the federal world. Ride the metro around 7:30 on a weekday and almost every person on it has a proximity badge around their neck or on the belt along with their ID badge. Its like showing the world your cool that you work at the agriculture department or something. But I've seen everything from State Department badges, treasury, and justice department badges on full display on super crowded metro trains.

Re:HID has its head in the sand

[Kadin2048]

I think part of the reason for this (besides the obvious penis-length contest, which is definitely true -- IIRC what's important isn't what's printed on the cards so much as the color, e.g. white for USG employees, pink for contractors, etc.) is because you're told in security training to always keep the cards on your person, and not put them in a laptop bag / briefcase / purse. So people keep them hanging near their keys at home and put them on as they're leaving.

You really wouldn't want to encourage people to put them away, because they'd probably put them in purses or briefcases, and lose them, or put them in wallets and get them stolen (or read just as easily), and it would also defeat the physical-security purpose of the cards, which is to act as an ID badge when you're in a secure facility.

I think the solution is just to issue everyone a metallic container, which slips over the card and covers the portion of it that contains the antenna. Maybe you could even design one that would reveal (through a clear front) the name and picture of the bearer, but cover the back of the card and keep it from being read.

Most people keep their access cards in little clear-plastic holders anyway (because the new USG computer systems require you to jack the card into the keyboard in order to log in), so stepping up to some sort of metal one wouldn't be that big a deal, and it would prevent a lot of card-cloning/warscanning attacks.

Re:HID has its head in the sand

[gregmac]

I think the solution is just to issue everyone a metallic container, which slips over the card and covers the portion of it that contains the antenna. Maybe you could even design one that would reveal (through a clear front) the name and picture of the bearer, but cover the back of the card and keep it from being read. How about just use magnetic stripe cards? The only way to read it is to physically slide it through a reader.. if you have to 'open' your RFID card to get the reader to recoginize it, then it's just as simple to slide it through a reader on the wall, but probably much cheaper.

Yes, RFID is cool and all, but in a lot of ways people are using it as solution to a problem that doesn't exist.

They're starting to put it in credit cards, which just makes no sense to me at all. Instead of sliding it through a reader, you just 'tap' it on a pad? Ok, what's the difference, besides the fact that you're forcing merchants to buy new readers? I'm sure there's probably banks out there sticking RFID in bank cards, then advertising "hey, you don't need to swipe OR use a PIN anymore!"...

Re:HID has its head in the sand

[still+cynical]

Magnetic stripes are notoriously fragile and unreliable. Get your card too close to a decent magnet (more common than you think), and it's now unreadable. RFID saves a lot of administrative work in replacing cards that have been demagnetized. It would really suck being on-call and not able to get into our data center. My boss does not want to be woken up at 3am on a holiday weekend because the stripe on my card wore out.

It's common now for cell phone cases to have magnetic flaps on them. The only reason I can keep my work access cards with my phone (harder to forget due to bulk), is they are RFID.

Re:What hack? 100% Right

[mpapet]

Nearly every HID card out there is passive and will give anyone that passes the right kind of reader in front of it the numbers on the card. I'm not sure why this warrants its own talk or is viewed as a "breakthrough" of any kind.

I'm not smart enough to do it, but a very interesting project for those with the talent would be building a hardware device to spoof cards and brute force access control systems like most parking structures and numerous physical building access control systems. I'm not aware of any brute force detectors in those access control systems.

This is the tip of the proverbial iceberg for HID's (in)security. Though, most people who bought the systems had more secure options, they chose the least secure. It's hard to blame HID.

What amazes me is someone at HID has to pretend this is some kind of serious compromise. They probably sleep just fine after spending their workday spreading lies too. Sometimes I wish I could do that. I could make a heck of a lot more money lying.

Re:Security through Risibility?

[Jeff+DeMaagd]

Risibility? Wow, that looks like a pretty obscure word. I don't think I've seen it before, I had to look it up.

Re:I assume it reports random numbers

[SuperBanana]

countermeasures: use longer ident numbers when programming the things.

Or do what the devices already do: have at least a second's worth of delay between them, log invalid access attempts, and have the reader beep each time a card's signal is detected.

Slashdotters tend to be very arrogant about this sort of stuff. Did it occur to you that most of these concerns are obvious, and are both understood by security professionals and have been addressed to some degree?

Example: even if you can clone the card, at most datacenters (for example) you need a keycard AND either a biometric scan or keycode.

Keycards aren't the ultimate security control and never were. Hell, I don't even need a keycard to get to my desk at work; I just walk by with everyone else from the shuttle bus, hop in the elevator at the same time, etc. You don't need to clone cards when you can piggyback off people who have 'em. Of course, I'm recorded on at least 2-3 security cameras entering the building, so if I were not supposed to be there, they'd be able to prove it was me.

Re:Responsibility?

[Schraegstrichpunkt]

It's not the same thing. With Internet-connected servers, anyone who has access to the Internet is a potential attacker, knowledge of a vulnerability (i.e. automated exploit software) can spread extremely quickly, and it's easy to hide behind surrogates (i.e. proxies, botnets, etc). With door locks, the pool of potential attackers is a lot smaller, and the personal risk for an attacker is much greater.

after the building is taken down, that is

[swschrad]

which is why my outfit is always cautioning workers to avoid "riders," don't let anybody pretend to be your shadow flitting by as the door closes... unless you see their badge.

"hey, pard, where's your badge today?" costs nothing. adds 60,000 security persons to the force. even if half of them are just going through the motions day in and day out, it can stop a lot of riders.

Re:The demo is cancelled....

[dean.collins]

i dont know why these companies incorporate in the first place if they are worried about being sued. you incorporate a company for each event with $1 assets and liquidate after each show. big deal. only way to get presentations pulled then is through injunction before the event. Dean