Slashdot Mirror
New Controversy over Black Hat Presentation
uniquebydegrees writes "InfoWorld is reporting about a new controversy swirling around a planned presentation at Black Hat Federal in Washington D.C. this week. Security researcher Chris Paget of IOActive will demo an RFID hacking tool that can crack HID brand door access cards. HID Corp., which makes the cards, is miffed and is accusing IOActive of patent infringement over the presentation, recalling the legal wrangling over Michael Lynn's presentation of a Cisco IOS hole at Black Hat in 2005. Black Hat's Jeff Moss says they're standing by their speaker. A news conference is scheduled for tomorrow AM." Update: 02/27 20:10 GMT by Z :InfoWorldMike wrote with a link to story saying that the presentation has been pulled from the slate for Black Hat, as a result of this pressure.
Hat Fight!
If you can read this, I forgot to post anonymously.
Aren't HID cards passive? Last I checked, they just reported a serial number.
So what is this "hack"? Recording and replaying the serial is nothing new.
"Your door is secure because bad guys would have to infringe on our patents to open it!"
They have a patent. Therefore, no one can break their security. It would be illegal.
I'm convinced.
The comment "For someone to be able to surreptitiously read a card, they'd have to get within two or three inches and get into the same plane as the card," by Kathleen Carroll, a spokeswoman for HID's Government Relations. Thats not hard to do at all in the federal world. Ride the metro around 7:30 on a weekday and almost every person on it has a proximity badge around their neck or on the belt along with their ID badge. Its like showing the world your cool that you work at the agriculture department or something. But I've seen everything from State Department badges, treasury, and justice department badges on full display on super crowded metro trains.
Security is constant vigilence. Certain tools come in handy, but they are not by themselves security. Security is either part of your corporate culture and SOP, or it is not. You can't buy something and tack it on to make your business secure. The sooner PHBs learn this, the sooner we can get past all this nonsense.
Insisting on "correct" English is like saying that there is only one, definitive recipe for chili.
From TFA:
> HID has sent a letter to IOActive, a security consulting firm, accusing Chris Paget, IOActive's
> director of research and development, of possible patent infringement over a planned presentation,
> "RFID for beginners," on Wednesday, a move that could lead to legal action should the talk go
> forward, according to Jeff Moss, founder and director of Black Hat.
I, for one, take comfort in the fact that HID Corp can sue anyone that breaks into my workplace after cloning my security card.
until you stop the toy when the door lock clicks.
countermeasures: use longer ident numbers when programming the things. put a GOOD camera above the door or use an IR detector and if somebody stays at the door for a minute, the guard should use the intercom and ask them if they want to sleep in another doorway, or if they need to talk to a sheriff's deputy.
moral: relying on any one layer of security is no security if somebody really wants in. multiple levels and somebody awake someplace who cares will fix every physical penetration attempt except wackos with bulldozers.
if this is supposed to be a new economy, how come they still want my old fashioned money?
From the article: "These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.
This blows me away. Rather than taking the responsibility for having a flawed security system, rather than having the responsibility as a company to say "Hey, yeah we know about this and we are going to fix it after 15 years," the company accuses the security researcher of a lack of responsibility for "revealing" how to exploit these systems. I feel like bizarro world has become the real world when I read these kind of comments.
Nearly every HID card out there is passive and will give anyone that passes the right kind of reader in front of it the numbers on the card. I'm not sure why this warrants its own talk or is viewed as a "breakthrough" of any kind.
I'm not smart enough to do it, but a very interesting project for those with the talent would be building a hardware device to spoof cards and brute force access control systems like most parking structures and numerous physical building access control systems. I'm not aware of any brute force detectors in those access control systems.
This is the tip of the proverbial iceberg for HID's (in)security. Though, most people who bought the systems had more secure options, they chose the least secure. It's hard to blame HID.
What amazes me is someone at HID has to pretend this is some kind of serious compromise. They probably sleep just fine after spending their workday spreading lies too. Sometimes I wish I could do that. I could make a heck of a lot more money lying.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Dude, the hat was on the doorknob. You know that means you can't come in. I'm gonna sue you for infringing on my patented hat security system and making me go limp.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
If you base your security model singularly around patents instead of proper implementation, then there is something wrong with your security model.
The article and this guy on the video seem to be confusing RFID and Proximity (125khz).
/= Proximity
Its really odd to hear them mention you'd need to bring the card up to 2-3 inches to the reader, when they keep talking about RFID.
Its clearly proximity.
Also the fool on the video mentions this as if its new, numerous websites mention how to do this and have for years.
Proximity has its draw backs and EVERYONE knows this.
Which is why HID HAS addressed it with new products. HID iClass readers. 13.56mhz, with Encryption between the card and the reader. After 2 roll-overs of public to private encryption keys, you no longer can just read the card with any reader you actually need to know the private key.
So:
RFID not what they are talking about.
RFID
RFID should not be used for access control (unlocking doors from 5 feet a way... seriously...)
Proximity vulnerable (nothing new)
HID iClass (13.56mhz proximity with Encryption) HID has a solution (makes me wonder why they never mention it though...)
Disclaimer: I don't work for HID, but I'm a Sales Engineer for an Access Control company and we use HID readers or our own which are also Proximity.
The BlackHat speaker isn't presenting it as new...what he *is* doing, though, is giving away schematics to build devices to do the reading and cloning. That's what's getting HID's attention. Lots of people knew you could do this...not so many had a clear schematic & parts list to actually go *do* it.
.... More detail here:
+ badge+risks+nixed/2100-1029_3-6162547.html?tag=nef d.top
http://news.com.com/Black+Hat+talk+on+RFID+access
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
which is why my outfit is always cautioning workers to avoid "riders," don't let anybody pretend to be your shadow flitting by as the door closes... unless you see their badge.
"hey, pard, where's your badge today?" costs nothing. adds 60,000 security persons to the force. even if half of them are just going through the motions day in and day out, it can stop a lot of riders.
if this is supposed to be a new economy, how come they still want my old fashioned money?
We're able to make copies of keys, yet they're still widely used as "security" measures in offices worldwide. Why is this any different? I've always been taught that a successful Security strategy is comprised of the 3 concepts:
What you have - your ID badge/card
What you know - the PIN associated with that card
Who you are - a fingerprint/retinal scan/etc to be used with that card
The point is, ok, someone figured out how to easily clone RFID enabled "access cards". Is it the manufacturer's fault that many places rely SOLELY on those badges for their perimiter/access control? If your facility is truly "secure", there should be at LEAST the requirement of a PIN typed in along with a card swipe as well as cameras, physical security, and other standard procedures. If your facility's management has opted to rely on the cards as the only means of controlling who enters and when, then blame that same management if a problem happens. The term "security" is very subjective. What might pass for your average office building would never pass at a serious Datacenter or other Critical Facility.
The work of computer security professionals to reveal RFID vulnerabilities is integral to ensuring that the privacy, personal security, and public safety of millions of Americans are properly safeguarded.
With the Department of Homeland Security expected to release the Real ID regulations very soon and dictate what type of machine readable technology will be in every drivers' license and whether it will contain RFID chips, and the Department of State starting to roll out RFID-embedded passports, it is particularly important that the government and the public have all the information about RFID technology and understand that the use of RFID technology without proper protections can seriously threaten privacy, personal security, and public safety.
Lots more info about this story and RFID vulnerabilities at www.aclunc.org/techblog
Sure, you could make this a lot more secure, but it's not any worse than regular locks. It's basically the same as regular locks but with easy revocation.
And with a huge false sense of security. Oh, and it costs a lot more.
So, exactly what's the benefit again? Aside from the fact that employees can act all cool, by waving their badges at a sensor instead of sticking a metal piece in the door?
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Paraphrased:
Wear badge between neck and waist level at all times when on premises.
Put card away when off-base.
Never use card as a civilian-side ID.
Spent 5 years living this.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
This is some of the most contemptible saber-rattling -- and caving -- I've seen this year.
This is not my sandwich.