New Controversy over Black Hat Presentation

← Back to Stories (view on slashdot.org)

New Controversy over Black Hat Presentation

Posted by Zonk on Tuesday February 27, 2007 @05:07AM from the black-hat-on-a-white-field dept.

uniquebydegrees writes "InfoWorld is reporting about a new controversy swirling around a planned presentation at Black Hat Federal in Washington D.C. this week. Security researcher Chris Paget of IOActive will demo an RFID hacking tool that can crack HID brand door access cards. HID Corp., which makes the cards, is miffed and is accusing IOActive of patent infringement over the presentation, recalling the legal wrangling over Michael Lynn's presentation of a Cisco IOS hole at Black Hat in 2005. Black Hat's Jeff Moss says they're standing by their speaker. A news conference is scheduled for tomorrow AM." Update: 02/27 20:10 GMT by Z :InfoWorldMike wrote with a link to story saying that the presentation has been pulled from the slate for Black Hat, as a result of this pressure.

14 of 144 comments (clear)

Min score:

Reason:

Sort:

Ooh! Ooh! by Kingrames · 2007-02-27 05:08 · Score: 4, Funny

Hat Fight!

--
If you can read this, I forgot to post anonymously.
In other words... by Anonymous Coward · 2007-02-27 05:15 · Score: 5, Informative

"Your door is secure because bad guys would have to infringe on our patents to open it!"
Patent = No Hacking by Cassini2 · 2007-02-27 05:15 · Score: 4, Funny

They have a patent. Therefore, no one can break their security. It would be illegal.

I'm convinced.
1. Re:Patent = No Hacking by physicsboy500 · 2007-02-27 05:31 · Score: 4, Funny
  
  They have a patent. Therefore, no one can break their security. It would be illegal.
  
  It's also ironic that the US Patent & Trademark Office uses HID cards on their doors...
  
  A circular protection that can not be broken
  
  --
  The original generic sig.
HID has its head in the sand by doroshjt · 2007-02-27 05:18 · Score: 5, Interesting

The comment "For someone to be able to surreptitiously read a card, they'd have to get within two or three inches and get into the same plane as the card," by Kathleen Carroll, a spokeswoman for HID's Government Relations. Thats not hard to do at all in the federal world. Ride the metro around 7:30 on a weekday and almost every person on it has a proximity badge around their neck or on the belt along with their ID badge. Its like showing the world your cool that you work at the agriculture department or something. But I've seen everything from State Department badges, treasury, and justice department badges on full display on super crowded metro trains.
1. Re:HID has its head in the sand by dgatwood · 2007-02-27 07:27 · Score: 4, Insightful
  
  You know, in fifteen years of carrying a credit card, I have never had one fail. The high-coercivity mag stripe cards are darn near indestructible. By contrast, the low-coercivity cards that they use at some hotels... I've had them just suddenly fail on the third or fourth use and have to be reprogrammed multiple times in a single night (and about the fifth time I had the same card reprogrammed, they tossed it in a trash can and programmed a fresh one for me, which never failed again).
  
  Put simply, low-coercivity cards suck, but high-coercivity cards are pretty solid. Just don't cut corners on your card programmers and you'll be fine.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
Security through Risibility? by Odiumjunkie · 2007-02-27 05:23 · Score: 5, Funny

From TFA:

> HID has sent a letter to IOActive, a security consulting firm, accusing Chris Paget, IOActive's
> director of research and development, of possible patent infringement over a planned presentation,
> "RFID for beginners," on Wednesday, a move that could lead to legal action should the talk go
> forward, according to Jeff Moss, founder and director of Black Hat.

I, for one, take comfort in the fact that HID Corp can sue anyone that breaks into my workplace after cloning my security card.
Responsibility? by Diluted · 2007-02-27 05:24 · Score: 5, Insightful

From the article: "These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.
This blows me away. Rather than taking the responsibility for having a flawed security system, rather than having the responsibility as a company to say "Hey, yeah we know about this and we are going to fix it after 15 years," the company accuses the security researcher of a lack of responsibility for "revealing" how to exploit these systems. I feel like bizarro world has become the real world when I read these kind of comments.
Re:What hack? by Lumpy · 2007-02-27 05:38 · Score: 5, Interesting

also how is it new? I did this 2 years ago with a kit I bought off the net. It will read a prox card and clone it. I scared the crap out of the Director of security into actually enforcing security policy after demonstrating how his "uncrackable" card access security was incredibly easy to get by.

--
Do not look at laser with remaining good eye.
Litigation vs. Inteligent Implementation by Tomis · 2007-02-27 06:05 · Score: 5, Insightful

If you base your security model singularly around patents instead of proper implementation, then there is something wrong with your security model.
Proximity vs RFID by cbeaudry · 2007-02-27 06:16 · Score: 5, Informative

The article and this guy on the video seem to be confusing RFID and Proximity (125khz).

Its really odd to hear them mention you'd need to bring the card up to 2-3 inches to the reader, when they keep talking about RFID.
Its clearly proximity.

Also the fool on the video mentions this as if its new, numerous websites mention how to do this and have for years.

Proximity has its draw backs and EVERYONE knows this.

Which is why HID HAS addressed it with new products. HID iClass readers. 13.56mhz, with Encryption between the card and the reader. After 2 roll-overs of public to private encryption keys, you no longer can just read the card with any reader you actually need to know the private key.

So:

RFID not what they are talking about.
RFID /= Proximity
RFID should not be used for access control (unlocking doors from 5 feet a way... seriously...)
Proximity vulnerable (nothing new)
HID iClass (13.56mhz proximity with Encryption) HID has a solution (makes me wonder why they never mention it though...)

Disclaimer: I don't work for HID, but I'm a Sales Engineer for an Access Control company and we use HID readers or our own which are also Proximity.
Re:What hack? by peacefinder · 2007-02-27 06:18 · Score: 4, Interesting

Basic HID Prox cards just report a serial number. HID also makes a version that has some cryptographic component, called iClass. When I spec'd a security system last year, I insisted on crypto-enabled cards and readers. (We ended up with HID's iClass.)

If this is just a tool to clone HID Prox cards, then it's nothing new... but it'll make me look good to my boss. (Sweet!)

If it's a tool to spoof iClass readers then it's new, a pretty big deal, and I just wasted a few thousand bucks. (Boo!)

--
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
Re:What hack? 100% Right by gclef · 2007-02-27 06:22 · Score: 4, Informative

The BlackHat speaker isn't presenting it as new...what he *is* doing, though, is giving away schematics to build devices to do the reading and cloning. That's what's getting HID's attention. Lots of people knew you could do this...not so many had a clear schematic & parts list to actually go *do* it.
The demo is cancelled.... by 8127972 · 2007-02-27 06:25 · Score: 4, Informative

.... More detail here:

http://news.com.com/Black+Hat+talk+on+RFID+access+ badge+risks+nixed/2100-1029_3-6162547.html?tag=nef d.top

--
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.