Security Company Tries To Hide Flaws By Threatening Infringement Suit

An anonymous reader writes: An RFID-based access control system called IClass is used across the globe to provide physical access controls. This system relies on cryptography to secure communications between a tag and a reader. Since 2010, several academic papers have been released which expose the cryptographic insecurity of the IClass system. Based on these papers, Martin Holst Swende implemented the IClass ciphers in a software library, which he released under the GNU General Public License.

The library is useful to experiment with and determine the security level of an access control system (that you own or have explicit consent to study). However, last Friday, Swende received an email from INSIDE Secure, which notified him of (potential) intellectual property infringement, warning him off distributing the library under threat of "infringement action." Interestingly, it seems this is not the first time HID Global has exerted legal pressure to suppress information.

Oh, another one

[roman_mir]

IClass, meet Barbara.

No secret memory in his implementation

[dutchwhizzman]

His implementation only uses non-secret memory and should therefor be safe from these patents. The patents described here rely on the contents of the memory of the contraptions to be "secret" to make the process "secure".

You could even say that the original implementation by INSIDE secure doesn't follow the patent since obviously, the memory content isn't that "secret" anymore.

Re:If you can't do, sue!

[fuzzyfuzzyfungus]

Most of the world knows that security is fleeting, and those that deepend on the law to preserve obscurity is the fleetingness of all. Do they not even consider that citizens of nations that don't give a shit about legal protections are the very people their customers need to be protected against? These companies should be paying rewards to anyone who can defeat their protections, not punishing them.

Aside from pure cultural dysfunction (of the sort that causes even some software companies to threaten the people who do free security testing for them, and even offer them time to fix bugs before releasing the proof of concept), the issue is that HID and friends are closer to locksmiths than to software companies.

RFID (and non-standardized but conceptually similar contactless short range RF fobs and slightly longer range button-cell-powered keyless entry systems) tends to be painfully computationally limited, since the tags need to be cheap and need to work on a tiny power budget. The older ones are even worse, of course, since they had less efficient silicon fabrication options to work with. For the same reason, such devices aren't usually little microcontrollers with flashable software; but mostly or entirely fixed-function implementations of crap proprietary crypto systems. Depending on when the corresponding card readers and access control stuff was installed, and what the customer picked, those parts of the system may also be hard to upgrade without ripping them out and replacing them(and, since this is a physical security issue, the readers are more likely to be embedded in walls/bolted to stuff/otherwise tied down and hardwired, so it won't just be swapping out a bunch of desktops.

Because upgrading in-software/firmware is often difficult or impossible, and upgrading involves ripping out hardware that was supposed to have years of service life, HID and friends really don't want to hear about it. They'd much rather just try to tamp down public awareness of the issue, hope that there are no high-profile breaches of customers capable of suing them, and pretend it isn't a problem until the flawed parts have aged out.

As much as it's a repulsive, dishonest, and definitely-unworthy-of-support-by-the-courts tactic, it must be admitted that plenty of known-broken lock designs continue to more-or-less do their jobs (if attackers are still forcing doors rather than just picking locks, the lock is apparently still effective) for years after their weaknesses become public knowledge, so it is entirely probable that various HID access fobs will quietly age out without any major incidents. No need to threaten the researchers about it, though.

Re:Why do companies insist on producing shit ?

[fuzzyfuzzyfungus]

It's seriously difficult to understand the mindset of the organization and how they came into this. Did they even bother hiring a competent cryptographer when designing their product ? Were they duped by someone they hired and led to design a insecure product ? Or is encrypting an RFID communication a difficult and non-trivial task with no known vetted solution ?

I don't think that the problem is difficult in some fundamental way (the problem of verifying a remote host with asymmetric crypto has been reasonably well explored with SSL/TLS, and an access control system has the advantage of being able to trust only a CA it controls, and the advantage that you need to get physical access to an RFID reader pad to attempt attacks); but there are significant practical challenges.

RFID chips are pretty power constrained, since they only get whatever energy they can scavenge from the reader's RF output; and customers want them to be cheap. The industry also has fairly long product lifecycles (since, once you've put in a zillion card readers and integrated it with all your other building security stuff you don't want to rip it out and upgrade in 2 years).

It isn't so much a 'there is no known cryptographic solution to this problem' issue as a 'Why yes, we still have major customers using the 'security' provided by the lousy proprietary cryptosystem that our engineers were able to cram into a cheap, power-constrained, chip using the fab processes available in the mid to late 90s, and we really don't want to fix that' issue.

Re:they're a french company

[zm]

A French company threatening a Swedish guy with a US law.. Makes perfect sense...

Re:Most hated character flaw

[TheRaven64]

Beer should be served at room temperature (not warm). If it needs to be chilled, which reduces the sensitivity of the tastebuds, then the correct solution is to buy better beer.

Re:If you can't do, sue!

[Lunix+Nutcase]

From the letter, this isn't shooting the messenger so much as normal protection of a proprietary product. If somebody eventually convinces the public that it's insecure, they will deal with that later; maybe they will even have fixed their systems by then. The important thing for now is that whatever systems are out there are all genuinely from INSIDE Secure.

HID fixing the insecurity of their products? Hahahahahahaha. Funniest joke I've heard so far this week.

Re:Patent infringement

[flopsquad]

You only quoted claims 1 and 8. It's only infrintement if ALL of the claims apply. If 2-7 don't apply, then it's not infrintement. Period.

That is patently false (zing!). You do not have to infringe every claim, a single claim is all you need. In order to "infringe a patent" (not actually a thing), what you're really saying is that every element and limitation of a single claim is being practiced by the infringing device/activity.

If Claim 1 has elements A, B, and C, and limitation L, the competitor's device must contain at least A+B+C-L to infringe. It doesn't matter at all that Claim 2 recites A, B, C, and D with limitations L and M.