Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Company Tries To Hide Flaws By Threatening Infringement Suit

Posted by Soulskill on from the because-that-always-ends-well dept.

An anonymous reader writes: An RFID-based access control system called IClass is used across the globe to provide physical access controls. This system relies on cryptography to secure communications between a tag and a reader. Since 2010, several academic papers have been released which expose the cryptographic insecurity of the IClass system. Based on these papers, Martin Holst Swende implemented the IClass ciphers in a software library, which he released under the GNU General Public License.

The library is useful to experiment with and determine the security level of an access control system (that you own or have explicit consent to study). However, last Friday, Swende received an email from INSIDE Secure, which notified him of (potential) intellectual property infringement, warning him off distributing the library under threat of "infringement action." Interestingly, it seems this is not the first time HID Global has exerted legal pressure to suppress information.

23 of 124 comments (clear)

  1. Most hated character flaw by Kevin+Fishburne · · Score: 4, Funny

    Nothing worse than a person who always finds a way to blame someone else for their own mistakes, except perhaps cold coffee or warm beer.

    --
    Buy your next Linux PC at eightvirtues.com
    1. Re: Most hated character flaw by Kevin+Fishburne · · Score: 3, Funny

      Good coffee, like Italian espresso, is awesome cold with ice.

      I've heard of such drinks but never tried them. Perhaps on a hot day they'd be both refreshing and invigorating. Down with room-temperature coffee, then. Here's to piping hot or icy cold coffee and cold beer.

      --
      Buy your next Linux PC at eightvirtues.com
    2. Re:Most hated character flaw by TheRaven64 · · Score: 5, Insightful

      Beer should be served at room temperature (not warm). If it needs to be chilled, which reduces the sensitivity of the tastebuds, then the correct solution is to buy better beer.

      --
      I am TheRaven on Soylent News
    3. Re:Most hated character flaw by flopsquad · · Score: 2

      Are we a pommy?** I agree that our "ice cold" light beer stateside is far from the height of brewcraft. But there are very few liquids of any sort that I want to consume at room temperature. Even the best beers could stand to be wine-cellar temperature or a little cooler. Maybe you drink all your beer in a wine cellar, in which case carry on--"room temperature" is correct!


      **No offense meant. It's just a funny term I heard from some Australian friends. You'd do just as well to call me a POGWBABOSS (Prisoner of George W Bush's and Barack Obama's Security State).

      --
      Nothing posted to /. has ever been legal advice, including this.
    4. Re: Most hated character flaw by nedlohs · · Score: 2

      Taste is temperature dependent, and room temperature is the place where it works best (unsurprisingly given that's going to be the temperature of most of the stuff being eaten during its evolution) - coffee has a bunch of bad tasting stuff in it but your taste sensitivity drops off at high and low temperatures. Thus hot coffee or iced coffee is great, but lukewarm coffee is bad.

      http://www.nature.com/nature/j...

  2. Oh, another one by roman_mir · · Score: 5, Insightful

    IClass, meet Barbara.

    --
    You can't handle the truth.
  3. If you can't do, sue! by EzInKy · · Score: 5, Interesting

    Most of the world knows that security is fleeting, and those that deepend on the law to preserve obscurity is the fleetingness of all. Do they not even consider that citizens of nations that don't give a shit about legal protections are the very people their customers need to be protected against? These companies should be paying rewards to anyone who can defeat their protections, not punishing them.

    --
    Time is what keeps everything from happening all at once.
    1. Re:If you can't do, sue! by EzInKy · · Score: 3, Interesting

      Disagree. I just think that anyone who depends on something as esotoric as the law to keep others safe should be held responsible for all others who are damaged by their ignorance.

      --
      Time is what keeps everything from happening all at once.
    2. Re:If you can't do, sue! by fuzzyfuzzyfungus · · Score: 3, Insightful

      Most of the world knows that security is fleeting, and those that deepend on the law to preserve obscurity is the fleetingness of all. Do they not even consider that citizens of nations that don't give a shit about legal protections are the very people their customers need to be protected against? These companies should be paying rewards to anyone who can defeat their protections, not punishing them.

      Aside from pure cultural dysfunction (of the sort that causes even some software companies to threaten the people who do free security testing for them, and even offer them time to fix bugs before releasing the proof of concept), the issue is that HID and friends are closer to locksmiths than to software companies.

      RFID (and non-standardized but conceptually similar contactless short range RF fobs and slightly longer range button-cell-powered keyless entry systems) tends to be painfully computationally limited, since the tags need to be cheap and need to work on a tiny power budget. The older ones are even worse, of course, since they had less efficient silicon fabrication options to work with. For the same reason, such devices aren't usually little microcontrollers with flashable software; but mostly or entirely fixed-function implementations of crap proprietary crypto systems. Depending on when the corresponding card readers and access control stuff was installed, and what the customer picked, those parts of the system may also be hard to upgrade without ripping them out and replacing them(and, since this is a physical security issue, the readers are more likely to be embedded in walls/bolted to stuff/otherwise tied down and hardwired, so it won't just be swapping out a bunch of desktops.

      Because upgrading in-software/firmware is often difficult or impossible, and upgrading involves ripping out hardware that was supposed to have years of service life, HID and friends really don't want to hear about it. They'd much rather just try to tamp down public awareness of the issue, hope that there are no high-profile breaches of customers capable of suing them, and pretend it isn't a problem until the flawed parts have aged out.

      As much as it's a repulsive, dishonest, and definitely-unworthy-of-support-by-the-courts tactic, it must be admitted that plenty of known-broken lock designs continue to more-or-less do their jobs (if attackers are still forcing doors rather than just picking locks, the lock is apparently still effective) for years after their weaknesses become public knowledge, so it is entirely probable that various HID access fobs will quietly age out without any major incidents. No need to threaten the researchers about it, though.

    3. Re:If you can't do, sue! by Another,+completely · · Score: 4, Interesting

      They didn't threaten him for studying the algorithm, the note is about publishing code that implements their proprietary encryption algorithm. It seems more likely that they are worried about a competitor building compatible devices. If they allowed a freely published GPL implementation to be distributed without challenge, somebody might say that was implicitly approving of its distribution and therefore permitting compatible devices to be legally sold that interact with their proprietary system. I'm not sure whether that would hold up in court, but it would certainly drag out the proceedings.

      From the letter, this isn't shooting the messenger so much as normal protection of a proprietary product. If somebody eventually convinces the public that it's insecure, they will deal with that later; maybe they will even have fixed their systems by then. The important thing for now is that whatever systems are out there are all genuinely from INSIDE Secure.

  4. Patent infringement by phantomfive · · Score: 5, Informative
    He is not being threatened for copyright infringement, he's being warned about patent infringement. Here is the link to the patent in question (there's also a European patent). Furthermore, it seems the lawyers have determined that he has not committed infringement himself, but users of his library may use it to infringe. Therefore, the letter does not even threaten any legal action at all. It's just a friendly request.....or as friendly as lawyers ever get.

    Below I will paste the specific patent's independent claims. I don't think this can actually cover generic software written for the PC, because of the 'secret memory' and the fact that they have patented the device implemented in hardware, not a software implementation of the algorithm (and how many computers actually have a pseudo-random shift register?)

    1. Method of producing an authentication code (CA), comprising cycles for reading binary words (Mn) out of a secret memory (21) comprising a plurality of binary words, wherein, at each cycle, the address for reading a word out of the secret memory (21) is generated from an address generating binary word (GA) forming the result of a combination operation (Fc, ) of words (M1 to Mn) read out of the memory during previous cycles, characterised in that it comprises a transform operation of the address generating word (GA) consisting in logically combining at least one bit (g'0, g'1, g'2) of the address generating word (GA) with at least one bit (r1, r4, r6) of a pseudo-random shift register (26).

    8. Logic machine (20, 20-1, 30) clocked by a clock signal (H), comprising a secret memory (21) in which a plurality of binary words read out at clock rate are stored, wherein the output of the memory (21) is applied to a first input (A) of a logic circuit (22) whose output (C) is fed back to the second input (B), the logic circuit (22) performing a combination (Fc, "+") of its two inputs (A, B) and producing an address generating binary word (GA) supplied to the address input (ADR) of the memory, characterised in that it comprises a pseudo-random shift register (26) and logic means (25-1, 27) for combining at least one bit (r1, r4, r6) of the shift register (26) with at least one bit (g'0, g'1, g'2) of the address generating word (GA).

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Patent infringement by flopsquad · · Score: 3, Insightful

      You only quoted claims 1 and 8. It's only infrintement if ALL of the claims apply. If 2-7 don't apply, then it's not infrintement. Period.

      That is patently false (zing!). You do not have to infringe every claim, a single claim is all you need. In order to "infringe a patent" (not actually a thing), what you're really saying is that every element and limitation of a single claim is being practiced by the infringing device/activity.

      If Claim 1 has elements A, B, and C, and limitation L, the competitor's device must contain at least A+B+C-L to infringe. It doesn't matter at all that Claim 2 recites A, B, C, and D with limitations L and M.

      --
      Nothing posted to /. has ever been legal advice, including this.
  5. Is This Infringement? by Strangely+Familiar · · Score: 3, Interesting
    Claim 1 of the patent is pretty long, and the disputed software would have to meet all of the limitations of that claim to infringe.

    Method of producing an authentication code (CA), comprising cycles for reading binary words (Mn) out of a secret memory (21) comprising a plurality of binary words, wherein, at each cycle, the address for reading a word out of the secret memory (21) is generated from an address generating binary word (GA) forming the result of a combination operation (Fc, ) of words (M1 to Mn) read out of the memory during previous cycles, characterised in that it comprises a transform operation of the address generating word (GA) consisting in logically combining at least one bit (g'0, g'1, g'2) of the address generating word (GA) with at least one bit (r1, r4, r6) of a pseudo-random shift register (26).

    Without inspecting the software, and knowing what the HID attorney is asserting, there is no way of forming a legal opinion... and this is in no way a legal opinion, just a recitation of the first patent claim and some questions. But it does look like the method requires using a "pseudo-random shift register" and a "secret memory" among other things. Do the people who are said to infringe actually use this method? Does the code require that such a register and memory be used, or are there ways the code could be used without infringing all of the elements in the claim? Is the target of the letter simply caving to avoid consulting a lawyer?

    --
    Join the IParty!
  6. So... is the LAME strategy valid? by PhrostyMcByte · · Score: 3, Interesting

    Some software projects like LAME, x264, and libav claim to skirt around patent issues by only distributing source code, not binaries. I've always wondered if this is a valid workaround, or just some clever devs getting their hopes up.

  7. Logical by Tablizer · · Score: 3, Funny

    "Being a security company, we wanna keep our mistakes secure."

    --
    Table-ized A.I.
  8. No secret memory in his implementation by dutchwhizzman · · Score: 4, Insightful

    His implementation only uses non-secret memory and should therefor be safe from these patents. The patents described here rely on the contents of the memory of the contraptions to be "secret" to make the process "secure".

    You could even say that the original implementation by INSIDE secure doesn't follow the patent since obviously, the memory content isn't that "secret" anymore.

    --
    I was promised a flying car. Where is my flying car?
  9. I've said that, but Master lock and demolition saw by raymorris · · Score: 5, Interesting

    I've said that same thing before. I happen to BE competent professional in certain security matters, so that affects my point of view.

    On the other hand, the most popular locks, Kwikset and Master lock, are obviously not designed to be secure against a knowledgeable or determined advesary. They are designed to discourage your neighbor from casually getting into your stuff, and that's pretty clear from looking at the product and feeling how lightweight it is. Maybe that's what people want most of the time - a lock sufficient to make it rather inconvenient for the average person to walk in, not something that's going to keep the locksmith out when you lose your key.

    At the other end of the spectrum, for $10,000 you can buy a heavy duty safe made of steel and concrete. For $32, I can rent a demolition saw designed to cut through concrete and steel. Since physical security costs about 300 times as much as breaking it costs, perhaps the primary goal is to not be low-hanging fruit. I've watched a car burglar go from car to car, stealing stuff from the ones that were unlocked. He skipped the locked ones, which all had very breakable windows.*

    * Redundant. Windows is always easily breakable.

  10. they're a french company by sxpert · · Score: 2

    under european law, they have no standing for requesting this sort of code to be removed, as the code was obviously created as a research tool and for interoperability.

    screw those idiots... let's start git cloning the hell of it ;)

  11. Re:IClass? by Jahta · · Score: 4, Funny

    NoClass sounds more like it.

    "When they said you was IClass, well that was just a lie".

    (ducks and runs)

  12. Re:Why do companies insist on producing shit ? by fuzzyfuzzyfungus · · Score: 4, Insightful

    It's seriously difficult to understand the mindset of the organization and how they came into this. Did they even bother hiring a competent cryptographer when designing their product ? Were they duped by someone they hired and led to design a insecure product ? Or is encrypting an RFID communication a difficult and non-trivial task with no known vetted solution ?

    I don't think that the problem is difficult in some fundamental way (the problem of verifying a remote host with asymmetric crypto has been reasonably well explored with SSL/TLS, and an access control system has the advantage of being able to trust only a CA it controls, and the advantage that you need to get physical access to an RFID reader pad to attempt attacks); but there are significant practical challenges.

    RFID chips are pretty power constrained, since they only get whatever energy they can scavenge from the reader's RF output; and customers want them to be cheap. The industry also has fairly long product lifecycles (since, once you've put in a zillion card readers and integrated it with all your other building security stuff you don't want to rip it out and upgrade in 2 years).

    It isn't so much a 'there is no known cryptographic solution to this problem' issue as a 'Why yes, we still have major customers using the 'security' provided by the lousy proprietary cryptosystem that our engineers were able to cram into a cheap, power-constrained, chip using the fab processes available in the mid to late 90s, and we really don't want to fix that' issue.

  13. DeCSS by tepples · · Score: 2

    Can't say I've ever heard of [...] security by litigation.

    Then you weren't around for the DeCSS cases.

  14. Re:I've said that, but Master lock and demolition by NormalVisual · · Score: 2

    The goal of any security measure is to make it easier for someone to break into someone else's property; thus securing yours.

    It's like an implementation of the punchline, "I don't have to run faster than the bear. I just have to run faster than you."

    --
    Please stand clear of the doors, por favor mantenganse alejado de las puertas
  15. If you trip all parts of one claim by tepples · · Score: 2

    Where did you get that interpretation? The way I read patent law, if you trip all the parts of one claim, you infringe the patent. If a claim is dependent ("The device of claim 1, where..."), you have to trip the claim it mentions as well. But you don't have to trip all of them.