X

Nixed: Black Hat talk on RFID access badge risks

Legal threat from HID prompts security researchers to cancel discussion on flaws of radio tag-embedded building access ID cards.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
See full bio
Joris Evers
2 min read
Security researchers have canceled a talk on the flaws of RFID-equipped building access badges after receiving legal threats from a major manufacturer.

Researchers from security services firm IOActive planned to demonstrate that the commonly used identification cards can easily be duplicated, posing a serious risk to those who rely on such systems for security.

The talk, slated for Wednesday at the Black Hat DC Briefings & Training event in Arlington, Va., was canceled Tuesday after IOActive said it received legal threats from HID Global, a major seller of access control systems.

"We can't go forward with the threat of litigation hanging over our small company," Joshua Pennell, IOActive's chief executive, said in a conference call with reporters Tuesday.

HID said in a statement late Tuesday that it did not threaten IOActive to stop its presentation at the Black Hat event.

"HID Global, acting in the best interests of its customers worldwide, simply informed IOActive and its management of the patents that currently protect HID Global intellectual property," the company said.

Additionally, HID said it was surprised that the Black Hat talk was called off and that it was blamed. The company also acknowledged that RFID cards can be cloned.

"It may be possible, under certain conditions, to clone a proximity card," HID said. For added security, use of such cards could be complemented by additional security systems such as cameras and biometrics, it said.

According to IOActive, HID charged that the planned presentation infringed its intellectual property, U.S. patents 5,041,826 and 5,166,676 in particular.

"As a consequence...IOActive has withdrawn its presentation," the company said in a statement on its Web site, declining to give further details about its scrapped conference session.

The concept behind IOActive's presentation is not new. RFID security is regularly scrutinized. In fact, at last year's Black Hat Briefings in Las Vegas, a German security researcher showed how passports equipped with the radio tags could be cloned. The same researcher said this could also be done with building access cards.

Black Hat is getting a reputation for having talks canceled at the last minute because of legal threats. A presentation on vulnerabilities in Cisco Systems' software at the 2005 event in Las Vegas was pulled because of legal threats from the networking giant. The presenter famously delivered his talk anyway.

"I don't like it when really big companies throw their weight around," Jeff Moss, founder of Black Hat conferences, said on the Tuesday conference call. "This threatens the whole conference business."

"It is deja vu," Moss said, referring to Black Hat having to revise parts of its conference materials because of the last-minute change. "It certainly screwed up our conference scheduling."