The IT security community is buzzing with an RFID security row that broke out on 27 February 2007, one day ahead of the start of the Black Hat DC 2007 conference.
Officials with IOActive were forced to cancel a planned presentation at the government-themed security trade show in which an expert from the company was to have detailed a technique for hacking data transmitted by HID's proximity identification cards – used by millions of people nationwide.
Chris Paget, IOActive's director of research and development, had planned to show off an RFID "cloning" device that could be used to steal access codes from HID-brand proximity cards, store them, then use the stolen codes to fool an HID card reader.
According to show organisers, HID stopped the session by threatening to file a patent infringement suit against IOActive over the use of HID's source code in the demonstration.
Despite the Black Hat lecture's cancellation, US lawmakers say the debate over use of similar RFID security technologies in the government space is far from over.
IOActive claims that its initial experiment in hacking the HID system was partially spawned by the firm's physical proximity to government IT assets protected by the devices. The security service provider maintains that its offices are located in a building that uses HID's cards for physical access that also houses "components of the US’ critical infrastructure."
Legislators target RFID systems
Such concerns have pushed some lawmakers to introduce new bills seeking to limit the use of RFID-based systems in the government sector. Among those backing legislation is California Democrat Senator Joe Simitian, who is currently pushing five related bills in his home state.
One of the laws introduced by Simitian (California SB-31), whose district encompasses much of California's Silicon Valley, directly addresses "skimming," the hacker technique that IOActive was to have demonstrated, through which wireless transmissions from RFID technologies may be captured.
A second bill (California SB-30) calls for a moratorium on the adoption of RFID technology in government-issued IDs, while the others propose controls barring applications for tracking students in the state's school systems.
Simitian submitted the bills after California Governor Arnold Schwarzenegger vetoed a broader piece of legislation proposing limits on the use of RFID in the government in October 2006. The governor cited his belief that the bill could "unduly burden the numerous beneficial new applications of technology" as his main reason for shooting it down.
To highlight the seriousness of the situation to California's senate and state assembly, Simitian conducted a test in 2006 in which a security expert was hired to visit the state's capitol building in Sacramento and hack the RFID card system used to gain entry to the building's garage.
"We're at the state capitol building in the post-9/11 environment and we've spent millions to improve security, but in the space of several minutes, someone with a laptop can compromise the badge system," Simitian said. "The main problem is that the issues aren't widely understood. That's why we've come back with five bills – I want to ensure I get to tell this story in every venue that I can; if we can sit down and explain the issue to people, they get it but it's a hard, complex technical issue."
Simitian said that HID was involved in negotiating the terms of the bill vetoed by Governor Schwarzenegger but said that the firm still refused to give the legislation its blessing.
The lawmaker labelled HID's move to stop the IOActive Black Hat briefing as proof of its "embarrassment" over the ease with which its products can be hacked.
As the son of a computer programmer and the recipient of several awards from the IT security industry, including an honour bestowed at the RSA 2007 conference earlier this month, Simitian said he hardly considers himself conservative when it comes to promoting new technologies. He has a hard time understanding why Schwarzenegger and others have blocked laws that require "practical" security measures for the use of RFID.
"I'm a moderate on this issue, which is what frustrates me with the pushback, but those of us who are advocates for technology also know best that it must be used well and wisely," he said. "We have only ourselves to blame if not – and the notion of embedding government documents with RFID with no protections or to use it in government ID cards, just strikes me as irresponsible."
One of the solutions proposed by HID, whose officials maintain that the company's proximity cards have not been targeted by skimming attacks on a widespread basis, is for concerned customers to upgrade to its more expensive smart card IDs, which use a more advanced form of "active" RFID.
"That's what was so frustrating about the governor's message. He said that placing limits on RFID is premature but the technology has already been with us for a decade," Simitian said. "Should we wait until it's deployed to millions of Californians and then worry? The time to identify problems is now before things get out of control. I think the public expects that."
Is RFID a gateway to malware?
Data skimming isn't the only security concern to have been posed regarding RFID systems. In March 2006, Dutch researchers published a research report that claimed RFID chips can be infected with malware and used to spread attacks to the back-end IT systems to which they're connected.
Opponents of further adoption of RFID technologies in the government sector often refer to a now-defunct pilot programme operated by the Department of Homeland Security (DHS) as further evidence that the tools aren't ready for widespread use.
As part of the US Visitor and Immigration Status Indicator Technology programme, DHS used documents bearing RFID technology between 2005 and 2006 to help track the movement of individuals at several major land border crossings.
In a report issued on 31 January 2007, the US Government Accountability Office (GAO) indicated that the RFID portion of the programme had been halted based on concerns about the technologies' usefulness and security ramifications.
Like the HID proximity cards hacked by IOActive and those made by other popular vendors, the RFID technology used in the DHS pilot featured long-range radio frequency technology, which is considered by experts to be the most dangerous – because the devices' signals can be intercepted from as far as 30 feet away.
Jim Harper, director of information policy studies at the Cato Institute, a public policy think-tank based in Washington, helped author a DHS report that reviewed security and privacy issues related to the use of RFID in the programme.
The HID-IOActive imbroglio serves as yet another example of how commonly used RFID technologies aren't ready for application in the government and elsewhere, he said.
"I don't think the government should try to lead the way on RFID; we should let the technologies mature further and iron out the security risks first," Harper said. "Up to this point, the government has been a leading adopter and all that has done is put US citizens into the role of guinea pig."
On the flip side, RFID proponents maintain that lawmakers must be prudent in drafting any limitations they place on the use of the technology so as to not limit potentially beneficial innovation.
Randy Vanderhoof, executive director of the Smart Card Alliance, a 160-member nonprofit group that promotes the use of RFID in cutting-edge identification systems, said that legislators are correct to demand that security and privacy concerns surrounding use of the tools be addressed but he observed that some of the bills that have been proposed are far too vague and all-inclusive.
"The intention is right in terms of protecting citizens' privacy but legislation that seeks to outlaw technologies without further defining their use is the wrong approach," Vanderhoof said. "One of the things that people in the smart card industry have told me is this legislative language is really broad and subject to interpretation and that the technical nuances between various forms of RF-enabled technologies are not taken into consideration."
Despite the bad press being given to RFID by incidents such as the HID-IOActive squabble, the expert believes that common sense will win out and US lawmakers will create regulations that allow for use of more secure applications of the technology in the government setting.
"Our interest is to try to get people to become more specific about their language. When they say it's insecure to use long read-range RFID for an access card, they're probably right," said Vanderhoof. "We would like to see legislators putting meat on to laws that will make it costly for people to try to exploit weaker forms of these technologies to commit fraud. We think it's smarter to use legislation as a deterrent rather than to restrict the use of technologies, many of which have proven very cost effective and productive."