RFID security row hits Black Hat conference

Although RFID is a well established technology unseemly rows over its security are just emerging


The IT security community is buzzing with an RFID security row that broke out on 27 February 2007, one day ahead of the start of the Black Hat DC 2007 conference.

Officials with IOActive were forced to cancel a planned presentation at the government-themed security trade show in which an expert from the company was to have detailed a technique for hacking data transmitted by HID's proximity identification cards – used by millions of people nationwide.

Chris Paget, IOActive's director of research and development, had planned to show off an RFID "cloning" device that could be used to steal access codes from HID-brand proximity cards, store them, then use the stolen codes to fool an HID card reader.

According to show organisers, HID stopped the session by threatening to file a patent infringement suit against IOActive over the use of HID's source code in the demonstration.

Despite the Black Hat lecture's cancellation, US lawmakers say the debate over use of similar RFID security technologies in the government space is far from over.

IOActive claims that its initial experiment in hacking the HID system was partially spawned by the firm's physical proximity to government IT assets protected by the devices. The security service provider maintains that its offices are located in a building that uses HID's cards for physical access that also houses "components of the US’ critical infrastructure."

Legislators target RFID systems

Such concerns have pushed some lawmakers to introduce new bills seeking to limit the use of RFID-based systems in the government sector. Among those backing legislation is California Democrat Senator Joe Simitian, who is currently pushing five related bills in his home state.

One of the laws introduced by Simitian (California SB-31), whose district encompasses much of California's Silicon Valley, directly addresses "skimming," the hacker technique to have been displayed by IOActive through which wireless transmissions from RFID technologies may be captured.

A second bill (California SB-30) calls for a moratorium on the adoption of RFID technology in government-issued IDs, while the others propose controls barring applications for tracking students in the state's school systems.

Simitian submitted the bills after California Governor Arnold Schwarzenegger vetoed a broader piece of legislation proposing limits on the use of RFID in the government in October 2006. The governor cited his belief that the bill could "unduly burden the numerous beneficial new applications of technology" as his main reason for shooting it down.

To highlight the seriousness of the situation to California's senate and state assembly, Simitian conducted a test in 2006 where a security expert was hired to visit the state's capitol building in Sacramento and hack the RFID card system used to gain entry to the building's garage.

"We're at the state capitol building in the post-9/11 environment and we've spent millions to improve security, but in the space of several minutes, someone with a laptop can compromise the badge system," Simitian said. "The main problem is that the issues aren't widely understood. That's why we've come back with five bills – I want to ensure I get to tell this story in every venue that I can; if we can sit down and explain the issue to people, they get it but it's a hard, complex technical issue."

"Recommended For You"

CEBIT: European Commission plans to avoid RFID regulation Obama cybersecurity proposal questioned by lawmakers