RFID Hacking Presentation Draws Legal Threats

IOActive, a consulting firm that specializes in information risk management and application security analysis, was slated to give a presentation on RFID hacking at the Black Hat DC Briefings this week; however, the presentation has been withdrawn due to controversy.

Joshua J. Pennell, founder and president of IOActive, said that "IOActive's researchers explored the security aspects of proximity badge technology [based on RFID chips], they became interested in validating long-standing theoretical attacks, taking them out of the academic realm, and verifying through actual implementation that such attacks might be practical and easily carried out." The researchers based their work on a specifications white paper published by HID Global.

Over the past several years, RFID technology has been shown to be crackable in numerous instances, including in credit cards, secure area access cards, and even in British and Dutch passports.

IOActive said that its presentation was intended "to raise awareness among security practitioners regarding the vulnerabilities of this technology, and to highlight the idea that no technology should be the sole mitigating control protecting important organizational assets."

However, when HID caught wind of the presentation, the company requested that IOActive not give it. HID asserted that the presentation would subject IOActive to "liability for infringement of HID's intellectual property," according to Pennell. On the advice of its legal counsel, IOActive decided not to give the presentation.

Nicole Ozer, technology and civil liberties policy director at the American Civil Liberties Union (ACLU) of Northern California, will speak in IOActive's allotted time slot at the Black Hat Briefings and hold a press conference after her presentation.

"The work of computer security professionals to reveal RFID vulnerabilities is integral to ensuring that the privacy, personal security, and public safety of millions of Americans are properly safeguarded.... The serious threats to privacy, personal and public safety, and financial security is why [the ACLU of Northern California] has been working to stop the use of insecure RFID tags in identification documents like passports and drivers' licenses," Ozer said.
