New Controversy over Black Hat Presentation

uniquebydegrees writes "InfoWorld is reporting about a new controversy swirling around a planned presentation at Black Hat Federal in Washington D.C. this week. Security researcher Chris Paget of IOActive will demo an RFID hacking tool that can crack HID brand door access cards. HID Corp., which makes the cards, is miffed and is accusing IOActive of patent infringement over the presentation, recalling the legal wrangling over Michael Lynn's presentation of a Cisco IOS hole at Black Hat in 2005. Black Hat's Jeff Moss says they're standing by their speaker. A news conference is scheduled for tomorrow AM." Update: 02/27 20:10 GMT by Z :InfoWorldMike wrote with a link to story saying that the presentation has been pulled from the slate for Black Hat, as a result of this pressure.

Ooh! Ooh!

[Kingrames (858416)]

Hat Fight!

Security through hat-scurity

[spun (1352)]

Dude, the hat was on the doorknob. You know that means you can't come in. I'm gonna sue you for infringing on my patented hat security system and making me go limp.

What hack?

[Jordan Catalano (915885)]

Aren't HID cards passive? Last I checked, they just reported a serial number.

So what is this "hack"? Recording and replaying the serial is nothing new.

Re:What hack?

[Lumpy (12016)]

also how is it new? I did this 2 years ago with a kit I bought off the net. It will read a prox card and clone it. I scared the crap out of the Director of security into actually enforcing security policy after demonstrating how his "uncrackable" card access security was incredibly easy to get by.

Re:What hack? 100% Right

[mpapet (761907)]

Nearly every HID card out there is passive and will give anyone that passes the right kind of reader in front of it the numbers on the card. I'm not sure why this warrants its own talk or is viewed as a "breakthrough" of any kind.

I'm not smart enough to do it, but a very interesting project for those with the talent would be building a hardware device to spoof cards and brute force access control systems like most parking structures and numerous physical building access control systems. I'm not aware of an

Re:What hack? 100% Right

[gclef (96311)]

The BlackHat speaker isn't presenting it as new...what he *is* doing, though, is giving away schematics to build devices to do the reading and cloning. That's what's getting HID's attention. Lots of people knew you could do this...not so many had a clear schematic & parts list to actually go *do* it.

Re:

[blincoln (592401)]

I may be wrong in assuming this, but it seems likely that the security system would detect a brute force attempt pretty quickly.

Even if it doesn't, halfway competent security staff would notice the attempt right away. One of the guys here showed me how their monitoring system works once - any time someone uses an invalid card (whether it's deactivated or just doesn't have access to that door) or the door is held open too long, or anything else out of the ordinary happens, the security cameras take snapshots

Re:What hack?

[peacefinder (469349)]

Basic HID Prox cards just report a serial number. HID also makes a version that has some cryptographic component, called iClass. When I spec'd a security system last year, I insisted on crypto-enabled cards and readers. (We ended up with HID's iClass.)

If this is just a tool to clone HID Prox cards, then it's nothing new... but it'll make me look good to my boss. (Sweet!)

If it's a tool to spoof iClass readers then it's new, a pretty big deal, and I just wasted a few thousand bucks. (Boo!)
 

Re:

[ivan256 (17499)]

It's not really anymore broken than a regular pin and tumbler key lock. Sure, with this you can copy somebody's key by walking by them, but I bet it would be pretty easy to get an image of a key in somebody's pocket too... Just an IR camera would probably do the trick.

At least with the RFID system, if you try to brute force the door it can disable access and call the cops after a certain number of failures. You can try keys off a ring, or pick at a physical lock all day as long as nobody happens to see you.

Pretty much just like a key.

[Kadin2048 (468275)]

Sure, you could make this a lot more secure, but it's not any worse than regular locks. It's basically the same as regular locks but with easy revocation.

And with a huge false sense of security. Oh, and it costs a lot more.

So, exactly what's the benefit again? Aside from the fact that employees can act all cool, by waving their badges at a sensor instead of sticking a metal piece in the door?

In other words...

[by Anonymous Coward]

"Your door is secure because bad guys would have to infringe on our patents to open it!"

Patent = No Hacking

[Cassini2 (956052)]

They have a patent. Therefore, no one can break their security. It would be illegal.

I'm convinced.

Re:Patent = No Hacking

[physicsboy500 (645835)]

They have a patent. Therefore, no one can break their security. It would be illegal.

It's also ironic that the US Patent & Trademark Office uses HID cards on their doors...

A circular protection that can not be broken

Re:

[LifesABeach (234436)]

Just a thought, would this be an indicator as to who has purchased the card duplicator kit? If the door to the patent office is locked:
1. duplicate a working card.
2. open door to the patent office.
3. profit!

"The end justifies the means." - Sophocles

HID has its head in the sand

[doroshjt (1044472)]

The comment "For someone to be able to surreptitiously read a card, they'd have to get within two or three inches and get into the same plane as the card," by Kathleen Carroll, a spokeswoman for HID's Government Relations. Thats not hard to do at all in the federal world. Ride the metro around 7:30 on a weekday and almost every person on it has a proximity badge around their neck or on the belt along with their ID badge. Its like showing the world your cool that you work at the agriculture department or something. But I've seen everything from State Department badges, treasury, and justice department badges on full display on super crowded metro trains.

Re:

[Kadin2048 (468275)]

I think part of the reason for this (besides the obvious penis-length contest, which is definitely true -- IIRC what's important isn't what's printed on the cards so much as the color, e.g. white for USG employees, pink for contractors, etc.) is because you're told in security training to always keep the cards on your person, and not put them in a laptop bag / briefcase / purse. So people keep them hanging near their keys at home and put them on as they're leaving.

You really wouldn't want to encourage peopl

Re:

[gregmac (629064)]

I think the solution is just to issue everyone a metallic container, which slips over the card and covers the portion of it that contains the antenna. Maybe you could even design one that would reveal (through a clear front) the name and picture of the bearer, but cover the back of the card and keep it from being read.

How about just use magnetic stripe cards? The only way to read it is to physically slide it through a reader.. if you have to 'open' your RFID card to get the reader to recoginize it, then it's just as simple to slide it through a reader on the wall, but probably much cheaper.

Yes, RFID is cool and all, but in a lot of ways people are using it as solution to a problem that doesn't exist.

They're starting to put it in credit cards, which just makes no sense to me at all. Instead of sliding it through a reader

Re:

[still cynical (17020)]

Magnetic stripes are notoriously fragile and unreliable. Get your card too close to a decent magnet (more common than you think), and it's now unreadable. RFID saves a lot of administrative work in replacing cards that have been demagnetized. It would really suck being on-call and not able to get into our data center. My boss does not want to be woken up at 3am on a holiday weekend because the stripe on my card wore out.

It's common now for cell phone cases to have magnetic flaps on them. The only reaso

Re:HID has its head in the sand

[dgatwood (11270)]

You know, in fifteen years of carrying a credit card, I have never had one fail. The high-coercivity mag stripe cards are darn near indestructible. By contrast, the low-coercivity cards that they use at some hotels... I've had them just suddenly fail on the third or fourth use and have to be reprogrammed multiple times in a single night (and about the fifth time I had the same card reprogrammed, they tossed it in a trash can and programmed a fresh one for me, which never failed again).

Put simply, low-coercivity cards suck, but high-coercivity cards are pretty solid. Just don't cut corners on your card programmers and you'll be fine.

DoD policy:

[HBI (604924)]

Paraphrased:

Wear badge between neck and waist level at all times when on premises.

Put card away when off-base.

Never use card as a civilian-side ID.

Spent 5 years living this.

Re:HID has its head in the sand

[Rick17JJ (744063)]

Several companies already make RFID blocking wallets. Presumably something similar could easily be designed for ID badges. I don't know for sure, but the wallets are probably lined in a way to make it act like a Faraday cage [wikipedia.org]. Here are examples of RFID blocking wallets:

• RFID Blocking Wallet [thinkgeek.com]
• Stainless Steel Wallets [moderngent.com]

Security is not a product

[TheWoozle (984500)]

Security is constant vigilence. Certain tools come in handy, but they are not by themselves security. Security is either part of your corporate culture and SOP, or it is not. You can't buy something and tack it on to make your business secure. The sooner PHBs learn this, the sooner we can get past all this nonsense.

Security through Risibility?

[Odiumjunkie (926074)]

From TFA:

> HID has sent a letter to IOActive, a security consulting firm, accusing Chris Paget, IOActive's
> director of research and development, of possible patent infringement over a planned presentation,
> "RFID for beginners," on Wednesday, a move that could lead to legal action should the talk go
> forward, according to Jeff Moss, founder and director of Black Hat.

I, for one, take comfort in the fact that HID Corp can sue anyone that breaks into my workplace after cloning my security card.

Re:

[Jeff DeMaagd (2015)]

Risibility? Wow, that looks like a pretty obscure word. I don't think I've seen it before, I had to look it up.

Re:

[ResidntGeek (772730)]

Haven't you seen The life of Brian? "Do you find something... wisible... when I say the name BIGGUS.......... DICKUS???"

I assume it reports random numbers

[swschrad (312009)]

until you stop the toy when the door lock clicks.

countermeasures: use longer ident numbers when programming the things. put a GOOD camera above the door or use an IR detector and if somebody stays at the door for a minute, the guard should use the intercom and ask them if they want to sleep in another doorway, or if they need to talk to a sheriff's deputy.

moral: relying on any one layer of security is no security if somebody really wants in. multiple levels and somebody awake someplace who cares will fix

Re:

[SuperBanana (662181)]

countermeasures: use longer ident numbers when programming the things.

Or do what the devices already do: have at least a second's worth of delay between them, log invalid access attempts, and have the reader beep each time a card's signal is detected.

Slashdotters tend to be very arrogant about this sort of stuff. Did it occur to you that most of these concerns are obvious, and are both understood by security professionals and have been addressed to some degree?

Example: even if you can clone the card

after the building is taken down, that is

[swschrad (312009)]

which is why my outfit is always cautioning workers to avoid "riders," don't let anybody pretend to be your shadow flitting by as the door closes... unless you see their badge.

"hey, pard, where's your badge today?" costs nothing. adds 60,000 security persons to the force. even if half of them are just going through the motions day in and day out, it can stop a lot of riders.

Responsibility?

[Diluted (178517)]

From the article: "These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.
This blows me away. Rather than taking the responsibility for having a flawed security system, rather than having the responsibility as a company to say "Hey, yeah we know about this and we are going to fix it after 15 years," the company accuses the security researcher of a lack of responsibility for "revealing" how to exploit these systems. I feel like bizarro world has become the real world when I read these kind of comments.

Re:

[xsbellx (94649)]

Yeah, that quote caught my eye along with:

Asked why HID hasn't addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause "major upheaval" among customers.

.

I can just picture this attitude at work:

ME: Hey Boss, big security whole in our servers. We will have to start patching immediately. Might take several days.

MANAGER: No, it's too much work for your team and it will upset the users. Go home, sleep well and we can look at this later.

Next day...
DIRECTOR: Let me introduce your new manager....

Re:

[Schraegstrichpunkt (931443)]

It's not the same thing. With Internet-connected servers, anyone who has access to the Internet is a potential attacker, knowledge of a vulnerability (i.e. automated exploit software) can spread extremely quickly, and it's easy to hide behind surrogates (i.e. proxies, botnets, etc). With door locks, the pool of potential attackers is a lot smaller, and the personal risk for an attacker is much greater.

Litigation vs. Inteligent Implementation

[Tomis (972713)]

If you base your security model singularly around patents instead of proper implementation, then there is something wrong with your security model.

Unless he's selling this....

[tinkerghost (944862)]

I don't see how HID is planning on getting around the education & research exemption in the patent process.

Keep our secret

[Nom du Keyboard (633989)]

Don't reveal this. Keep our secret. Heaven forbid that someone else find out that a 19 cent Bic pen cap -- err, new hacking tool -- can compromise our fancy electronic Tom Swiftian, door locks. Fsk the attempts of our customers to be well-informed. It could hurt our profits.

(No thoughts about what it might do to their customer's profits after a few break-ins.)

Proximity vs RFID

[cbeaudry (706335)]

The article and this guy on the video seem to be confusing RFID and Proximity (125khz).

Its really odd to hear them mention you'd need to bring the card up to 2-3 inches to the reader, when they keep talking about RFID.
Its clearly proximity.

Also the fool on the video mentions this as if its new, numerous websites mention how to do this and have for years.

Proximity has its draw backs and EVERYONE knows this.

Which is why HID HAS addressed it with new products. HID iClass readers. 13.56mhz, with Encryption between the card and the reader. After 2 roll-overs of public to private encryption keys, you no longer can just read the card with any reader you actually need to know the private key.

So:

RFID not what they are talking about.
RFID /= Proximity
RFID should not be used for access control (unlocking doors from 5 feet a way... seriously...)
Proximity vulnerable (nothing new)
HID iClass (13.56mhz proximity with Encryption) HID has a solution (makes me wonder why they never mention it though...)

Disclaimer: I don't work for HID, but I'm a Sales Engineer for an Access Control company and we use HID readers or our own which are also Proximity.

Re:

[Schraegstrichpunkt (931443)]

After 2 roll-overs of public to private encryption keys

What does that mean? Is there a paper online somewhere that describes the scheme?

Proximity vs RFID vs What?

[BenEnglishAtHome (449670)]

OK, I know nothing about these systems so I'm going to ask a stupid question. The very first time I ever saw an access control that opened a door lock when a card-bearer approached was in the giant Compaq retail/factory warehouse clearance outlet in Houston, more than a decade ago. (Great place. Old stock, reconditioned stuff, and odds 'n ends out the ying-yang, all at firesale prices and the staff actually worked for Compaq, meaning they knew what they were doing.) That system opened the door between t

The demo is cancelled....

[8127972 (73495)]

.... More detail here:

http://news.com.com/Black+Hat+talk+on+RFID+access+ badge+risks+nixed/2100-1029_3-6162547.html?tag=nef d.top [com.com]

Gah

[Phanatic1a (413374)]

"I don't like it when really big companies throw their weight around," Jeff Moss, founder of Black Hat conferences, said on the Tuesday conference call. "This threatens the whole conference business."

What are you thinking, Jeff?

In 2005, you canceled a presentation because you received a legal threat from Cisco. You demonstrated to any company out there, that if they don't want a presentation to happen, all they need to do is send a scary warning on some official letterhead, and Black Hat will cancel the p

Re:

[dean.collins (862044)]

i dont know why these companies incorporate in the first place if they are worried about being sued. you incorporate a company for each event with $1 assets and liquidate after each show. big deal. only way to get presentations pulled then is through injunction before the event. Dean

RFID should just be PART of Security

[Critical Facilities (850111)]

We're able to make copies of keys, yet they're still widely used as "security" measures in offices worldwide. Why is this any different? I've always been taught that a successful Security strategy is comprised of the 3 concepts:

What you have - your ID badge/card
What you know - the PIN associated with that card
Who you are - a fingerprint/retinal scan/etc to be used with that card

The point is, ok, someone figured out how to easily clone RFID enabled "access cards". Is it the manufacturer's fault that many places rely SOLELY on those badges for their perimiter/access control? If your facility is truly "secure", there should be at LEAST the requirement of a PIN typed in along with a card swipe as well as cameras, physical security, and other standard procedures. If your facility's management has opted to rely on the cards as the only means of controlling who enters and when, then blame that same management if a problem happens. The term "security" is very subjective. What might pass for your average office building would never pass at a serious Datacenter or other Critical Facility.

Must be free to highlight problems

[bytesandpieces (1069308)]

The work of computer security professionals to reveal RFID vulnerabilities is integral to ensuring that the privacy, personal security, and public safety of millions of Americans are properly safeguarded.

With the Department of Homeland Security expected to release the Real ID regulations very soon and dictate what type of machine readable technology will be in every drivers' license and whether it will contain RFID chips, and the Department of State starting to roll out RFID-embedded passports, it is partic

How does this infringe?

[theonetruekeebler (60888)]

How can a presentation on a patented technology possibly infringe on the patent? A patent is already published information. Theirs are published here [uspto.gov] and here [uspto.gov]. If you don't want information about your system known to the public, you don't get a patent.

This is some of the most contemptible saber-rattling -- and caving -- I've seen this year.

Re:

[spun (1352)]

I've patented a method for gaining karma by making posts about patenting the patent system. Expect a call from my fully battle-trained law-panthers.

Re:

[idontgno (624372)]

2MPA2C*

*(too much prior art to cite)

Re:

[bagofbeans (567926)]

Make and sell something.

Nothing to stock an individual using a patent to build a one-off.

Re:

[Aim Here (765712)]

Except 35 USC 28 perhaps:

"(a) Except as otherwise provided in this title, whoever without authority makes, uses, offers to sell, or sells any patented invention, within the United States or imports into the United States any patented invention during the term of the patent therefor, infringes the patent." (emphasis mine)

From: here [cornell.edu]

Not that I think HID's whinge has any merit whatsoever. Hell, even the first amendment should protect someone demonstrating a prototype cracking tool for the purposes of showing

Re:

[Overzeetop (214511)]

Making the tool: okay
Using tool: okay
Showing others how to use the tool: still okay
Selling the tool: not okay.

At this point, I'd say he's in the clear unless he's selling the tools or the schematics (though you probably can sell the schematics, since you apparently can sell access to the Patent database.) You actually have to make something and sell it to violate a patent - personal use is just fine.

Re:

[Schraegstrichpunkt (931443)]

Didn't you hear? ImmuneID prevents terrorism and "any possible threat"!

Re:

[Schraegstrichpunkt (931443)]

Typical Americans. You concentrate only on the whitehats and the blackhats, while ignoring the plight of the yellowhats, brownhats and redhats. Shame on you!