New Controversy over Black Hat Presentation 144
uniquebydegrees writes "InfoWorld is reporting about a new controversy swirling around a planned presentation at Black Hat Federal in Washington D.C. this week. Security researcher Chris Paget of IOActive will demo an RFID hacking tool that can crack HID brand door access cards. HID Corp., which makes the cards, is miffed and is accusing IOActive of patent infringement over the presentation, recalling the legal wrangling over Michael Lynn's presentation of a Cisco IOS hole at Black Hat in 2005. Black Hat's Jeff Moss says they're standing by their speaker. A news conference is scheduled for tomorrow AM." Update: 02/27 20:10 GMT by Z :InfoWorldMike wrote with a link to story saying that the presentation has been pulled from the slate for Black Hat, as a result of this pressure.
What hack? (Score:4, Interesting)
So what is this "hack"? Recording and replaying the serial is nothing new.
HID has its head in the sand (Score:5, Interesting)
Re:What hack? (Score:5, Interesting)
Re:What hack? 100% Right (Score:3, Interesting)
I'm not smart enough to do it, but a very interesting project for those with the talent would be building a hardware device to spoof cards and brute force access control systems like most parking structures and numerous physical building access control systems. I'm not aware of any brute force detectors in those access control systems.
This is the tip of the proverbial iceberg for HID's (in)security. Though, most people who bought the systems had more secure options, they chose the least secure. It's hard to blame HID.
What amazes me is someone at HID has to pretend this is some kind of serious compromise. They probably sleep just fine after spending their workday spreading lies too. Sometimes I wish I could do that. I could make a heck of a lot more money lying.
Re:Security through Risibility? (Score:3, Interesting)
Re:HID has its head in the sand (Score:3, Interesting)
You really wouldn't want to encourage people to put them away, because they'd probably put them in purses or briefcases, and lose them, or put them in wallets and get them stolen (or read just as easily), and it would also defeat the physical-security purpose of the cards, which is to act as an ID badge when you're in a secure facility.
I think the solution is just to issue everyone a metallic container, which slips over the card and covers the portion of it that contains the antenna. Maybe you could even design one that would reveal (through a clear front) the name and picture of the bearer, but cover the back of the card and keep it from being read.
Most people keep their access cards in little clear-plastic holders anyway (because the new USG computer systems require you to jack the card into the keyboard in order to log in), so stepping up to some sort of metal one wouldn't be that big a deal, and it would prevent a lot of card-cloning/warscanning attacks.
Re:What hack? (Score:5, Interesting)
If this is just a tool to clone HID Prox cards, then it's nothing new... but it'll make me look good to my boss. (Sweet!)
If it's a tool to spoof iClass readers then it's new, a pretty big deal, and I just wasted a few thousand bucks. (Boo!)
Re:I assume it reports random numbers (Score:3, Interesting)
countermeasures: use longer ident numbers when programming the things.
Or do what the devices already do: have at least a second's worth of delay between them, log invalid access attempts, and have the reader beep each time a card's signal is detected.
Slashdotters tend to be very arrogant about this sort of stuff. Did it occur to you that most of these concerns are obvious, and are both understood by security professionals and have been addressed to some degree?
Example: even if you can clone the card, at most datacenters (for example) you need a keycard AND either a biometric scan or keycode.
Keycards aren't the ultimate security control and never were. Hell, I don't even need a keycard to get to my desk at work; I just walk by with everyone else from the shuttle bus, hop in the elevator at the same time, etc. You don't need to clone cards when you can piggyback off people who have 'em. Of course, I'm recorded on at least 2-3 security cameras entering the building, so if I were not supposed to be there, they'd be able to prove it was me.
Re:Responsibility? (Score:3, Interesting)
Re:HID has its head in the sand (Score:3, Interesting)
Yes, RFID is cool and all, but in a lot of ways people are using it as solution to a problem that doesn't exist.
They're starting to put it in credit cards, which just makes no sense to me at all. Instead of sliding it through a reader, you just 'tap' it on a pad? Ok, what's the difference, besides the fact that you're forcing merchants to buy new readers? I'm sure there's probably banks out there sticking RFID in bank cards, then advertising "hey, you don't need to swipe OR use a PIN anymore!"...
after the building is taken down, that is (Score:3, Interesting)
"hey, pard, where's your badge today?" costs nothing. adds 60,000 security persons to the force. even if half of them are just going through the motions day in and day out, it can stop a lot of riders.
Re:HID has its head in the sand (Score:2, Interesting)
It's common now for cell phone cases to have magnetic flaps on them. The only reason I can keep my work access cards with my phone (harder to forget due to bulk), is they are RFID.
Re:The demo is cancelled.... (Score:2, Interesting)