An RFID card vendor has gagged a security researcher to prevent him revealing details of vulnerabilities in RFID proximity cards.

HID threatened legal action against Chris Paget, a security researcher with IOActive. The RFID vendor also threatened action against IOActive if the projected talk, at the Black Hat security conference, went ahead. HID claimed that the presentation violated the company's patent rights.

The company decided to cancel the talk after all-night negotiations with HID collapsed, said Josh Pennell, CEO of IOActive.

IOActive's decision to abort their presentation follows days of negotiations between the two companies, after HID became alarmed about Paget's discussion, "RFID for beginners," which was to address widespread security issues with the implementation of RFID in proximity cards that are sold by HID and other companies.

Paget's RFID cloning device was on display at the recent RSA Security Conference in San Francisco , where he demonstrated how the device could be used to steal access codes from HID brand proximity cards, store them, then use the stolen codes to fool a HID card reader.

His presentation at Black Hat would have included schematics and source code that attendees could use to create their own cloning device, and a discussion of vulnerable implementations of RFID technology in a wide variety of devices,

The incident recalled a 2005 dispute over a presentation at Black Hat in Las Vegas involving Cisco Systems and Michael Lynn, a security researcher who worked for Internet Security Systems at the time.

HID claimed that Paget's talk would infringe upon two patents the company owns, one dating to 1991 and another dating to 1992 . Both cover methods of detecting RFID signals between a transponder embedded in a device and an "interrogator," according to a source familiar with HID's claims.
Pennell and others doubted that such broad patent claims could be used to stifle free speech, but said that the legal pressure mounted by HID, a subsidiary of Swedish firm ASSA ABLOY, was too much for his small, Seattle-based consulting firm to withstand.

"If we say anything, HID will sue. These large companies have lots of resources, so they can find [legal] matter with pretty much anything," Pennell said, admitting disappointment at the failure to reach an agreement with HID.

"It's always been IOActive's intent to help people with security," he said.

Chris Paget said that, unlike Lynn's sophisticated hack of Cisco's IOS operating system, the RFID cloning devices he built were simple devices concocted from around US$20 in off-the-shelf parts purchased on eBay.

"This thing is simpler than a Furbie," he said, referring to the plush electronic play toy of years past. Moreover, the HID patents in question are public documents, containing all the information needed to build the RFID cloner, he said.

"This is not something new that we're doing. HID has known about this for about two years, if not longer," Paget said.

Indeed, HID marketing materials for its Smart Card technology notes that "by using diversified unique keys and industry standard encryption techniques, the risk of compromised data or duplicated (smart) cards is reduced," and that "these security measures are not implemented in proximity cards, giving contactless smart cards a significant security advantage."

While it's possible to make secure RFID devices that can store sensitive information, the HID proximity cards that use it are not secure, and customers who use the cards need to know that, Paget said.

"Our intent was to disseminate information so people could make informed decisions about RFID technology they're deploying. For example, whether to deploy a proximity card with a secondary factor like a biometric or PIN [personal ID number]. But we've been prevented by HID from discussing that, and we believe it's detrimental to the security community," he said.

Nicole Ozer, technology & civil liberties policy director at the ACLU of Northern California, said that the work IOActive was doing was vital and that, while the group supports the enforcement of patent law, "free speech must be protected and not "trampled by the overzealous use of patent law."

Government agencies, including the Government Accountability Office and the Department of Homeland Security, have all raised concerns about RFID security, even as they issue guidelines for using RFID in passports and other documents, she said.

"It's particularly important that the government and the public have all the information on RFID technology. The use of RFID without the proper protections could jeopardise privacy, security, and public safety," she said.

A spokeswoman for HID did not immediately respond to a request for comment.

Original story by Infoworld (US online)