Schneier on Security
A blog covering security and security technology.
February 28, 2007
Cloning RFID Chips Made by HID
Remember the Cisco fiasco from BlackHat 2005? Next in the stupid box is RFID-card manufacturer HID, who has prevented Chris Paget from presenting research on how to clone those cards.
Won't these companies ever learn? HID won't prevent the public from learning about the vulnerability, and it will end up looking like a heavy-handed goon. The attack isn't even secret: Paget demonstrated it to me and others at the RSA Conference last month.
There's a difference between a security flaw and information about a security flaw; HID needs to fix the first and not worry about the second. Full disclosure benefits us all.
EDITED TO ADD (2/28): The ACLU is presenting instead.
Posted on February 28, 2007 at 12:00 PM
Nicole Ozer, Technology and Civil Liberties Policy Director for the ACLU of Northern California, will be presenting at BlackHat in place of the IOActive researchers.
Her presentation is at 1:45pm, Wednesday.
So much for learning from mistakes of the past.
Hear! Hear! I hope this same mentality doesn't exist in the pharmaceutical industry. Can you imagine doctors hiding an extremely negative side-effect of a certain drug! Hide it from the public and they'll never figure it out (right!).
Using RFID for *anything* security-related is stupid. Even if the chip uses a cryptographically secure challenge-response protocol to prove identity, and if the secret held by the chip cannot be extracted, the system is still vulnerable to the MiG-in-the-middle attack (relay attack).
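The relay attack the comment above describes, as an added example that is not part of the original post or of any HID product: a simulated reader, a genuine card that answers challenges with an HMAC, and an attacker's relay that forwards each challenge to the real card over a longer link. The reader never receives a wrong answer, because the cryptography is done by the genuine card. The key, UID and latencies are constructed values; latency is modelled as a number rather than measured, so the distance-bounding check at the end is illustrative of the mitigation, not a timing measurement.

```python
"""Relay ("MiG-in-the-middle") attack against a challenge-response RFID card.

Added example: simulated reader, card and relay. Link latency is modelled
as an integer (microseconds) rather than measured on real hardware.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample identity; a real card's key would live inside the chip.
CARD_UID = b"\x04\x1a\x2b\x3c"
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


class Card:
    """Genuine card: answers a challenge with HMAC-SHA256 over (uid || challenge)."""

    def __init__(self, uid: bytes, key: bytes, latency_us: int = 20):
        self.uid = uid
        self._key = key
        self.latency_us = latency_us  # modelled air-interface round trip

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()


class Relay:
    """Attacker's proxy: presents the victim's UID and forwards every challenge."""

    def __init__(self, remote: Card, link_latency_us: int):
        self._remote = remote
        self.uid = remote.uid
        # The relay adds its own link delay on top of the card's round trip.
        self.latency_us = remote.latency_us + link_latency_us

    def respond(self, challenge: bytes) -> bytes:
        # No key material needed: the genuine card does the cryptography.
        return self._remote.respond(challenge)


class Reader:
    """Reader holding the per-card keys; optionally enforces a latency bound."""

    def __init__(self, keys: dict, max_latency_us: Optional[int] = None):
        self._keys = keys
        self.max_latency_us = max_latency_us

    def authenticate(self, channel) -> bool:
        key = self._keys.get(channel.uid)
        if key is None:
            return False
        challenge = os.urandom(16)  # fresh per attempt, so replay alone fails
        expected = hmac.new(key, channel.uid + challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, channel.respond(challenge)):
            return False
        # Distance bounding (modelled): a card in the field answers within a
        # few tens of microseconds; a relayed answer cannot.
        if self.max_latency_us is not None and channel.latency_us > self.max_latency_us:
            return False
        return True


def demo() -> dict:
    """Run the four cases: genuine card and relay, against naive and bounded readers."""
    card = Card(CARD_UID, CARD_KEY)
    relay = Relay(card, link_latency_us=5000)  # e.g. a GSM/IP hop to the victim
    naive = Reader({CARD_UID: CARD_KEY})
    bounded = Reader({CARD_UID: CARD_KEY}, max_latency_us=100)
    return {
        "genuine_card_naive": naive.authenticate(card),
        "relay_naive": naive.authenticate(relay),
        "genuine_card_bounded": bounded.authenticate(card),
        "relay_bounded": bounded.authenticate(relay),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'access granted' if ok else 'rejected'}")
```

Note that the naive reader grants the relay exactly as it grants the genuine card: the protocol is sound, and it is still defeated, which is the comment's point. Only a check the relay cannot satisfy (here, a bound on response time) separates the two.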
Steve, you mean like Eli Lilly (http://www.eff.org/news/archives/2007_02.php#005122)?
HID access cards are in widespread use as building access controls. These systems keep access logs of "who" (which card) accessed which door at what time.
Could there be criminal cases where the access logs form an important part of the evidence?
HID may get away with bullying a small company at a conference. I wonder how they'd deal with a nice subpoena/discovery process...
What I don't get is how this is a patent issue. Isn't the point of a patent that it's clear and in the open - patent, in other words? Patent protection is meant precisely to increase the amount of public knowledge, by giving sturdier legal protection to published inventions than to trade secrets.
I mean, I can see if they thought the particular device he'd constructed infringed on their patents. But giving a presentation that basically just explains how these devices work, doesn't seem to me like it could be a violation of patent. If the patents themselves are written, as they're supposed to be, so that one skilled in the art could reproduce them, then anyone could go to the patent office and get a copy of any information HID is claiming is protected.
But of course IANAL...
We cherish innovation. People that question the consequences or future uses of it are doing what the rest are too lazy to do. It's amazing, but there are people out there who say we don't want to hear about it. Maybe they can write an RFID for Idiots or Dummies book and sneak it into the public that way.
But if we don't tell anyone that it's a bad idea to place tripping hazards on the stairs and put extension cords under rugs then the bad guys won't know to place tripping hazards on the stairs or put extension cords under rugs!
Anyone with a Mac look carefully at the latest security patches? A whole bunch of them came out of the Month of Apple Bugs. Recall all the fear-mongering about these pernicious hackers having the audacity to openly disclose these bugs. Does anyone believe that Apple would have come out with the patches as quickly without public disclosure?
I remember that when 10.4 came out, they replaced cron with periodic. Periodic was buggy (badly, badly tested), but no bug fix came out for !4 months! We're talking about crucial infrastructure for anyone doing more than using a laptop to read blogs. Yeah, I trust industry to do the right thing without a fire under their ass...
This is silly. You can use patented ideas for research. You can present research based on patented ideas. You can't use patented info for commercial gain (which perhaps, as the presentation could have marketing value for IOActive themselves, might apply tenuously to the presentation). IOActive can't sell such a device (or perhaps even plans for such a device), but unless they had 'em for sale, no big deal.
Of course pulling the preso is good marketing for IOactive, and potentially even for HID!
There already is an 'RFID for Dummies' book, by Patrick J. Sweeney. One of the people I work with has it on his desk. And you can find it on Amazon easily enough.
The ACLU is good, but personally I would have invited someone from the EFF to speak instead. The subject: "The US Patent System, and How It's Completely Borked".
I'm mildly surprised DHS isn't giving IO Active employees a cavity check or two.
An open letter to HID.
Your actions in this case have convinced me never to buy a product from your company. That simple. By harassing IOActive, and suppressing any opportunity for me to examine the actual evidence, you've completely convinced me that there is a security hole the size of a truck in your products. Remember for every person who tells you what I have there are dozens, hundreds maybe thousands who think the same and have placed you on their personal blacklists.
Subscribe to Ian's open letter.
Lol, I think it results from "too many chefs in the kitchen".
You'll need a bigger stupid box to keep a collection. Alas, but it is rather common practice outside academia.
For example, I had planned a short presentation on smartcard issues IRL for a rump session at the last Eurocrypt but was told not to. So, as you know, I did not.
Usually such things happen quietly, thus nobody notices.
Who needs technology for increased "security"?
We have a surplus of chilling effects provided by black-blazered thugs. They're now providing the real "security" in the country. Don't like it? You're unpatriotic! :mad:
There are plenty of well established public key protocols that are immune to man-in-the-middle attacks and cloning. Why aren't these used? Are the chips used in RFID just not up to it yet or are these companies just stupid/lazy?
Hide the problem or fix the problem... hmmm. History shows that lacking laws to enforce the proper behavior, a company will do what's cheaper. We need strong RFID laws NOW.
@dragonfrog: "What I don't get is how this is a patent issue."
I doubt it is a patent issue. It looks like a typical "If you don't keep quiet I'll hit you with a lawsuit that I wouldn't win but which you can't afford to fight" tactic.
It's just a way of bullying the opposition into (possibly) submission.
This is so old. The only issue here is that the IOActive presentation was going to (illegally) present proprietary information about HID's prox card solution. HID itself has a white paper detailing this exact issue and how they've addressed it in their current cards: http://www.hidcorp.com/pdfs/... so I don't see the big deal.
Either it's a proprietary trade secret or it's patented; it can't be both. As HID threatened action under patent law, they're making no trade secret claims, so I think you err.
The "proprietary information" sounds problematic. RFID is being deployed publicly, so the public isn't served by not knowing. It's like saying trust us, it will be fine. RFID is disposable technology, so if it is broke something will replace it. Hopefully something that is designed in a open and secure environment, like a library. If you can't research it and understand it, it is useless. With this, you can't even discuss it which is dumb.
The further problem is that the only way to present proprietary information illegally is if someone signed an agreement beforehand not to reveal it. I highly doubt that these researchers signed any NDAs, so the likelihood that the information they were presenting was illegal is nil. It's either a trade secret (you run the risk of it becoming public [and thus free] if you don't protect it properly) or a patented idea (nobody can legally use it, but it is public).
With Paget's work and the work from a couple of Cornell students who admit "While we were not able to discern the method to translate ones actual Cornell ID number into an RFID tag, we were still able to wirelessly extract the code and process it for meaningful use." http://instruct1.cit.cornell.edu/courses/ee476/... The RFID industry as a whole MUST review their security practices. Get a paper US passport NOW if you still can.
"There's a difference between a security flaw and information about a security flaw"
When a whole system is composed of a number of subsystems, the one that tends to dominate is the one that is the least stable. It can be mathematically proven. Knowing what is the least stable benefits us all. Fore-warned, fore-armed. We adapt better to future problems if we have information in advance about what lies ahead.
What lies ahead. RFID, chips that are just 0.002 inches by 0.002 inches and look like bits of powder. They can be embedded in paper. New RFID staples are on the way too. Don't tell anybody.
Isn't this kind of behavior illegal? It seems like suppression of free speech. As long as HID can hush the little guy by threatening legal action they will continue to do so. Perhaps we need to fight back!!!
I work for a leading manufacturer of security hardware. It's kind of funny that people are concerned about cloning proximity cards. Proximity cards are just another layer of security that will keep out the average non-engineering types. I sell these cards, and know the faults of them. The only problem is that customers don't give a crap about the faults. The cards are best used in conjunction with a keypad or biometric read (where a PIN or fingerprint is required IN ADDITION TO the prox card). The only problem is that customers do not want "real" security... they want something that looks like security to their bosses, but also something that does not inconvenience anyone. Customers just don't want to be inconvenienced with a two-step process because that actually takes work.

What is really stupid is that most controllers (the things that actually listen to the data coming off of the readers) are listening to data from the Wiegand interface... which is like a uni-directional serial port for the Security Industry. Both data lines of this port are held high. If you had access to these wires, you could pull these lines low with a simple circuit that could easily transmit data to the controller, trying out as many card IDs as you like. Some cheap controllers do not even have preventions that stop reading for a time after multiple false card reads occur.

Even worse, on cheap controllers, you just have to break the reader off of the wall and connect the power leads together. On cheap controllers, this short will cause the controller to short, which could cause a lock to energize or de-energize. So how is that for security?
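To make concrete what a controller actually receives over the Wiegand wires the comment above describes, here is an added example (not from the post, and not HID's or any vendor's code) that encodes and parity-checks the standard 26-bit Wiegand frame: a leading even-parity bit over the first 12 data bits, an 8-bit facility code, a 16-bit card number, and a trailing odd-parity bit over the last 12 data bits. The page never names this layout; it is the widely used 26-bit format, assumed here. The whitelist, the card values and the controller model are constructed for the example.

```python
"""26-bit Wiegand frame: encode, parity-check, and model a whitelist-only controller.

Added example. The frame carries no secret, only an 8-bit facility code and a
16-bit card number plus two parity bits, so anything that can drive the
DATA0/DATA1 lines can replay a captured frame or walk the whole ID space.
"""

FACILITY_BITS = 8
CARD_BITS = 16
FRAME_BITS = 26


def encode_wiegand26(facility: int, card: int) -> str:
    """Return the 26-bit frame as a '0'/'1' string, leading parity bit first."""
    if not 0 <= facility < (1 << FACILITY_BITS):
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card < (1 << CARD_BITS):
        raise ValueError("card number must fit in 16 bits")
    data = format(facility, "08b") + format(card, "016b")  # 24 data bits
    even = data[:12].count("1") % 2          # even parity over first 12 data bits
    odd = (data[12:].count("1") + 1) % 2     # odd parity over last 12 data bits
    return f"{even}{data}{odd}"


def decode_wiegand26(frame: str) -> tuple:
    """Parse and parity-check a frame; raise ValueError if it is malformed."""
    if len(frame) != FRAME_BITS or set(frame) - {"0", "1"}:
        raise ValueError("frame must be 26 binary digits")
    data = frame[1:25]
    if int(frame[0]) != data[:12].count("1") % 2:
        raise ValueError("even parity check failed")
    if int(frame[25]) != (data[12:].count("1") + 1) % 2:
        raise ValueError("odd parity check failed")
    return int(data[:8], 2), int(data[8:], 2)


def controller_decision(frame: str, authorised: set) -> str:
    """Model a controller that only checks parity and a whitelist: 'grant', 'deny' or 'malformed'."""
    try:
        ident = decode_wiegand26(frame)
    except ValueError:
        return "malformed"
    return "grant" if ident in authorised else "deny"


def enumerate_facility(facility: int):
    """Every well-formed frame for one facility code: the 2**16 candidates a
    brute-forcer on the reader wires would need to try."""
    for card in range(1 << CARD_BITS):
        yield encode_wiegand26(facility, card)


def demo() -> dict:
    """Round trip, replay, wrong card, corrupted parity, and the search space size."""
    authorised = {(123, 45678)}  # constructed whitelist
    good = encode_wiegand26(123, 45678)
    flipped = good[:-1] + ("0" if good[-1] == "1" else "1")  # corrupt trailing parity
    return {
        "frame": good,
        "decoded": decode_wiegand26(good),
        "replayed": controller_decision(good, authorised),
        "wrong_card": controller_decision(encode_wiegand26(123, 45679), authorised),
        "bad_parity": controller_decision(flipped, authorised),
        "candidates": sum(1 for _ in enumerate_facility(123)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parity bits are the only integrity check in the frame, and they are computed from the data itself, so an attacker generating frames on the wire simply computes them too. With the facility code known from one captured frame, the remaining space is 65,536 card numbers, which is why the comment's point about controllers that never throttle repeated bad reads matters.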
Jennifer Granick acknowledges that IOActive may be guilty of patent "inducement" (see http://www.wired.com/politics/law/commentary/...).
At http://www.patentclaim.com/IP_Resources/... Alexander Poltorak of General Patent Corporation explains
"Indirect infringement takes two forms: contributory infringement or inducement to infringe. Patent law states that "whoever actively induces infringement of a patent shall be liable as an infringer" (35 U.S.C. § 271(b)). In other words, a company does not have to infringe a patent directly in order to be sued for patent infringement."
"Induced infringement is that which enables the direct infringer to practice the patented invention. This type of infringement can take the form of helping the direct infringer to assemble the patented product; providing instructions that detail how to produce the patented invention; preparing instructions for consumer use; or licensing plans or a process which enable the licensee to produce the patented product or process. The test for induced infringement is whether the inducer has demonstrated active aiding and abetting of the direct infringer's infringing activities."
Based on this, it actually seems likely that IOActive would have been guilty of patent inducement had they gone ahead and released schematics and source code.
IOActive backed off after consulting their expensive attorneys for a reason. So they decided to take the "safe" route and not release the source code and schematics. By posting HID's letter, IOActive managed to make it look like another case of a big company stifling a security researcher, which is why this became big news. As pointed out by other people, this wasn't the first time that a Prox card was cloned.
RadioActive: This might be true IF HID has a valid patent. I am not aware that they do around Prox. There are two parts to prox. The 125 kHz frequency, which is 20 years old and whose patent is long expired, which is why this frequency in building access can be obtained anywhere. And the numbers that get encoded on the chip.
If you are telling me that someone can patent a number, I cite that you have a time stamp in your post of 11:01 pm. Just so happens, I have the number sequence 1101 patented and you have infringed. Ok, I never submitted a patent on that number, but same thing... can't patent a number!!!
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.