As an active member of the information security community, IOActive is committed to protecting organizations and the public against technical threats. For example, IOActive was one of the early private sector companies to offer volunteer security services to the FBI in performing steganographic analysis of data traffic immediately after 9/11. IOActive has also donated well over $250,000 worth of services to non-profit organizations and universities.
As part of ongoing research into the efficacy of various security technologies, IOActive began exploring RFID technology from a security perspective. In particular, we became interested in the application of the technology in proximity badges commonly used to control physical access to buildings and data centers.
Since IOActive’s offices are located in a building that uses this proximity badge technology, and also houses components of the nation’s critical infrastructure, IOActive launched a research and development effort to help us better understand the exposures and vulnerabilities related to this technology.
As IOActive’s researchers explored the security aspects of proximity badge technology, they became interested in validating long-standing theoretical attacks, taking them out of the academic realm, and verifying through actual implementation that such attacks might be practical and easily carried out.
The concepts behind this attack are not new. Indeed, most of our efforts in validating the effectiveness and ease of this attack involved reviewing research already performed by others in this area. In fact, HID Global Corporation, the leading manufacturer of these kinds of systems, has published a white paper that describes their next-generation contactless smart card technology and the advantages of this technology over traditional proximity badges. In describing these advantages, the paper highlights potential vulnerabilities in proximity badge technology.
The HID Global Corporation white paper is two years old, and available at their website.
IOActive used its research to prepare a briefing for security professionals to be presented at the February 28, 2007 BlackHat Convention. IOActive’s intention was to raise awareness among security practitioners regarding the vulnerabilities of this technology, and to highlight the idea that no technology should be the sole mitigating control protecting important organizational assets. IOActive’s intended message was that this technology should be merely one component in a Defense in Depth strategy. The effective implementation of such a strategy must encompass people, process, and technology. If, due to particular organizational drivers, greater reliance must be placed on the technology, then systems that offer additional security features (such as HID Global Corporation’s iClass products) should be considered.
HID Global Corporation learned of our intended briefing, contacted IOActive, and demanded that IOActive refrain from presenting our findings at the BlackHat Convention, on the basis that “such presentation will subject you to further liability for infringement of HID’s intellectual property.” In HID’s view, our proposed presentation on proximity badge technology potentially infringed their patents (U.S. Pat. Nos. 5,041,826 and 5,166,676).
As a consequence, under advice of counsel, IOActive has withdrawn its presentation at the BlackHat Briefings, in order to address the demands of HID Global Corporation, and to protect IOActive’s researchers from adverse action.
We would like to thank everyone at Black Hat, CMP, the ACLU, and K&L Gates for showing their support in this matter.