Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

New Controversy over Black Hat Presentation

Zonk posted more than 7 years ago | from the black-hat-on-a-white-field dept.

Security 144

uniquebydegrees writes "InfoWorld is reporting about a new controversy swirling around a planned presentation at Black Hat Federal in Washington D.C. this week. Security researcher Chris Paget of IOActive will demo an RFID hacking tool that can crack HID brand door access cards. HID Corp., which makes the cards, is miffed and is accusing IOActive of patent infringement over the presentation, recalling the legal wrangling over Michael Lynn's presentation of a Cisco IOS hole at Black Hat in 2005. Black Hat's Jeff Moss says they're standing by their speaker. A news conference is scheduled for tomorrow AM." Update: 02/27 20:10 GMT by Z :InfoWorldMike wrote with a link to story saying that the presentation has been pulled from the slate for Black Hat, as a result of this pressure.

Sorry! There are no comments related to the filter you selected.

Ooh! Ooh! (4, Funny)

Kingrames (858416) | more than 7 years ago | (#18168414)

Hat Fight!

Re:Ooh! Ooh! (1)

Riddler Sensei (979333) | more than 7 years ago | (#18168486)

Between the Black Hats and the Dunce Hats?

Security through hat-scurity (2, Funny)

spun (1352) | more than 7 years ago | (#18169090)

Dude, the hat was on the doorknob. You know that means you can't come in. I'm gonna sue you for infringing on my patented hat security system and making me go limp.

Moo (1)

Chacham (981) | more than 7 years ago | (#18168470)

Controversy at a conference?

This may generate as much interest as Darwin's debate.

Moo Yourself (0)

Anonymous Coward | more than 7 years ago | (#18168762)

Why don't you ever put in a useful subjuct, mouchebag?

Learn something new every day... (1)

cayenne8 (626475) | more than 7 years ago | (#18170690)

A quote from the article: "I'd posit that perhaps there are more secure technologies out there."

I thought when reading this, that it was some kind of bad typo or misprint, then I looked up to see if posit [reference.com] was really a word.

Turns out it was. Geez...learn something new every day, even on /.

What hack? (3, Interesting)

Jordan Catalano (915885) | more than 7 years ago | (#18168488)

Aren't HID cards passive? Last I checked, they just reported a serial number.

So what is this "hack"? Recording and replaying the serial is nothing new.

Re:What hack? (5, Interesting)

Lumpy (12016) | more than 7 years ago | (#18168802)

also how is it new? I did this 2 years ago with a kit I bought off the net. It will read a prox card and clone it. I scared the crap out of the Director of security into actually enforcing security policy after demonstrating how his "uncrackable" card access security was incredibly easy to get by.

Re:What hack? (0)

Anonymous Coward | more than 7 years ago | (#18169566)

Maybe the hack is that there is some flaw in the reader that when exploited will allow the door to open without the need of a pre-registered serial number. That would be a big deal because then you wouldnt need to copy somebody else's number you could just open the door cold.

Re:What hack? (0)

Anonymous Coward | more than 7 years ago | (#18171010)

Recording and replaying the serial is nothing new.

also how is it new?

In addition, I don't think this is anything new.

Re:What hack? (1)

Zappa (26961) | more than 7 years ago | (#18168894)

Security by obscurity ?
If its really only RFID with a number sent out, then the system is broken by design.
If you check out possibilities, a public key system identifying with the "house PKI" would be about the only way to get along in a somehow safe way.

Re:What hack? (1)

ivan256 (17499) | more than 7 years ago | (#18169392)

It's not really anymore broken than a regular pin and tumbler key lock. Sure, with this you can copy somebody's key by walking by them, but I bet it would be pretty easy to get an image of a key in somebody's pocket too... Just an IR camera would probably do the trick.

At least with the RFID system, if you try to brute force the door it can disable access and call the cops after a certain number of failures. You can try keys off a ring, or pick at a physical lock all day as long as nobody happens to see you.

Sure, you could make this a lot more secure, but it's not any worse than regular locks. It's basically the same as regular locks but with easy revocation.

Re:What hack? (0)

Anonymous Coward | more than 7 years ago | (#18170430)

Another problem is that you don't know who else has made copies of the key. This is a password broadcast in plain text; good security practice does not allow this, or people wouldn't be saying you should use ssh instead of telnet.

Pretty much just like a key. (2, Insightful)

Kadin2048 (468275) | more than 7 years ago | (#18170886)

Sure, you could make this a lot more secure, but it's not any worse than regular locks. It's basically the same as regular locks but with easy revocation.

And with a huge false sense of security. Oh, and it costs a lot more.

So, exactly what's the benefit again? Aside from the fact that employees can act all cool, by waving their badges at a sensor instead of sticking a metal piece in the door?

Re:Pretty much just like a key. (1)

ivan256 (17499) | more than 7 years ago | (#18171150)

Like I said, the benefit is convenience and flexibility. You can have more complex rules than with master and sub-master keys. You don't have as great an expense to change the locks when somebody loses their key, you can have time based rules, etc...

They're not about additional security over traditional keys. They're about convenience. If anybody gets a false sense of security from these devices, it's because they didn't do their homework. The fact of the matter is though, that even with the flaws that are obvious to people with security knowledge, these locks provide the level of security that is generally considered acceptable.

Another thing to consider, since you sound like you're knowledgeable about this type of thing... The security is only as strong as the weakest link. In many environments where this kind of system is installed and the building isn't occupied 24/7, the weakest link keeping intruders out is the 5/8" sheet of drywall attached to flimsy steel studs.

Re:Pretty much just like a key. (1)

flatcat (464267) | more than 7 years ago | (#18171754)


When we had metal keys, there was always some disgruntled soul who would break of a key or jam something into the lock to prevent the rest of us from using our keys. At least that does not happen any more.

Re:What hack? 100% Right (2, Interesting)

mpapet (761907) | more than 7 years ago | (#18168944)

Nearly every HID card out there is passive and will give anyone that passes the right kind of reader in front of it the numbers on the card. I'm not sure why this warrants its own talk or is viewed as a "breakthrough" of any kind.

I'm not smart enough to do it, but a very interesting project for those with the talent would be building a hardware device to spoof cards and brute force access control systems like most parking structures and numerous physical building access control systems. I'm not aware of any brute force detectors in those access control systems.

This is the tip of the proverbial iceberg for HID's (in)security. Though, most people who bought the systems had more secure options, they chose the least secure. It's hard to blame HID.

What amazes me is someone at HID has to pretend this is some kind of serious compromise. They probably sleep just fine after spending their workday spreading lies too. Sometimes I wish I could do that. I could make a heck of a lot more money lying.

Re:What hack? 100% Right (4, Informative)

gclef (96311) | more than 7 years ago | (#18169370)

The BlackHat speaker isn't presenting it as new...what he *is* doing, though, is giving away schematics to build devices to do the reading and cloning. That's what's getting HID's attention. Lots of people knew you could do this...not so many had a clear schematic & parts list to actually go *do* it.

Re:What hack? 100% Right (0)

Anonymous Coward | more than 7 years ago | (#18171166)

...this still makes HID look bad. You can do this with their equipment... they don't care that one of their products is fundamentally flawed, they only care that people (users and crooks alike) buy their equipment and not a knock-off.

Re:What hack? 100% Right (1)

blincoln (592401) | more than 7 years ago | (#18169494)

I may be wrong in assuming this, but it seems likely that the security system would detect a brute force attempt pretty quickly.

Even if it doesn't, halfway competent security staff would notice the attempt right away. One of the guys here showed me how their monitoring system works once - any time someone uses an invalid card (whether it's deactivated or just doesn't have access to that door) or the door is held open too long, or anything else out of the ordinary happens, the security cameras take snapshots of the whole area around the door. The events are very visibly highlighted in the monitoring console as well, if no one happens to be paying attention at the time.

Yes, you could also disable the cameras in some way, but my point is that there's no really covert way to do it.

Re:What hack? 100% Right (1)

trianglman (1024223) | more than 7 years ago | (#18171008)

Cameras are only good if you are in range of the cameras. Anyone with an antenna with a decent gain can break at least a front door (I don't know if they give off any sort of confirmation other than an LED) reader without much personal risk.

Re:What hack? (4, Interesting)

peacefinder (469349) | more than 7 years ago | (#18169326)

Basic HID Prox cards just report a serial number. HID also makes a version that has some cryptographic component, called iClass. When I spec'd a security system last year, I insisted on crypto-enabled cards and readers. (We ended up with HID's iClass.)

If this is just a tool to clone HID Prox cards, then it's nothing new... but it'll make me look good to my boss. (Sweet!)

If it's a tool to spoof iClass readers then it's new, a pretty big deal, and I just wasted a few thousand bucks. (Boo!)
 

Re:What hack? (1)

RSquaredW (969317) | more than 7 years ago | (#18170210)

A reasonable way to use a serial prox card would be to combine it with a PIN - even a short one - to prevent someone who has a cloned card from getting in without social engineering.

Something you know
Something you have
Something you are

In other words... (5, Informative)

Anonymous Coward | more than 7 years ago | (#18168508)

"Your door is secure because bad guys would have to infringe on our patents to open it!"

Patent = No Hacking (4, Funny)

Cassini2 (956052) | more than 7 years ago | (#18168510)

They have a patent. Therefore, no one can break their security. It would be illegal.

I'm convinced.

Re:Patent = No Hacking (4, Funny)

physicsboy500 (645835) | more than 7 years ago | (#18168724)

They have a patent. Therefore, no one can break their security. It would be illegal.

It's also ironic that the US Patent & Trademark Office uses HID cards on their doors...

A circular protection that can not be broken

Re:Patent = No Hacking (1)

LifesABeach (234436) | more than 7 years ago | (#18169646)

Just a thought, would this be an indicator as to who has purchased the card duplicator kit? If the door to the patent office is locked:
1. duplicate a working card.
2. open door to the patent office.
3. profit!

"The end justifies the means." - Sophocles

Grammar Police (0)

Anonymous Coward | more than 7 years ago | (#18170266)

That is not irony.

Re:Patent = No Hacking (1)

Ceriel Nosforit (682174) | more than 7 years ago | (#18172140)

A circular protection that can not be broken


I think that qualifies as "broken by design".

Can't break what's already broken though...

So if it ain't broke, don't- Uh, gimme a moment here... I think- Oh, oww! My head...

Security through obscurity (0)

Anonymous Coward | more than 7 years ago | (#18169830)

This line of thinking truly baffles me...

TFA: "HID is [...] concerned that Paget's demonstration will popularize the vulnerabilities in its proximity cards and endanger its many customers."
Moss: "They've known about this for years and years."
Carroll: "Some of these cards have been around for 15 years and were developed when there was no awareness of the problem."
TFA: "Asked why HID hasn't addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause 'major upheaval' among customers."

Essentially, they are saying that if the companies that use the cards knows about any flaws, they will become less secure-- because the "bad guys" won't know about the flaws beforehand. Ummmm, no. Obscurity does not work and can not work for security. Security is a moving target-- good security require constant updating and vigilance, because old security will always be broken, even if "obscure". Because "bad guys" will usually break a security device long before a customer of the device will (assuming the customer _can_ or even _tries_ to break the security device), the sellers of these devices must: (1) constantly create replacements, better devices, better methods; (2) inform their customers of known flaws so that they have a chance to be informed before or at the same time as the "bad guys" and do something about it.

I don't understand HID's attitude or any security-centric company's attitude. Here's a ludicrous example. A man has a neighbor who lives along. One day the man notices as the neighbor leaves that he didn't lock his door, so the man calls out to him, "Hey, you forgot to lock your door!" Well, the neighbor becomes absolutely furious. "How dare you," he fumes. "I will sue you out of existence! I will have the police lock you up for good!" The man, taken aback says, "I don't understand. I just wanted to tell you about your door. I don't want your house to be burglarized. I'm trying to help." Huffing and puffing, the neighbor drying retorts, "Didn't you know? I never lock my door. I've never be robbed. However, now that you've yelled it out loud, all the criminals in our neighborhood know. They now know they _can_ rob me. You've compromised the security of my house!" This is how I see these kind of companies currently. The neighbor in this story assumes that no one would ever try opening the door if its closed until someone says it out loud, which is, IMHO, a very poor excuse. Also, why not try something better? Why not lock the door thusly improving the security of the house? Because then the neighbor's brother in the next town will then be upset that criminals now know about this door opening tactic, and his house's security will be compromised for he never locked his door either? *Sigh*

While I'm on a rant. What's the deal with patent infringement charge? As I understand it, a patent is a process that is filed on PUBLIC record and then granted temporary exclusive rights on sales. So, anyone may read it. Anyone may build what it describes. But no one may sell what they make. Sooooo, what is this presenter "selling" that infringes upon HID's patent. Isn't Paget simply stating public information? Even if he mentions things IN the patent, it is _still_ PUBLIC INFORMATION. Considering that HID doesn't want to elaborate on the infringement accusations, I think it's an empty threat. (What scares me is that due to the current state of the legal system, an empty threat can sometimes be as damaging as a real threat in the long run.)

Peace out.
--Dave Romig, Jr.

Re:Patent = No Hacking (1)

mandelbr0t (1015855) | more than 7 years ago | (#18172116)

That's what corporate America believes. That the legal system is better protection than a firewall or proper security measures. There's only one problem with this belief: The breach happens before the defense kicks in. Where the cost of such a breach is shareholder confidence (isn't happening yet, too many bullshitters spinning too many lies), national security (hey, NSA and CIA actually *do* have security), or invasion of privacy (oh, that's why it doesn't matter, you just have to issue a hollow apology after the fact), legal protection simply isn't enough. Anyone who tells you otherwise has far too much faith in the ability of the Law to protect.

HID has its head in the sand (5, Interesting)

doroshjt (1044472) | more than 7 years ago | (#18168556)

The comment "For someone to be able to surreptitiously read a card, they'd have to get within two or three inches and get into the same plane as the card," by Kathleen Carroll, a spokeswoman for HID's Government Relations. Thats not hard to do at all in the federal world. Ride the metro around 7:30 on a weekday and almost every person on it has a proximity badge around their neck or on the belt along with their ID badge. Its like showing the world your cool that you work at the agriculture department or something. But I've seen everything from State Department badges, treasury, and justice department badges on full display on super crowded metro trains.

Re:HID has its head in the sand (0)

Anonymous Coward | more than 7 years ago | (#18169036)

..."justice department badges"...

That would be me. It's really just a kinkos card, but I photocopied an official-looking badge on to it because it impresses people.

Re:HID has its head in the sand (0)

Anonymous Coward | more than 7 years ago | (#18170426)

You must get all the chicks so hot...

Re:HID has its head in the sand (2, Interesting)

Kadin2048 (468275) | more than 7 years ago | (#18169242)

I think part of the reason for this (besides the obvious penis-length contest, which is definitely true -- IIRC what's important isn't what's printed on the cards so much as the color, e.g. white for USG employees, pink for contractors, etc.) is because you're told in security training to always keep the cards on your person, and not put them in a laptop bag / briefcase / purse. So people keep them hanging near their keys at home and put them on as they're leaving.

You really wouldn't want to encourage people to put them away, because they'd probably put them in purses or briefcases, and lose them, or put them in wallets and get them stolen (or read just as easily), and it would also defeat the physical-security purpose of the cards, which is to act as an ID badge when you're in a secure facility.

I think the solution is just to issue everyone a metallic container, which slips over the card and covers the portion of it that contains the antenna. Maybe you could even design one that would reveal (through a clear front) the name and picture of the bearer, but cover the back of the card and keep it from being read.

Most people keep their access cards in little clear-plastic holders anyway (because the new USG computer systems require you to jack the card into the keyboard in order to log in), so stepping up to some sort of metal one wouldn't be that big a deal, and it would prevent a lot of card-cloning/warscanning attacks.

Re:HID has its head in the sand (2, Interesting)

gregmac (629064) | more than 7 years ago | (#18169602)

I think the solution is just to issue everyone a metallic container, which slips over the card and covers the portion of it that contains the antenna. Maybe you could even design one that would reveal (through a clear front) the name and picture of the bearer, but cover the back of the card and keep it from being read.
How about just use magnetic stripe cards? The only way to read it is to physically slide it through a reader.. if you have to 'open' your RFID card to get the reader to recoginize it, then it's just as simple to slide it through a reader on the wall, but probably much cheaper.

Yes, RFID is cool and all, but in a lot of ways people are using it as solution to a problem that doesn't exist.

They're starting to put it in credit cards, which just makes no sense to me at all. Instead of sliding it through a reader, you just 'tap' it on a pad? Ok, what's the difference, besides the fact that you're forcing merchants to buy new readers? I'm sure there's probably banks out there sticking RFID in bank cards, then advertising "hey, you don't need to swipe OR use a PIN anymore!"...

Re:HID has its head in the sand (1, Interesting)

still cynical (17020) | more than 7 years ago | (#18169784)

Magnetic stripes are notoriously fragile and unreliable. Get your card too close to a decent magnet (more common than you think), and it's now unreadable. RFID saves a lot of administrative work in replacing cards that have been demagnetized. It would really suck being on-call and not able to get into our data center. My boss does not want to be woken up at 3am on a holiday weekend because the stripe on my card wore out.

It's common now for cell phone cases to have magnetic flaps on them. The only reason I can keep my work access cards with my phone (harder to forget due to bulk), is they are RFID.

Re:HID has its head in the sand (4, Insightful)

dgatwood (11270) | more than 7 years ago | (#18170418)

You know, in fifteen years of carrying a credit card, I have never had one fail. The high-coercivity mag stripe cards are darn near indestructible. By contrast, the low-coercivity cards that they use at some hotels... I've had them just suddenly fail on the third or fourth use and have to be reprogrammed multiple times in a single night (and about the fifth time I had the same card reprogrammed, they tossed it in a trash can and programmed a fresh one for me, which never failed again).

Put simply, low-coercivity cards suck, but high-coercivity cards are pretty solid. Just don't cut corners on your card programmers and you'll be fine.

Re:HID has its head in the sand (1)

Kadin2048 (468275) | more than 7 years ago | (#18171334)

Some places do. My former employer, which shall remain nameless, used swipe cards for access. There was talk of switching to RFID cards, but it was just about the time that the first vulnerability reports came out (little more than a year ago), and they apparently had someone who listened and decided that the system worked well enough as it was currently, and better not to mess with it. Either that, or the budget money evaporated. Choose whichever explanation you prefer.

But I think they're still using swipe cards, combined with actual human security guards, and a lot of cameras.

DoD policy: (2, Insightful)

HBI (604924) | more than 7 years ago | (#18171726)

Paraphrased:

Wear badge between neck and waist level at all times when on premises.

Put card away when off-base.

Never use card as a civilian-side ID.

Spent 5 years living this.

Security is not a product (3, Insightful)

TheWoozle (984500) | more than 7 years ago | (#18168604)

Security is constant vigilence. Certain tools come in handy, but they are not by themselves security. Security is either part of your corporate culture and SOP, or it is not. You can't buy something and tack it on to make your business secure. The sooner PHBs learn this, the sooner we can get past all this nonsense.

Security through Risibility? (5, Funny)

Odiumjunkie (926074) | more than 7 years ago | (#18168626)

From TFA:

> HID has sent a letter to IOActive, a security consulting firm, accusing Chris Paget, IOActive's
> director of research and development, of possible patent infringement over a planned presentation,
> "RFID for beginners," on Wednesday, a move that could lead to legal action should the talk go
> forward, according to Jeff Moss, founder and director of Black Hat.

I, for one, take comfort in the fact that HID Corp can sue anyone that breaks into my workplace after cloning my security card.

Re:Security through Risibility? (2, Interesting)

Jeff DeMaagd (2015) | more than 7 years ago | (#18168972)

Risibility? Wow, that looks like a pretty obscure word. I don't think I've seen it before, I had to look it up.

Re:Security through Risibility? (1)

ResidntGeek (772730) | more than 7 years ago | (#18170126)

Haven't you seen The life of Brian? "Do you find something... wisible... when I say the name BIGGUS.......... DICKUS???"

I assume it reports random numbers (2, Insightful)

swschrad (312009) | more than 7 years ago | (#18168636)

until you stop the toy when the door lock clicks.

countermeasures: use longer ident numbers when programming the things. put a GOOD camera above the door or use an IR detector and if somebody stays at the door for a minute, the guard should use the intercom and ask them if they want to sleep in another doorway, or if they need to talk to a sheriff's deputy.

moral: relying on any one layer of security is no security if somebody really wants in. multiple levels and somebody awake someplace who cares will fix every physical penetration attempt except wackos with bulldozers.

Re:I assume it reports random numbers (1)

cbeaudry (706335) | more than 7 years ago | (#18169334)

Actually, it captures the Card number from someones card if you bring it within a few inches of that card.
Retains the number, and spits it back out.

Reporting random numbers usually wouldn't work, as many access control systems will disable the reader after a pre-configured number of invalid attempts.

As well, if this system is monitored, invalid card reads would litter the screen of an operator or guard station.

Your other points about adding more layers of security are all dead on though.

Re:I assume it reports random numbers (2, Interesting)

SuperBanana (662181) | more than 7 years ago | (#18169440)

countermeasures: use longer ident numbers when programming the things.

Or do what the devices already do: have at least a second's worth of delay between them, log invalid access attempts, and have the reader beep each time a card's signal is detected.

Slashdotters tend to be very arrogant about this sort of stuff. Did it occur to you that most of these concerns are obvious, and are both understood by security professionals and have been addressed to some degree?

Example: even if you can clone the card, at most datacenters (for example) you need a keycard AND either a biometric scan or keycode.

Keycards aren't the ultimate security control and never were. Hell, I don't even need a keycard to get to my desk at work; I just walk by with everyone else from the shuttle bus, hop in the elevator at the same time, etc. You don't need to clone cards when you can piggyback off people who have 'em. Of course, I'm recorded on at least 2-3 security cameras entering the building, so if I were not supposed to be there, they'd be able to prove it was me.

after the building is taken down, that is (2, Interesting)

swschrad (312009) | more than 7 years ago | (#18169756)

which is why my outfit is always cautioning workers to avoid "riders," don't let anybody pretend to be your shadow flitting by as the door closes... unless you see their badge.

"hey, pard, where's your badge today?" costs nothing. adds 60,000 security persons to the force. even if half of them are just going through the motions day in and day out, it can stop a lot of riders.

Responsibility? (5, Insightful)

Diluted (178517) | more than 7 years ago | (#18168646)

From the article: "These systems are installed all over the place. It's not just HID, but lots of companies, and there hasn't been a problem. Now we've got a person who's saying let's get publicity for our company and show everyone how to do it, and it puts everyone at risk. Where's the sense of responsibility?" Carroll said.
This blows me away. Rather than taking the responsibility for having a flawed security system, rather than having the responsibility as a company to say "Hey, yeah we know about this and we are going to fix it after 15 years," the company accuses the security researcher of a lack of responsibility for "revealing" how to exploit these systems. I feel like bizarro world has become the real world when I read these kind of comments.

Re:Responsibility? (1)

xsbellx (94649) | more than 7 years ago | (#18169086)

Yeah, that quote caught my eye along with:

Asked why HID hasn't addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause "major upheaval" among customers.
.

I can just picture this attitude at work:

ME: Hey Boss, big security whole in our servers. We will have to start patching immediately. Might take several days.

MANAGER: No, it's too much work for your team and it will upset the users. Go home, sleep well and we can look at this later.

Next day...
DIRECTOR: Let me introduce your new manager....

Re:Responsibility? (2, Interesting)

Schraegstrichpunkt (931443) | more than 7 years ago | (#18169594)

It's not the same thing. With Internet-connected servers, anyone who has access to the Internet is a potential attacker, knowledge of a vulnerability (i.e. automated exploit software) can spread extremely quickly, and it's easy to hide behind surrogates (i.e. proxies, botnets, etc). With door locks, the pool of potential attackers is a lot smaller, and the personal risk for an attacker is much greater.

Even Better -- Re:Responsibility? (1)

terrahertz (911030) | more than 7 years ago | (#18169340)

"Asked why HID hasn't addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause "major upheaval" among customers."

Apparently the "major upheaval" necessary to bring their product's security up to snuff is less desirable than the "major upheaval" that would occur if the currently poor security were exploited in a headline-grabbing, stock-price-swatting incident. Perhaps their risk-analysis number-crunchings have been tainted by oh...I dunno, smoking crack?

I was going to comment on the same excerpt you chose -- because I felt the same sense of "umm, is it backwards day today?" Luckily for me, there was more than enough "backwards speak" to quote! :/

Re:Responsibility? (0)

Anonymous Coward | more than 7 years ago | (#18169522)

Not Bizarro world, but Oceania. [wikipedia.org]

War Is Peace
Freedom Is Slavery
Ignorance Is Strength

Patent Infringment? (1, Redundant)

ryanisflyboy (202507) | more than 7 years ago | (#18168654)

HID has a patent on breaking and entering? The USPTO has reached a new low. I think I'm going to get a patent on marijuana smoking. Or better, a patent on patenting patents! I'll control the entire patent industry! MWWWWHAHAHA!

Re:Patent Infringment? (1)

spun (1352) | more than 7 years ago | (#18169130)

I've patented a method for gaining karma by making posts about patenting the patent system. Expect a call from my fully battle-trained law-panthers.

Re:Patent Infringment? (1)

idontgno (624372) | more than 7 years ago | (#18169240)

2MPA2C*

*(too much prior art to cite)

In other news... (0)

Anonymous Coward | more than 7 years ago | (#18168860)

Schlage is suing the makers of lockpick tools for patent infringement!

New RFID to Secure HID, Passports, ID and CreditC (1)

ktija (785397) | more than 7 years ago | (#18168874)

http://www.immuneid.com/ [immuneid.com] Immune ID works in a very simple, safe and practical way. With Immune ID on documents, credit cards and credentials, the identification device on them will always remain deactivated unless the user activates them through physical touch. Without human contact, any reading and/or writing attempt will fail. Thus, your information is protected from harmful use. The user will also have a visual and/or audio confirmation included in the device*. Immune ID is an innovative protection system for all electronic documents using technologies such as RFID, Rubee, Smart Dots, EAS, etc.: passports, credit cards, driving licenses, access cards, etc. Immune ID eliminates the risk of having all your important and personal information broadcasted on public air, at the reach of anyone who may want to duplicate, steal, modify or use it in dangerous and harmful ways. Immune ID is the best solution for those who want to ensure themselves a safer and protected life.

Re:New RFID to Secure HID, Passports, ID and Credi (1)

Anonymous Coward | more than 7 years ago | (#18169038)

It may prevent the "stealing credentials on the metro" scenario, but does jack all against passive sniffing of a legitimate use. If it's being broadcast via any kind of radio carrier wave, it can be sniffed. The only way to have secure access cards is via physical contact (swipe, smart card, etc).

Oh, and BTW, ImmuneID's website sucks. It's pure flash and resizes my browser. On that basis alone I would not buy your product nor recommend it to any of my customers.

Re:New RFID to Secure HID, Passports, ID and Credi (1)

Schraegstrichpunkt (931443) | more than 7 years ago | (#18169680)

Didn't you hear? ImmuneID prevents terrorism and "any possible threat"!

Re:New RFID to Secure HID, Passports, ID and Credi (1)

GeePrime (831254) | more than 7 years ago | (#18169708)

You hate when websites resize your browser too? Who doesn't? I'm not sure how to accomplish this through any other browser, but through Firefox, you can go into about:config, type dom.disable_window in the filter, and set all of those to true. doesn't change the fact that the site is evil for trying to resize my window, and in some cases, remove my address bar etc...

Re:New RFID to Secure HID, Passports, ID and Credi (1)

redline452 (963868) | more than 7 years ago | (#18171306)

They don't actually say much about how it works, and their assertion that passports "broadcast" your data and (I love this part) position such that it's readable by satellites is beyond ludicrous. Scaremongering without content. I too dislike their flash-only site, and they can't spell either (check the pdf).

Re:New RFID to Secure HID, Passports, ID and Credi (1)

Kadin2048 (468275) | more than 7 years ago | (#18171282)

What does ImmuneID get you, that taking a conventional RFID card and putting it into a metallic badge holder wouldn't?

It seems like it's major feature is a 'safety' that keeps it from broadcasting or receiving, unless activated by skin contact. In other words, an on/off switch. Not a bad idea, but you could just as easily take a regular passive card, and put it into a metal case, and then take it out when it needs to be used.

Many people keep their cards in carrier-cases anyway (because they need to be removed to access magnetic strips that are also on them, or SmartCard contact pads, or because they want to put the card on a keychain or neck strap and can't punch holes in it), so all that needs to happen is these cases need to be made RF-tight.

Some other RFID devices -- like the EZ-Pass transponders used on highways -- come to the customer inside conductive, anti-static plastic bags. I'm not sure if they're effective enough to prevent 'subway cloning,' but it seems like a suitable conductive plastic could be developed pretty quickly if they're not.

Best Part (1)

FirmWarez (645119) | more than 7 years ago | (#18168876)

"Black Hat's Jeff Moss says they're standing by their speaker."

You go DT, I mean, um, Jeff.

How do you violate a patent by speaking? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18168920)

I thought you had to actually make something in order to infringe a patent. And patents, by definition, are public knowledge. If I stand up and read your patent to a crowd, how can you sue me?

Re:How do you violate a patent by speaking? (1)

bagofbeans (567926) | more than 7 years ago | (#18169274)

Make and sell something.

Nothing to stock an individual using a patent to build a one-off.

Re:How do you violate a patent by speaking? (1)

Aim Here (765712) | more than 7 years ago | (#18169924)

Except 35 USC 28 perhaps:

"(a) Except as otherwise provided in this title, whoever without authority makes, uses, offers to sell, or sells any patented invention, within the United States or imports into the United States any patented invention during the term of the patent therefor, infringes the patent." (emphasis mine)

From: here [cornell.edu]

Not that I think HID's whinge has any merit whatsoever. Hell, even the first amendment should protect someone demonstrating a prototype cracking tool for the purposes of showing to the general public that it's possible, and there may be specific specific exceptions in patent law too, I've not checked thoroughly.

Re:How do you violate a patent by speaking? (1)

PatPending (953482) | more than 7 years ago | (#18169320)

...will demo an RFID hacking tool...
Presumably demonstrating (actually using) the tool would utilize what HID Corp. has patented. And you can't do that without some prearranged agreement with the IP owner. BTW here is a list of HID Corp. patents: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PT O2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.h tm&r=0&f=S&l=50&d=PTXT&RS=AN%2Fhid&Refine=Refine+S earch&Refine=Refine+Search&Query=an%2F(hid+AND+cor poration) [uspto.gov]

Re:How do you violate a patent by speaking? (1)

Overzeetop (214511) | more than 7 years ago | (#18170514)

Making the tool: okay
Using tool: okay
Showing others how to use the tool: still okay
Selling the tool: not okay.

At this point, I'd say he's in the clear unless he's selling the tools or the schematics (though you probably can sell the schematics, since you apparently can sell access to the Patent database.) You actually have to make something and sell it to violate a patent - personal use is just fine.

Re:How do you violate a patent by speaking? (1)

cafucu (918264) | more than 7 years ago | (#18169330)

He did create a program. The infringement must have been the way he implemented his hack.

Re:How do you violate a patent by speaking? (0)

Anonymous Coward | more than 7 years ago | (#18169772)

You are correct.

You cannot infringe a valid patent unless you practice/make/sell what is enabled in the patent specification as defined by the claims.

What is enabled in the specification is public.

You can describe anything in the specification publicly, or even quote it word for word.

You cannot entice others to infringe or you would be guilty of inducement.

You can describe whats in the specification and give the disclaimer that practicing what is being described might constitute infringement and you are legal (avoid inducement) as far as the law applies.

This is one of the benefits of the patent system. You get to see new technology and build upon it at a faster rate. You are free to discuss it.

That is one of the reasons for a patent system->free discourse.

The infringement accusation is therefore comical.

Re:How do you violate a patent by speaking? (0)

Anonymous Coward | more than 7 years ago | (#18171962)

If I stand up and read your patent to a crowd, how can you sue me?

Duh. You simply copyright your patent.

A true blackhat wouldn't (1)

CjDMaX (975318) | more than 7 years ago | (#18168950)

A true blackhat wouldn't exactly demonstrate or publicise the flaws of existing RFID, now would he? He would be out there evangelizing the faulty products so as to enlarge his playing field :) White-Whitehat, Black-Whitehat, White-Blackhat, Black-Blackhat... it used to be simple...

Re:A true blackhat wouldn't (1)

Schraegstrichpunkt (931443) | more than 7 years ago | (#18169728)

Typical Americans. You concentrate only on the whitehats and the blackhats, while ignoring the plight of the yellowhats, brownhats and redhats. Shame on you!

Litigation vs. Inteligent Implementation (5, Insightful)

Tomis (972713) | more than 7 years ago | (#18169152)

If you base your security model singularly around patents instead of proper implementation, then there is something wrong with your security model.

Unless he's selling this.... (1)

tinkerghost (944862) | more than 7 years ago | (#18169258)

I don't see how HID is planning on getting around the education & research exemption in the patent process.

Mod parent up (0)

Anonymous Coward | more than 7 years ago | (#18169384)

mod that up, Informative

Keep our secret (1)

Nom du Keyboard (633989) | more than 7 years ago | (#18169286)

Don't reveal this. Keep our secret. Heaven forbid that someone else find out that a 19 cent Bic pen cap -- err, new hacking tool -- can compromise our fancy electronic Tom Swiftian, door locks. Fsk the attempts of our customers to be well-informed. It could hurt our profits.

(No thoughts about what it might do to their customer's profits after a few break-ins.)

Proximity vs RFID (5, Informative)

cbeaudry (706335) | more than 7 years ago | (#18169304)

The article and this guy on the video seem to be confusing RFID and Proximity (125khz).

Its really odd to hear them mention you'd need to bring the card up to 2-3 inches to the reader, when they keep talking about RFID.
Its clearly proximity.

Also the fool on the video mentions this as if its new, numerous websites mention how to do this and have for years.

Proximity has its draw backs and EVERYONE knows this.

Which is why HID HAS addressed it with new products. HID iClass readers. 13.56mhz, with Encryption between the card and the reader. After 2 roll-overs of public to private encryption keys, you no longer can just read the card with any reader you actually need to know the private key.

So:

RFID not what they are talking about.
RFID /= Proximity
RFID should not be used for access control (unlocking doors from 5 feet a way... seriously...)
Proximity vulnerable (nothing new)
HID iClass (13.56mhz proximity with Encryption) HID has a solution (makes me wonder why they never mention it though...)

Disclaimer: I don't work for HID, but I'm a Sales Engineer for an Access Control company and we use HID readers or our own which are also Proximity.

Re:Proximity vs RFID (1)

Schraegstrichpunkt (931443) | more than 7 years ago | (#18169774)

After 2 roll-overs of public to private encryption keys

What does that mean? Is there a paper online somewhere that describes the scheme?

Re:Proximity vs RFID (2, Informative)

cbeaudry (706335) | more than 7 years ago | (#18171820)

Maybe my (french canadian) english didint describe well what I meant.

Basicaly, using the iClass readers, there is a basic encryption key between the card and the reader.
Using a special card, a reader can be programmed with a NEW key.
The reader now accepts the old (public key) and new (Private key).

When an old card is presented to such a reader, the cards key changes to the private key after negotiation.
After a while, you reprogram the readers to a SECOND private key.

Now that reader ONLY accepts Private key 1 and Private key 2, no longer accepting cards from a public key,
effectively locking out ALL cards except those with your own private key.

Basic Datasheet here :
http://hidcorp.com/pdfs/products/irg_us.pdf [hidcorp.com]

List of all iClass docs here:
http://hidcorp.com/page.php?page_id=27 [hidcorp.com]

Re:Proximity vs RFID (0)

Anonymous Coward | more than 7 years ago | (#18169906)

There are still vulnerabilities, even with a public / private key based session key negotiation - it's being broadcast via radio. I can capture that traffic and brute force the private keys. The only way to have a secure access card is to have one that does not broadcast, but requires physical contact between reader and card.

Re:Proximity vs RFID (1)

cbeaudry (706335) | more than 7 years ago | (#18172082)

The thing is, there has to be a balance between security and whats practical. Contactless security systems, cost next to nothing in maintenance. Magstripes, require a swipe, has a moving reader head, which needs cleaning, and breaks down. Barcodes... well those are useless, one photocopy and you have another card. There are Wiegand insertion, but they still require a swipe or inserting the card into a reader, and where there is contact there is WEAR AND TEAR. About brute forcing the encryption, you would need to have direct access to the reader or card for a long period of time to be able to brute force the 64bit key. 64bit, doesn't seem like much in the IT world, but seriously, you'd have to be pretty lucky to brute force a 64bit key and not get noticed standing there in front of a door for what?... 2 years ? :)

Re:Proximity vs RFID (0)

Anonymous Coward | more than 7 years ago | (#18170404)

You sir are quite obviously a sales person. You seem to confuse terms or at least have been taught very poorly as to what your products are called. RFID (ignoring active) tags are all proximity devices. The HF tags operating at (coincidentally enough) 13 mhz, are not going to have a 5 foot read range with a reader the size of the HID readers. HF rfid tags are going to have a read range measured in inches unless your reader is the size of the door. You should go have your actual engineers explain the difference to you as its probably nothing more than the fact that HID isn't using one of the ISO standard tags.

Re:Proximity vs RFID (1)

cbeaudry (706335) | more than 7 years ago | (#18171644)

I am not a sales person. But in fact the Engineer who sets the sales people straight. But I'll admit, I did comment using my standard sales approach, meaning, giving too much information, is like not giving enough. You are right, proximity cards, whatever technology are RFID. I did not specify this, because many assume when they hear RFID nowadays that we are talking about Active tags. I used that assumption to make my point.

Proximity vs RFID vs What? (1)

BenEnglishAtHome (449670) | more than 7 years ago | (#18170552)

OK, I know nothing about these systems so I'm going to ask a stupid question. The very first time I ever saw an access control that opened a door lock when a card-bearer approached was in the giant Compaq retail/factory warehouse clearance outlet in Houston, more than a decade ago. (Great place. Old stock, reconditioned stuff, and odds 'n ends out the ying-yang, all at firesale prices and the staff actually worked for Compaq, meaning they knew what they were doing.) That system opened the door between the public space and the employee offices whenever an employee got within 10-12 feet of it. The door in question was at the end of a short hall that you had to traverse to get to the public restrooms. Whenever any employee set foot into that hall, there was a big *Klunk* as the door unlocked. They unlocked the door even when they were just going to the bathroom. I think the system was prototypical and it certainly had problems, but I was always fascinated by it.

What sort of access control tech would open locks from that sort of distance?

Re:Proximity vs RFID vs What? (1)

cbeaudry (706335) | more than 7 years ago | (#18171882)

That was probably what we call a REX (Request to Exit) device.

Motion detector type REX's, or infra red heat detectors.

Some are of very poor design and will capture any motion or heat up to 20 feet ahead and as wide.

Some are very precise, where you can narrow the beam to such a point where it captures no more than 1 foot wide, 1 foot from the door, and about a few inches wide accross the door handle, no more.

Sitting down now compromises security (1)

kenj0418 (230916) | more than 7 years ago | (#18169336)

From TFA:
> Kathleen Carroll, a spokeswoman for HID's Government Relations group acknowledged that a letter was sent to IOActive but that it did not mention patent infringement. She said that the company has long been aware that its proximity cards are vulnerable to hacking but does not believe that the cards are as vulnerable as Paget suggests.
> "For someone to be able to surreptitiously read a card, they'd have to get within two or three inches and get into the same plane as the card," Carroll said.

Oh, do you mean like placing a reader under a seat at the bus station? I'm pretty sure that my ass is in the same plane as the seat and my wallet is right there too.

Why can't companies whose job is security do security right?

-K

Re:Sitting down now compromises security (1)

PatPending (953482) | more than 7 years ago | (#18169410)

Why can't companies whose job is security do security right?
Likely for the same reason that companies whose job is software can't do software right. (A) It's very difficult (B) Lowered standards/expectations of consumers (C) There's money to be made from a cycle of "upgrading"

Sigh.

The demo is cancelled.... (4, Informative)

8127972 (73495) | more than 7 years ago | (#18169416)

Gah (1)

Phanatic1a (413374) | more than 7 years ago | (#18169730)



"I don't like it when really big companies throw their weight around," Jeff Moss, founder of Black Hat conferences, said on the Tuesday conference call. "This threatens the whole conference business."


What are you thinking, Jeff?

In 2005, you canceled a presentation because you received a legal threat from Cisco. You demonstrated to any company out there, that if they don't want a presentation to happen, all they need to do is send a scary warning on some official letterhead, and Black Hat will cancel the presentation.

And now you realize that this threatens the whole conference?

Re:The demo is cancelled.... (2, Interesting)

dean.collins (862044) | more than 7 years ago | (#18169954)

i dont know why these companies incorporate in the first place if they are worried about being sued. you incorporate a company for each event with $1 assets and liquidate after each show. big deal. only way to get presentations pulled then is through injunction before the event. Dean

Faraday Covers (1)

Pym (8890) | more than 7 years ago | (#18169588)

FYI, the new passports featuring RFID chips also have Faraday cage-like covers to block the transmission when the passport is closed. At least one article:

http://www.pcworld.com/article/id,120292-page,1/ar ticle.html [pcworld.com]

From article: "Texas Instruments, a major manufacturer of RFID chips, confirmed that a properly designed cover could block the RFID signal.

'Stitching a metal web into the cover creates a Faraday cage,' says V.C. Kumar, manager for emerging markets at TI. 'It kills the RFID signal.'"

I'm no expert on the things, so defer to others on if the presentation addresses this suggested solution or not.

Re:Faraday Covers (1)

Arimus (198136) | more than 7 years ago | (#18170590)

Don't faraday cages have to be earthed somehow? (Just a minor point.... ;) )

Re:Faraday Covers (0)

Anonymous Coward | more than 7 years ago | (#18171432)

I keep my entry badge in an Altoids tin, and it certainly doesn't scan until I open the tin.

Re:Faraday Covers (1)

Arimus (198136) | more than 7 years ago | (#18172134)

There is a difference between a tin and a faraday cage...

RFID should just be PART of Security (3, Informative)

Critical Facilities (850111) | more than 7 years ago | (#18169828)

We're able to make copies of keys, yet they're still widely used as "security" measures in offices worldwide. Why is this any different? I've always been taught that a successful Security strategy is comprised of the 3 concepts:

What you have - your ID badge/card
What you know - the PIN associated with that card
Who you are - a fingerprint/retinal scan/etc to be used with that card

The point is, ok, someone figured out how to easily clone RFID enabled "access cards". Is it the manufacturer's fault that many places rely SOLELY on those badges for their perimiter/access control? If your facility is truly "secure", there should be at LEAST the requirement of a PIN typed in along with a card swipe as well as cameras, physical security, and other standard procedures. If your facility's management has opted to rely on the cards as the only means of controlling who enters and when, then blame that same management if a problem happens. The term "security" is very subjective. What might pass for your average office building would never pass at a serious Datacenter or other Critical Facility.

Cant he just apply for a new patent ? (1)

jusDfaqs (997794) | more than 7 years ago | (#18170208)

According to patent laws at present;

1.130 Affidavit or declaration to disqualify commonly owned patent or published application as prior art.
- Appendix R

1.130 Affidavit or declaration to disqualify commonly owned patent or published application as prior art.
(a) When any claim of an application or a patent under reexamination is rejected under 35 U.S.C. 103 on a U.S. patent or U.S. patent application publication which is not prior art under 35 U.S.C. 102(b), and the inventions defined by the claims in the application or patent under reexamination and by the claims in the patent or published application are not identical but are not patentably distinct, and the inventions are owned by the same party, the applicant or owner of the patent under reexamination may disqualify the patent or patent application publication as prior art. The patent or patent application publication can be disqualified as prior art by submission of:

(1) A terminal disclaimer in accordance with 1.321(c); and

1.321(c)
c) A terminal disclaimer, when filed to obviate judicially created double patenting in a patent application or in a reexamination proceeding except as provided for in paragraph (d) of this section, must:
(1) Comply with the provisions of paragraphs (b)(2) through (b)(4) of this section;
(2) Be signed in accordance with paragraph (b)(1) of this section if filed in a patent application or in accordance with paragraph (a)(1) of this section if filed in a reexamination proceeding; and
(3) Include a provision that any patent granted on that application or any patent subject to the reexamination proceeding shall be enforceable only for and during such period that said patent is commonly owned with the application or patent which formed the basis for the judicially created double patenting.


Can't he give the original filer the credit for "Prior Art" or, File a "New Patent" on the "HACK"? Plainly outlined, demonstrated and documented, hold a press conference to describe in detail the application filing and be done with it?

Oh the fun of defending free speech!

Must be free to highlight problems (2, Insightful)

bytesandpieces (1069308) | more than 7 years ago | (#18170454)

The work of computer security professionals to reveal RFID vulnerabilities is integral to ensuring that the privacy, personal security, and public safety of millions of Americans are properly safeguarded.

With the Department of Homeland Security expected to release the Real ID regulations very soon and dictate what type of machine readable technology will be in every drivers' license and whether it will contain RFID chips, and the Department of State starting to roll out RFID-embedded passports, it is particularly important that the government and the public have all the information about RFID technology and understand that the use of RFID technology without proper protections can seriously threaten privacy, personal security, and public safety.

Lots more info about this story and RFID vulnerabilities at www.aclunc.org/techblog

Patent? (0)

Anonymous Coward | more than 7 years ago | (#18171386)

Can someone explain to me what a patent on the technology has to do with a presentation? Patents are, by definition, public material. They are supposed to describe some device and in exchange for making that information public the government grants the holder certain rights for a limited period of time. Making it public does not mean that it is public domain in the sense that it is free for the public to use, rather that the information about the device is public. So, how could talking about a patent be a breach of patent laws? If they were selling a device that was based on patent protected designs, then that's one thing. But TALKING about a product doesn't seem like it should be covered under patent law. If it were a trade secret, or the presenter was reading directly from a copyrighted work then that's something else, but a presentation on a patented product???

I'm obviously not a lawyer, edumacate me.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?