News
2/28/2007
04:57 PM

Black Hat 'RFID' Compromise Is A Win For Security

The deal between HID and IOActive shows how delicate a line security researchers walk when they seek to present their work to the public.

In an eleventh-hour change of heart, risk management and security services firm IOActive on Wednesday went through with its Black Hat conference RFID security presentation, minus any mention of access-control security provider HID Global Corp.

HID had pressured IOActive to remove all references to the company and its products, claiming that IOActive's original presentation included patented HID intellectual property.

As of early Wednesday, IOActive had decided to pull its entire presentation, entitled "RFID for beginners." But after hours of negotiation with HID, IOActive ultimately decided to deliver a revised presentation. Whereas the original IOActive presentation contained HID schematics and source code that HID says its patents cover, the presentation that Black Hat attendees saw made no mention of HID or its technology by name.

The back-and-forth between HID and IOActive shows just how delicate a line security researchers walk when they seek to present their work to the public. IOActive contends that its intention was to raise awareness among security practitioners regarding the vulnerabilities of proximity access card technology, and "to highlight the idea that no technology should be the sole mitigating control protecting important organizational assets," company founder and president Joshua Pennell said in a statement on IOActive's Web site.

Technology vendors have not been able to escape the security research community's growing reach, and those with any sense understand the necessity of occasionally enduring the glare of the spotlight. "If one guy finds a problem, then 10 guys have found it," says James Lewis, director of the technology and public policy program for the Center for Strategic and International Studies, a bipartisan, nonprofit Washington, D.C. policy think tank. "The speed at which cyber criminals look for and often find vulnerabilities is startling."

Just as crucial, however, is the security researcher's willingness to give vendors a chance to fix any security problems with their products. "When a researcher just posts their findings without giving the company the chance to react, that's a legitimate complaint," Lewis says.

The key is to strike the kind of balance that ultimately was on display at Black Hat between HID and IOActive. "The fact that IOActive went on with its presentation anyway tells me that they understand that the best outcome was not to squash the issue," Lewis says.

IOActive had already demonstrated ways to exploit proximity access cards earlier this month at the RSA Security Conference, and HID has likewise acknowledged certain vulnerabilities in its proximity card technology. At RSA, IOActive showed attendees how a proximity access card, of the kind that HID sells, could be cloned and used to gain access to an otherwise secure facility.

HID claims that it did not know about IOActive's RSA demonstration until HID employees found out about it at the show. HID and IOActive made contact in the weeks following the RSA conference, and last week HID sent IOActive a letter informing the security research firm that it could be infringing on HID intellectual property, says Kathleen Carroll, HID's director of government relations.

IOActive's Web site throughout Wednesday included a statement from Pennell saying, "HID Global Corporation learned of our intended briefing, contacted IOActive, and demanded that IOActive refrain from presenting our findings at the BlackHat [sic] Convention, on the basis that 'such presentation will subject you to further liability for infringement of HID's intellectual property.'"

In the end, IOActive's change of heart does more to further the company's cause and educate security professionals than if the IOActive researchers had packed up and headed for the airport.
