Security Researchers and Vendors Clash at Black Hat, Users Lose
The dustup revives the issue of how much license security researchers should be given when presenting their findings in the name of better security.
Perhaps the most interesting aspect of Wednesday's Black Hat conference sessions is what attendees won't see today. Missing is the session "RFID for beginners," which was pulled after access-control security provider HID Global Corp. got wind of presenter IOActive's plans to include patented HID intellectual property in the presentation.
The real controversy, however, is the impact this could have on the safety of RFID proximity badge technology.
HID claims that IOActive's presentation contained HID schematics and source code protected by patents and that HID earlier this week worked with IOActive to try to get the risk management and security services firm to modify its presentation. "We encouraged them to go forward as long as it didn't infringe on our intellectual property," says Kathleen Carroll, HID's director of government relations.
Although IOActive could not be reached in time for this story, a message on the company's Web site tells a slightly different story, where HID wanted the presentation shut down completely. "HID Global Corporation learned of our intended briefing, contacted IOActive, and demanded that IOActive refrain from presenting our findings at the BlackHat [sic] Convention, on the basis that 'such presentation will subject you to further liability for infringement of HID's intellectual property,'" according to a statement from IOActive founder and president Joshua Pennell.
Regardless, both companies agree that IOActive ultimately initiated the withdrawal of its presentation. This latest Black Hat dustup revives the issue of how much license security researchers should be given when presenting their findings in the name of better security.
IOActive already demonstrated ways to exploit proximity access cards earlier this month at the RSA Security Conference, and HID has already acknowledged certain vulnerabilities in its proximity card technology. At RSA, IOActive showed attendees how a proximity access card, of the kind that HID sells, could be cloned and used to gain access to an otherwise secure facility.
HID claims that it did not know about IOActive's RSA demonstration until HID employees found out about it at the show. HID and IOActive made contact in the weeks following the RSA conference, with the result that HID last week sent IOActive a letter telling the security research firm that it could be infringing on HID intellectual property, Carroll says. "On February 26, we asked to see the information to make sure they actually had our intellectual property," she adds. "They were unwilling to share with us anything other than a three-sentence synopsis of their presentation at Black Hat." That's when HID stepped up its efforts to, depending on whom you ask, either amend or cancel IOActive's presentation.
IOActive contends that its intention was to raise awareness among security practitioners regarding the vulnerabilities of proximity access card technology, and "to highlight the idea that no technology should be the sole mitigating control protecting important organizational assets," Pennell's statement says. Instead, "under advice of our counsel, IOActive has withdrawn its presentation at the BlackHat [sic] Briefings, in order to address the demands of HID Global Corporation, and to protect IOActive's researchers from adverse action."
While HID was "completely surprised" that IOActive pulled its entire presentation, Carroll says she doesn't think this will have a chilling effect on other security researchers. For one, while HID acknowledges that it's possible to clone some of its proximity access card technology, IOActive's demonstration was done in a controlled environment that didn't closely enough resemble how proximity cards are used in business and governmental security settings. IOActive says on its Web site that its research sought to validate theoretical attacks on proximity access card technology by taking them out of the academic realm and verifying "through actual implementation that such attacks might be practical and easily carried out."
Just like a presentation at a previous Black Hat conference that Cisco sought to shut down out of concern that flaws in its networking equipment would lead to security breaches, Wednesday's cancellation indicates that vendors and the security researchers they both love and hate have not yet found the right balance between disclosure and discretion. HID acknowledges that when it first introduced its proximity card access technology years ago, it was unaware that its cards could be cloned and used for malicious purposes. In fact, it was security researchers, most notably former University of Waterloo electrical engineering student Jonathan Westhues, who first pointed this out to HID.
But HID's Carroll likens a researcher's responsibility to reveal the truth about a technology's security to the same give and take associated with the First Amendment, which allows for free speech but doesn't protect an individual from panicking a crowd in a confined space by falsely claiming that a fire has broken out.
In the end, IOActive's inability to present its findings to the security community does a disservice to those looking to implement the best security technologies to protect their organizations. Let's hope security researchers and the vendors they target can get on the same page prior to Black Hat's next U.S.-based conference in July.