HID pressured IOActive to remove all references to the company and its products; claiming that IOActive's original presentation included patented HID intellectual property.
IOActive as of early Wednesday had decided to pull its entire presentation, entitled "RFID for beginners." But after hours of negotiation with HID, IOActive ultimately decided to deliver a revised presentation. Whereas the original IOActive presentation contained HID schematics and source code protected by patents, the presentation that Black Hat attendees saw made no mention of HID or its technology by name.
The back and forth between HID and IOActive proves just how delicate a line security researchers walk when they seek to present their work to the public. IOActive contends that its intention was to raise awareness among security practitioners regarding the vulnerabilities of proximity access card technology, and "to highlight the idea that no technology should be the sole mitigating control protecting important organizational assets," company founder and president Joshua Pennell said in a statement on IOActive's Web site.
Technology vendors have not been able to escape the security research community's growing reach, and those with any sense understand the necessity of occasionally enduring the glare of the spotlight. "If one guy finds a problem, then 10 guys have found it," says James Lewis, director of the technology and public policy program for the Center for Strategic and International Studies, a bipartisan, nonprofit Washington, D.C. policy think tank. "The speed at which cyber criminals look for and often find vulnerabilities is startling."
Just as crucial, however, is the security researcher's willingness to give vendors a chance to fix any security problems with their products. "When a researcher just posts their findings without giving the company the chance to react, that's a legitimate complaint," Lewis says.
The key is to strike the kind of balance that ultimately was on display at Black Hat between HID and IOActive. "The fact that IOActive went on with its presentation anyway tells me that they understand that the best outcome was not to squash the issue," Lewis says.
IOActive had already demonstrated ways to exploit proximity access cards earlier this month at the RSA Security Conference, and HID has likewise acknowledged certain vulnerabilities in its proximity card technology. At RSA, IOActive showed attendees how a proximity access card, of the kind that HID sells, could be cloned and used to gain access to an otherwise secure facility.
HID claims that it did not know about IOActive's RSA demonstration until HID employees found out about it at the show. HID and IOActive made contact in the weeks following the RSA conference, with the result of HID last week sending IOActive a letter informing the security research firm that they could be infringing on HID intellectual property, says Kathleen Carroll, HID's director of government relations.
IOActive's Web site throughout Wednesday included a statement from Pennell saying, "HID Global Corporation learned of our intended briefing, contacted IOActive, and demanded that IOActive refrain from presenting our findings at the BlackHat [sic] Convention, on the basis that 'such presentation will subject you to further liability for infringement of HID's intellectual property.'"
In the end, IOActive's change of heart does more to further the company's cause and educate security professionals than if the IOActive researchers had packed up and headed for the airport.