Brief: Black Hat Spat Shows Security Researchers Walking A Fine Line

Researcher pulled its presentation, then gave a stripped-down version.

Larry Greenemeier, Contributor

March 3, 2007


In an eleventh-hour change of heart, a security research firm at last week's Black Hat conference went through with a presentation on RFID weaknesses--though without mention of a vendor that had threatened to hold it liable for exposing intellectual property.

The spat between researcher IOActive and HID Global is reminiscent of a 2005 dustup in which Cisco Systems sued researcher Michael Lynn for his presentation at the security conference. Lynn showed how hackers could control a company's Cisco-powered network if it left a vulnerability unpatched. Cisco later dropped the suit.

At last week's conference, IOActive at first pulled its presentation, "RFID For Beginners," amid HID's assertion that IOActive risked "liability." After hours of negotiation, IOActive gave a presentation that removed HID and its schematics and source code.

The kerfuffle shows how delicate a line security researchers walk when presenting their work to the public. IOActive says its intention was to demonstrate, by showing proximity access card vulnerabilities, that no single technology could be counted on for security.

All major tech vendors face the security research community's scrutiny, but most understand the necessity of enduring it. "If one guy finds a problem, then 10 guys have found it," says James Lewis, a director at the Center for Strategic and International Studies.

It's no secret proximity cards can be exploited; IOActive gave a similar demo at February's RSA Conference, and HID has acknowledged vulnerabilities. We can count on two things: Flaws in tech products and spats over the researchers discussing them.
