Looks like HID hasn’t learned anything from Cisco’s experience two years ago. One of these years more vendors will learn how to manage vulnerability disclosure and follow the lead of companies like Microsoft and Cisco rather than sticking their foot in it.
Chris Paget, a well-respected researcher, is going to present at Black Hat Federal tomorrow on how to build your own proximity card cloner. InfoWorld broke the story yesterday. Some choice bits:
Asked why HID hasn’t addressed the issue in more recent proximity card systems, after knowledge of RFID threats became common, Carroll said that doing so would cause “major upheaval” among customers.
Inertia is a more likely cause, said Dan Kaminsky, director of penetration testing at IOActive.
“They didn’t want to change to a more secure implementation because of backwards compatibility issues, and they had a lot of sites that use these cards, and HID has stuff to sell them,” Kaminsky said.
Dan, as always, can be counted on to say something both interesting and provocative:
“The technology is very convenient, but don’t interpret the convenience as security,” Kaminsky said. “At the end of the day, many companies are essentially using barcode technology to control access to their facilities. I’d posit that perhaps there are more secure technologies out there.”
Jeff Moss, however, nails the real issue.
It’s just so frustrating from a security standpoint. Now anytime someone wants to talk about anything, they need a team of lawyers. Even when it’s about commonly understood problems.
[Update: HID is claiming that the talk infringes on their patents. As a result of the litigation threat, Chris Paget/IOActive are pulling the talk, and it will be replaced by a presentation from the ACLU about the privacy risks of RFID. Hopefully they will also cover the chilling effect that legal threats like this have on the entire security industry.]
[Update 2: Rob Lemos has much more detail.]