Surprise: Attempt To Suppress Security Research Blows Up In Company's Face
from the instant-karma dept
The big story out of last week’s Black Hat security conference was that HID Global, a maker of RFID-based door entry cards, managed to prevent a demonstration of how their products were vulnerable to cloning. What made their threats particularly odious was their claim that the presenters were somehow engaging in patent infringement by demonstrating the attack. More broadly, however, this kind of intimidation is almost always a mistake. It only made the company look like bullies with something to hide. It seems that the company may already be paying the consequences for its heavy-handed actions, as the DHS is said to now be examining the vulnerability further. HID Global is now backtracking, saying that it never intended to prevent the presentation from happening, although they don’t seem to explain how everybody got that impression. Either way, any hope that the company had in keeping this threat quiet is now totally lost.
Comments on “Surprise: Attempt To Suppress Security Research Blows Up In Company's Face”
Change Icon
I think it’s time you create a “Barbra Streisand” icon to identify these types of stores 🙂
Re: Change Icon
I second that motion.
Hmmm...
If HID Global really wants to convince anybody that a claim of patent infringement and suing IOActive down to their belly-button lint wasn’t intended to prevent the demo, they’re going to have to take drastic action.
May I suggest that they take the lawyer who wrote the letter AND the president of HID out, and, in public, string them up by their thumbs and give them fifty scarring lashes?
Of course, this is NOT intended to advocate any sort of punitive action against HID or anyone associated with it.
Aren’t we due an energy efficent light bulb logo before we get one of Babbs?
DHS? Really?
I’m not sure on what grounds the DHS is investigating this. I mean, not unless it’s personal or something.
“Hey, Bob, come check this article out.”
“Hmmm. Yeah? So?”
“Well, aren’t those the keycards that WE use?”
“Ohhhhhh…. shit.”
Re: DHS? Really?
Actually, you’re pretty close. Aren’t something like 300 million cards like this in use around the country? I have two here on my desk: one from my former Unix OS Developer job, and now for my current Government Security Analyst job. Which system would DHS prefer not be hackable by their imaginary nefarious people? the OS which drives the stock market, or the unnamed government office where I may or may not currently work?
This is one DHS effort which, at last, doesn’t make them look bumbling and stupid.
Patent Laws Should Stop ID Theft
Gosh, I think that if people knew that cloning security cards violated a patent, they wouldn’t do it. I would imagine that a well run, professional criminal organization would do patent checks on all of the devices that they develop in their criminal career.
I’ve used the RFID cards, and I have seen how little time they take to have a new value written on one. THe machines for writing them are readily avaliable, as are the machines for printing ID cards, so making a fake ID card with key would not be too difficult. Presumably HID sells writers for these cards so they can be re-used.
Our evaluation
We have dropped HID from consideration in our corporate ID card implementation. Since they don’t support open discussion of security issues we cannot be assured they provide a secure prouct and more importantly, feel security is important.