RFID dispute prompts DHS investigation

Published 8 March 2007

Black Hat conference atwitter after HID prevents IOActive from disclosing its tags’ vulnerability; DHS’s Computer Emergency Response Team will take a closer look at the issue

DHS’s Computer Emergency Response Team has inserted itself into an unpleasant rift between Seattle, Washington-based consulting firm IOActive and Irvine, California-based HID. According to the Dark Reading Web site, both companies were scheduled participants at last month’s Black Hat IT security conference in Washington, D.C. IOActive, however, did not participate for very long after HID learned that the company intended to demonstrate how to hack one of its RFID chips. “[We asked them] not to specifically target HID any more or less than any other vendor and to present solutions” to the problem, said HID’s Mike Davis. “It was not a cease and desist” order, he said, in response to claims that the company had threatened a lawsuit.

Nevertheless, if IOActive could not publicly detail its concerns, it succeeded in casting aspersions on HID’s product — aspersions that seemed doubly justified after the latter company’s threats. “IOActive’s intention was to raise awareness among security practitioners regarding the vulnerabilities of this technology, and to highlight the idea that no technology should be the sole mitigating control protecting important organizational assets,” said company president Joshua Pennell. Soon after the cancelled presentation, IOActive held a panel discussion with the American Civil Liberties Union and DHS’s computer team to examine the issue. As a result, DHS has decided to move forward and examine the alleged RFID vulnerabilities.
