Cancelled hacking demo raises RFID red flag

An incident that may have exposed new security risks inherent in radio frequency identification technology has gained the attention of the Computer Emergency Response Team within the Homeland Security Department.

The dispute occurred Feb. 28 at the Black Hat federal IT security conference in Washington. At the event, consulting firm IOActive Inc. of Seattle said it cancelled its prescheduled demonstration of how to hack an RFID chip due to complaints from RFID chip maker HID Corp. of Irvine, Calif.

A member of the department's computer emergency response team, along with representatives from the American Civil Liberties Union, participated in a panel discussion with IOActive immediately after the cancellation, and they said DHS intends to examine the alleged RFID security vulnerabilities, according to media reports.

IOActive initially intended to demonstrate a device to clone RFID chips. However, it pulled the demonstration, reportedly under threat of legal action.

"IOActive's intention was to raise awareness among security practitioners regarding the vulnerabilities of this technology, and to highlight the idea that no technology should be the sole mitigating control protecting important organizational assets," Joshua Pennell, IOActive's president, wrote in a statement posted on the company's Web site.

Pennell wrote that the company was contacted by HID Global and told to refrain from presenting its findings because of possible patent infringement.

HID has denied that it threatened IOActive or asked it to cancel the briefing.

"Under no circumstance has HID asked IOActive ? to cancel their presentation. In fact, we were surprised by their decision to cancel the presentation and to attribute the cancellation to a threat from HID. This was not, and never was, HID's position," according to a news release distributed by HID on several Web sites.