But the company that makes the chips has blocked him from explaining the flaw to others, saying it would violate its intellectual property rights.
Paget, the director of research and development for computer security company IOActive, planned on giving a presentation at a conference in February on the dangers of radio frequency identification (RFID) chips. The devices store information and share it wirelessly, allowing data to be collected from a credit card or a passport by simply swiping the item past a reader. The same technology is used for express toll lanes, such as the E-Z Pass system used by several states.
Using about $20 worth of equipment bought on eBay, Paget wanted to show the audience how easy it was to make a handheld reader that could copy RFID signals. "It's not complicated," Paget told ABC News. "If you can understand an off-the-shelf electronics hobby kit...then it's easy."
But HID Global, the company that produces the chips Paget used as an example, sent Paget a letter telling him his presentation infringed on its patents for legitimate RFID card readers. Paget says the company threatened litigation if he did not stop.
Unable to afford a legal battle, Paget removed the disputed information from his presentation. He has posted a redacted version of his presentation on the IOActive Web site.
"We've been forced to give up all our RFID research," Paget said. "Using patent law in this way is a horrific blow to the security community, when the big corporations stifle researchers by wielding this big legal axe."
Kathleen Carroll, director of government relations for HID Global, said that it was "absolutely not" the company's intention to stifle researchers. She cited an unwritten code of conduct for hackers who uncover security flaws. "HID appreciates the information hackers bring as long as they act responsibly. They're supposed to come to us first," she said.
Both Paget and Carroll agree that people have known about this particular security flaw for some time. And both say that most devices, including passports, have other security measures to protect personal information. But unauthorized signal reading is the first step in cracking these more complex devices.
"All we were trying to do was raise awareness of the issue," Paget said. "We're disappointed. There are a lot of ways the technology could be improved."