Black Hat event features RFID tiff, cybercrime update

WASHINGTON, D.C. – The Black Hat federal event in Washington, D.C. last week naturally showcased such speakers as a U.S. Department of Defense crime fighter, but it was controversy over a presentation about RFID security that generated the most noise.

IOActive, a small security consulting company, brought out some big guns to help defend itself against an RFID giant at the conference on Wednesday. Leveraging the American Civil Liberties Union (ACLU) and the U.S. Department of Homeland Security (DHS), IOActive hosted a panel discussion that turned into a pep rally to support its fight to disclose RFID security flaws that were detailed in a presentation quashed by RFID card vendor HID.

Chris Paget, IOActive’s director of R&D, originally planned to give a presentation titled “RFID for Beginners” that contained source code and schematics for building a device that can read RFID cards. The point of the demonstration was to show the security weaknesses of RFID technology – including HID’s building access cards, according to show materials. “The whole goal of this presentation was to get the information out there about how easy it is to clone these cards,” Paget said.

Legal action

Following what IOActive described as threats by HID of legal action regarding patent infringement leading up to the conference, Paget instead gave an edited version of the presentation, eliminating portions about security flaws in RFID.

The presentation, which ended up being a basic explanation of how RFID works, was followed by a panel discussion with speeches from the ACLU concerning the security and privacy issues surrounding RFID, and from DHS’ U.S. Computer Emergency Readiness Team about the importance of disclosing security flaws in technology.

Jeff Moss, founder and director of Black Hat, said the episode “is flashing me back to CiscoGate days,” referring to a similar incident two years ago at a Black Hat conference when then Internet Security Systems research analyst Michael Lynn gave a technical talk explaining how Cisco routers could be compromised remotely. That resulted in legal action and his dismissal from ISS.

Power of digital evidence

In the conference’s keynote address, a retired special agent said the emergence of digital evidence means investigators now have many more ways to find out who committed a crime and how, but it also means wading through near-endless amounts of data to arrive at those answers.

Jim Christy, now director of the Future Explorations unit of the Department of Defense’s Cyber Crime Center, said that considering all the electronic devices that the average person uses in the course of a day and how much information they collect, digital evidence can give investigators insight into a crime like no other type of evidence.

“I think digital evidence is more powerful than DNA evidence,” Christy said. “It can answer who, what, where, why and how; DNA can only tell you who.”

1% of criminal cases

Only about 1% of criminal cases introduce DNA evidence – contrary to what typically is portrayed on television crime dramas – because most of the time it’s not relevant, he said.

Christy walked the audience through an average person’s day and the digital trail of information collected about her actions. That trail includes the alarm clock that tells what time he woke up, a gas station video camera that taped when she pumped gas, and the cell phone that logged the times and recipients of her calls.

Searching through the information collected by devices can paint a more complete picture of a suspect than any other medium can, he said. For example, investigators can learn suspects’ movie preferences, biometrics, hobbies and possible motives through e-mail and instant-messaging conversations – even what they scoured a search engine for, he said.

“There’s a tremendous amount of evidence out there to help prove or disprove allegations,” Christy said. “The bad news is, the volume is tremendous.”