HID Responds to IOActive Withdrawal from Black Hat Event

Access control vendor says no threats were made, that concern was over intellectual property


IOActive, a tech security and IT engineering company that made waves recently with its claims to be able to clone proximity cards from vendor HID Global, has withdrawn from a Black Hat conference in Washington, D.C. after a session of meetings with HID over issue of intellectual property.

Though InfoWorld reported that HID had "threatened" IOActive, HID's Kathleen Carroll (a regular columnist on SecurityInfoWatch.com) reported that simply wasn't the case.

On the behalf of HID, she released a statement noting that "HID Global did not threaten IOActive or Chris Paget, its director of research and development, to stop its presentation at the Black Hat event." Carroll's statement said that HID was surprised that IOActive had decided to cancel the presentation, and that HID had simply been requesting that IOActive respect the intellectual property rights and not publish HID IP at the show.

The scuffle started recently with a video on InfoWorld where IOActive claimed to be able to clone any HID prox card. Carroll, in a recent column on SecurityInfoWatch.com, noted that while prox cards can be cloned, "controlled setting" hacks like the one Paget and company had orchestrated were not necessarily relevant in the real world, where security is delivered in layers. Paget responded with a statement to the media calling the prox card technology simpler "than a Furby", but said his small company was not in a position to face a legal battle. Carroll has argued that prox card technology is by no means considered the most secure access control technology, and that high-security areas should be using smart card technology -- which has a much higher level of security in the manner with which it transmits data.

This was not the first time issues of legality had affected the Black Hat conferences. At a 2005 event, Cisco Systems attempted to block a presentation on its own vulnerabilities by former ISS researcher Michael Lynn who made the presentation nonetheless (despite protests from his own employer, Atlanta-based ISS). That scuffle drifted on for sometime, with Lynn later going to work for Cisco rival Juniper Networks and in the late summer of 2006, publicly crashing a Cisco party. The security issue had stemmed from a buffer overflow weakness that Lynn had discovered.

See our earlier column on the subject of what it means that HID's prox cards could be cloned.