Feeds

State bill would turn RFID researchers into felons

If white hats are outlawed...

  • alert
  • submit to reddit

Top three mobile application threats

The sponsor of a controversial bill before the Nevada legislature has promised to introduce amendments after security experts and civil libertarians warned it would make felons of people studying privacy threats involving RFID, or radio frequency identification.

In its present form, Senate Bill 125 (PDF) would make it a felony for anyone to possess, read or capture the personally identifying RFID information of others without their consent. Without changes, the legislation would prevent the testing and demonstrating of RFID weaknesses in a state that hosts Defcon and Black Hat, the biggest hacker conference and one of the biggest security conferences respectively.

State Senator David Parks, the original sponsor of the bill, said he intends to amend the bill on Monday to exempt people carrying out "legitimate research." Security experts say that is important because the bill as it's now written would seriously impinge on their ability to test the security of RFID in real-world scenarios.

"The ability to be able to take this RFID technology into the real world and actually show it to people is pretty crucial because there is a lot of misunderstanding about the technology and people need practical demonstrations of things in order to understand the weaknesses in it," said Chris Paget, who last month demonstrated a low-cost mobile platform that can clone large numbers of unique RFID tags embedded in US passport cards and next generation drivers licenses. "It definitely needs an exception."

Paget's $250 RFID war-driving device managed to clone three passport card RFID tags during a 20-minute drive in downtown San Francisco. The exercise was legal because it was conducted in California, where an anti-skimming measure that became law last year expressly exempts skimming "in the course of an act of good faith security research, experimentation, or scientific inquiry."

The safe-harbor provision was added after the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California pushed for it. Lee Tien, a senior staff attorney for the EFF, said a similar exemption is needed in Nevada as well.

"Because the privacy risks of RFID include the likelihood that malevolent entities will 'skim' individuals' RFID-enabled devices in public places without their knowledge, it is important that security researchers be able to lawfully demonstrate that these vulnerabilities exist in real-world settings – not only in controlled conditions," he wrote in a letter sent to the Senator Terry Care, Chairman of the Senate Judiciary Committee, where the bill will be introduced Monday.

Nevada is one of a handful of states with a legislature that meets only once every two years. That means legislation often moves very quickly with little opportunity for changes.

"We have a politically realistic window of Monday morning at 9 am in Carson City to let the legislators know that there is a major problem with this bill," said Ira Victor, president of the Sierra Nevada chapter of InfraGard, which acts as a liaison between the FBI and private enterprise to protect cybersecurity and critical infrastructure.

That's 9am Nevada time. The hearing is expected to be viewable by webcast at this link. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Burnt out on patches this month? Oracle's got 104 MORE fixes for you
Mass patch for issues across its software catalog
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
Oracle working on at least 13 Heartbleed fixes
Big Red's cloud is safe and Oracle Linux 6 has been patched, but Java has some issues
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.