Feeds

State bill would turn RFID researchers into felons

If white hats are outlawed...

  • alert
  • submit to reddit

SANS - Survey on application security programs

The sponsor of a controversial bill before the Nevada legislature has promised to introduce amendments after security experts and civil libertarians warned it would make felons of people studying privacy threats involving RFID, or radio frequency identification.

In its present form, Senate Bill 125 (PDF) would make it a felony for anyone to possess, read or capture the personally identifying RFID information of others without their consent. Without changes, the legislation would prevent the testing and demonstrating of RFID weaknesses in a state that hosts Defcon and Black Hat, the biggest hacker conference and one of the biggest security conferences respectively.

State Senator David Parks, the original sponsor of the bill, said he intends to amend the bill on Monday to exempt people carrying out "legitimate research." Security experts say that is important because the bill as it's now written would seriously impinge on their ability to test the security of RFID in real-world scenarios.

"The ability to be able to take this RFID technology into the real world and actually show it to people is pretty crucial because there is a lot of misunderstanding about the technology and people need practical demonstrations of things in order to understand the weaknesses in it," said Chris Paget, who last month demonstrated a low-cost mobile platform that can clone large numbers of unique RFID tags embedded in US passport cards and next generation drivers licenses. "It definitely needs an exception."

Paget's $250 RFID war-driving device managed to clone three passport card RFID tags during a 20-minute drive in downtown San Francisco. The exercise was legal because it was conducted in California, where an anti-skimming measure that became law last year expressly exempts skimming "in the course of an act of good faith security research, experimentation, or scientific inquiry."

The safe-harbor provision was added after the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California pushed for it. Lee Tien, a senior staff attorney for the EFF, said a similar exemption is needed in Nevada as well.

"Because the privacy risks of RFID include the likelihood that malevolent entities will 'skim' individuals' RFID-enabled devices in public places without their knowledge, it is important that security researchers be able to lawfully demonstrate that these vulnerabilities exist in real-world settings – not only in controlled conditions," he wrote in a letter sent to the Senator Terry Care, Chairman of the Senate Judiciary Committee, where the bill will be introduced Monday.

Nevada is one of a handful of states with a legislature that meets only once every two years. That means legislation often moves very quickly with little opportunity for changes.

"We have a politically realistic window of Monday morning at 9 am in Carson City to let the legislators know that there is a major problem with this bill," said Ira Victor, president of the Sierra Nevada chapter of InfraGard, which acts as a liaison between the FBI and private enterprise to protect cybersecurity and critical infrastructure.

That's 9am Nevada time. The hearing is expected to be viewable by webcast at this link. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.