Feeds

State bill would turn RFID researchers into felons

If white hats are outlawed...

  • alert
  • submit to reddit

Internet Security Threat Report 2014

The sponsor of a controversial bill before the Nevada legislature has promised to introduce amendments after security experts and civil libertarians warned it would make felons of people studying privacy threats involving RFID, or radio frequency identification.

In its present form, Senate Bill 125 (PDF) would make it a felony for anyone to possess, read or capture the personally identifying RFID information of others without their consent. Without changes, the legislation would prevent the testing and demonstrating of RFID weaknesses in a state that hosts Defcon and Black Hat, the biggest hacker conference and one of the biggest security conferences respectively.

State Senator David Parks, the original sponsor of the bill, said he intends to amend the bill on Monday to exempt people carrying out "legitimate research." Security experts say that is important because the bill as it's now written would seriously impinge on their ability to test the security of RFID in real-world scenarios.

"The ability to be able to take this RFID technology into the real world and actually show it to people is pretty crucial because there is a lot of misunderstanding about the technology and people need practical demonstrations of things in order to understand the weaknesses in it," said Chris Paget, who last month demonstrated a low-cost mobile platform that can clone large numbers of unique RFID tags embedded in US passport cards and next generation drivers licenses. "It definitely needs an exception."

Paget's $250 RFID war-driving device managed to clone three passport card RFID tags during a 20-minute drive in downtown San Francisco. The exercise was legal because it was conducted in California, where an anti-skimming measure that became law last year expressly exempts skimming "in the course of an act of good faith security research, experimentation, or scientific inquiry."

The safe-harbor provision was added after the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California pushed for it. Lee Tien, a senior staff attorney for the EFF, said a similar exemption is needed in Nevada as well.

"Because the privacy risks of RFID include the likelihood that malevolent entities will 'skim' individuals' RFID-enabled devices in public places without their knowledge, it is important that security researchers be able to lawfully demonstrate that these vulnerabilities exist in real-world settings – not only in controlled conditions," he wrote in a letter sent to the Senator Terry Care, Chairman of the Senate Judiciary Committee, where the bill will be introduced Monday.

Nevada is one of a handful of states with a legislature that meets only once every two years. That means legislation often moves very quickly with little opportunity for changes.

"We have a politically realistic window of Monday morning at 9 am in Carson City to let the legislators know that there is a major problem with this bill," said Ira Victor, president of the Sierra Nevada chapter of InfraGard, which acts as a liaison between the FBI and private enterprise to protect cybersecurity and critical infrastructure.

That's 9am Nevada time. The hearing is expected to be viewable by webcast at this link. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.