Feeds

State bill would turn RFID researchers into felons

If white hats are outlawed...

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

The sponsor of a controversial bill before the Nevada legislature has promised to introduce amendments after security experts and civil libertarians warned it would make felons of people studying privacy threats involving RFID, or radio frequency identification.

In its present form, Senate Bill 125 (PDF) would make it a felony for anyone to possess, read or capture the personally identifying RFID information of others without their consent. Without changes, the legislation would prevent the testing and demonstrating of RFID weaknesses in a state that hosts Defcon and Black Hat, the biggest hacker conference and one of the biggest security conferences respectively.

State Senator David Parks, the original sponsor of the bill, said he intends to amend the bill on Monday to exempt people carrying out "legitimate research." Security experts say that is important because the bill as it's now written would seriously impinge on their ability to test the security of RFID in real-world scenarios.

"The ability to be able to take this RFID technology into the real world and actually show it to people is pretty crucial because there is a lot of misunderstanding about the technology and people need practical demonstrations of things in order to understand the weaknesses in it," said Chris Paget, who last month demonstrated a low-cost mobile platform that can clone large numbers of unique RFID tags embedded in US passport cards and next generation drivers licenses. "It definitely needs an exception."

Paget's $250 RFID war-driving device managed to clone three passport card RFID tags during a 20-minute drive in downtown San Francisco. The exercise was legal because it was conducted in California, where an anti-skimming measure that became law last year expressly exempts skimming "in the course of an act of good faith security research, experimentation, or scientific inquiry."

The safe-harbor provision was added after the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California pushed for it. Lee Tien, a senior staff attorney for the EFF, said a similar exemption is needed in Nevada as well.

"Because the privacy risks of RFID include the likelihood that malevolent entities will 'skim' individuals' RFID-enabled devices in public places without their knowledge, it is important that security researchers be able to lawfully demonstrate that these vulnerabilities exist in real-world settings – not only in controlled conditions," he wrote in a letter sent to the Senator Terry Care, Chairman of the Senate Judiciary Committee, where the bill will be introduced Monday.

Nevada is one of a handful of states with a legislature that meets only once every two years. That means legislation often moves very quickly with little opportunity for changes.

"We have a politically realistic window of Monday morning at 9 am in Carson City to let the legislators know that there is a major problem with this bill," said Ira Victor, president of the Sierra Nevada chapter of InfraGard, which acts as a liaison between the FBI and private enterprise to protect cybersecurity and critical infrastructure.

That's 9am Nevada time. The hearing is expected to be viewable by webcast at this link. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.