The annual Black Hat conference in Las Vegas has become one of the premier venues for exposing lax security practices that put the unwashed masses at risk. In an interesting twist, a researcher is calling out conference organizers for supplying 4,500 attendees with an RFID-enabled badge that has widely known security weaknesses …
Public data encryption
Ummm. maybe i am missing the point. So the complaint is that Black Hat did not encrypt data that requires no encryption. So they are supposed to encrypt stuff only because they are a security organization? I also know for a fact that the information on my paper badge was in plain English too. I am pissed. Next year they should at least make the badges and all reference material in ancient Egyptian hieroglyphs.
One interesting security angle to this is that if the cards can be changed maliciously, then any data gathered from a card reader must be considered potentially malicious, and sanitized before use.
I'd bet that there are a quite a few apps out there which make the assumption that the data on a card will be in perfect condition, and certainly not actively trying to break something.
*changes name to jeff' or 1==1; -- a la XKCD :)
I thought that the whole point in the badges was that they're hackable. Don't they do this every year? Waiting for a 'whoosh'.
Missed the point?
Er, surely using badges with well publicised security flaws for playing vendor bingo is irony? Sounding off at Black Hat for using an insecure system where security isn't needed - and one which is wrongly used where security *is* needed - shows someone completely missing the point. Or am I being blonde?
I would think that would be a good thing. Changing your info to give false ones to the vendor's so they don't call everyday.
Not Black Hat. The Vegas event taking place on the subsequent weekend, DEFCON, encourages attendees to hack their badges. A fine tradition, and I believe there is even a contest around it. I've always been too busy playing"spot the Fed"to whip out some C code for a PIC, however.
"The new Black Hat badges are intended as a way for attendees to wirelessly zap their contact information to vendors"
"the badges don't store attendees' personal information, so even if someone cracks a card, no one's privacy is compromised"
So is contact information, personal information? I would think so, I don't want every vendor and hacker trying to email me. While writing my email address in a log book, or handing them a business card isn't 3leet hacker secure, broadcasting my info to everyone at a hacker con IS kinda lame.
And the thing is, they probably required you to provide a valid email address when you registered, then programmed it into this thing and said here you need to walk around with this.
Step 1. steal my name and email address from my ID and the friend I'm walking around with.
Step 2. forge email from friend to me, hell spoof a whole conversation with link to a cool new website.... I'm sure it's safe.
I initially thought that too, but on second thoughts:
1) In order to clone someone's card, you need to read data from the real card.
2) In order to use a cloned card to get someone's contact info from the back-end database, you need access to the database.
If you can carry out both of those steps, chances are you could just have got their details from the database anyway by swiping the card, without any breach of the card's security, since that's what the system was designed to do.
There may be some attack which becomes possible by splitting the usual process into two distinct steps as above, or there may not. There are also some nuisance and alibi-style attacks, where you use a clone of someone's card to sign them up for stuff when they're not actually present. If the card were used for entry to the event as well, then of course you could use a clone of someone's card to get in free (and possibly stop them getting in).
But I'm not sure that the cloning weakness actually allows access to any personal data that isn't already accessible simply by swiping the card. Maybe the Black Hat organisers will comment.