Now I'm less convinced than ever that HID is tuned into this whole information technology thing, with its confusing array of computers, software, networks, vulnerability assessments, hackers, and IT security. I guess it's just too much for an old-fashioned company like HID to really comprehend.
So it shouldn't surprise us that shortly after I wrote about IOActive's cleverly designed proximity card cloner, HID threatened to sue the little company to keep it from talking.
Here are two related stories: Reality Check and Lawsuits.
IOActive is a security company whose sole purpose is to make computing and networking systems stronger, better, and safer to use. By constructing a simple device using $20 of parts available mostly from Radio Shack, the company could demonstrate the fundamental lack of security that ALREADY EXISTED in proximity cards and readers, like those from HID.
HID marketing materials actually promote that weakness in order to highlight the relative security of the "smarter" iClass cards. But does HID want the IT security community to help its clients to improve security and eliminate the false sense of security they may have from using insecure prox cards? No. HID would rather sue.
By threatening to sue - or whatever it was that they threatened to get IOActive to not share their best practices with the rest of the world - HID probably will bring down the wrath of the unharnessed cracker (evil-hacker) community. I predict that HID's little performance with IOActive and the Black Hat conference will only draw hacker and cracker attention to the problem.
When hackers get together and giggle about cracking HID cards, the jig is up. It's time for a forklift upgrade to iClass or other higher security products. It's not time to sue fellow security professionals who simply want to fix a problem that HID has ignored.