Researchers from IOActive had planned to demonstrate how the ID cards could be duplicated, showing how the badges might put a security system at risk. The demonstration was slated to be part of the Black Hat conference, a gathering of security consultants and others that often features demonstrations of system flaws, device vulnerabilities, and faulty code.

IOActive's chief executive, Joshua Pennell, noted in a conference call with reporters that the demo was canceled due to legal threats from HID Global, a seller of access control systems. Pennell stated that his company decided not to go forward and risk litigation, which could be devastating to a small company like IOActive.

Other Side

HID issued a statement that noted it did not make any threats, although it did inform IOActive of HID patents and stated that it would protect its intellectual property, according to news reports.

The company added that it was surprised the talk was called off, and acknowledged that, under certain conditions, it is possible to clone an access card.

The patent dispute could prompt more discussion of RFID security, already a hot topic in many security circles. At last year's Black Hat conference, a researcher demonstrated how passports that have radio tags could be duplicated, and suggested that building access cards could also be cloned.

Also likely to be a talking point in future discussions of this issue is the role of patents in security work. The topic was the subject of debate a few years ago, when a presentation on vulnerabilities in Cisco software was pulled from a conference over threat of litigation.

Security Office

The tussle between security researchers and the access control manufacturer highlights ongoing challenges about disclosure in the entire security community, said Ron O'Brien, senior security analyst at security firm Sophos.

Usually, the protocol for finding and reporting flaws involves letting a manufacturer or developer know first, and then waiting for a patch to be created before taking credit and releasing information about a vulnerability, O'Brien noted.

"A conference like Black Hat is designed to make vulnerability discovery into a collaborative effort, but the problem is that once you do that in a public show, there may be people who go against standard practice," he said.

RFID, in particular, is a tricky area because there is still speculation among researchers about whether it can be secured sufficiently. The fact that there might be conflict over IOActive's planned disclosures is not surprising, he said.

"When you get into things like demos of RFID vulnerabilities, it's a very gray area," said O'Brien. "Or, more accurately, it's a red area, because there's real danger here of educating people who might use the information maliciously."