Time for Tech Companies to Stop Hiding from Security Problems
MythBusters, the television show that experimentally examines urban myths, old wives' tales, and other popular wisdom, apparently backed down from examining RFID security when pressed by legal representatives from Texas Instruments and leading credit card companies. That may have silenced some uncomfortable examination in the short run, but the companies have worked against their own long-term interests.
Show co-host Adam Savage put it bluntly:
"They [MythBusters production team] were way, way outgunned and they [lawyers] made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was. Discovery backed down, being a large corporation that depends upon the revenue of the advertisers. Now it's on Discovery's radar and they won't let us go near it."
Savage now seems to be stepping back from his remarks:
"There's been a lot of talk about this RFID thing, and I have to admit that I got some of my facts wrong, as I wasn't on that story, and as I said on the video, I wasn't actually in on the call," Savage said in the statement. "Texas Instruments' account of their call with Grant and our producer is factually correct. If I went into the detail of exactly why this story didn't get filmed, it's so bizarre and convoluted that no one would believe me, but suffice to say... the decision not to continue on with the RFID story was made by our production company, Beyond Productions, and had nothing to do with Discovery, or their ad sales department."
Read literally, however, the statement says nothing to contradict the claim that pressure from the companies over security issues is the reason the RFID program that eventually aired never addressed security.
It's not as though the security shortcomings of RFID are secret, but they haven't been common knowledge among consumers. TI, Visa, and the like might have wanted to keep things that way. That strategy could well blow up in their faces, and it shows just how clueless a lot of management is when it comes to understanding technology communities.
Sweeping dirt under the rug is a common corporate reaction, and it may work for a while. But eventually all that dirt forms a mound that you can't help but trip over, particularly when the topic is security and enough interested and able engineers, programmers, and technical aficionados know about the issue. Savage first told his story at The Last HOPE (Hackers on Planet Earth) summer conference sponsored by 2600: The Hacker Quarterly.
Engineers think and talk. Try to suppress information about serious product shortcomings and you're pouring gasoline on a fire. Professionals and amateurs are the reason we know about the DNS shortcomings, the iPhone holes, and even the carpet-bombing weakness found in Google's Chrome within 24 hours of the product's release.
The RFID vendors could have acknowledged the problems and worked on correcting them, perhaps by reducing the use of the chips in critical applications. But they didn't. By pressuring to keep the segment off the air, the companies have effectively thrown down the gauntlet to people who have both the inclination and the ability to publicly rub corporate noses in their own mess. When that happens, it will likely turn into a media story so widespread that there won't be enough corporate lawyers to hush all the talk.
RFID tagged leaf via Flickr user vanz, CC 2.0.