

RFID Security Service, Tools on Tap

New audit service and appliance to target RFID customers looking to lock down their systems

PacketFocus next week will launch one of the industry's first commercial RFID security auditing services -- and it's building an RFID security appliance as well, Dark Reading has learned.

RFID security has landed front and center during the past few months, with researchers demonstrating the ease of passport-hacking, card-cloning, and SQL injection attacks on RFID systems. Even so, many organizations still run less-secure, early-generation RFID systems, and do little to secure them. (See RFID Under Attack Again, Black Hat Cancels RFID Demo, HID, IOActive Butt Heads Again, and New RFID Attack Opens the Door.)

PacketFocus's new RFID security auditing service will identify policy and procedures for RFID, as well as check out reader and tag security, and how they are configured. "We'll look at passwords, RFID middleware, and how readers communicate with the middleware," says Joshua Perrymon, PacketFocus's CTO. "The service highlights potential vulnerabilities. You need to know what kind of risk you have in your network once you've brought RFID in."

Perrymon expects the main weak spots the audits will detect to be input validation -- filtering out irrelevant characters -- and how RFID tags and readers handle passwords, along with whatever policies and procedures an organization has or has not put in place, he says. PacketFocus will offer the RFID security auditing service under a new division called RFID Audit Group, he says.
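The two weak spots named above, input validation and SQL injection through tag data (the attack class mentioned earlier in the article), come together in the middleware layer that stores reader output. The following is an added example, not PacketFocus code or part of the original article: it assumes tags carry a 96-bit EPC (24 hex characters) and that the middleware keeps reads in a SQLite table named `inventory`. A read is only stored if it matches the expected EPC shape, and even then it is bound as a query parameter rather than spliced into the SQL text, so a tag programmed with SQL syntax is rejected before it ever reaches the database. The sample reads are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample reads: a well-formed 96-bit EPC, a tag whose payload is
# SQL syntax rather than an identifier, and a read that is the wrong length.
SAMPLE_READS = [
    "3034257BF7194E4000001A85",
    "'; DROP TABLE inventory; --",
    "3034257BF7194E40",
]

# Assumption: every legitimate tag carries a 96-bit EPC, i.e. exactly 24 hex digits.
EPC96_HEX = re.compile(r"[0-9A-Fa-f]{24}")


def validate_epc(raw):
    """Return the normalised (upper-case) EPC, or None if the read is not a 96-bit EPC."""
    if not isinstance(raw, str):
        return None
    candidate = raw.strip().upper()
    if EPC96_HEX.fullmatch(candidate) is None:
        return None
    return candidate


def open_middleware_db():
    """Create the in-memory inventory table the hypothetical middleware writes to."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE inventory (epc TEXT NOT NULL, reader_id TEXT NOT NULL)"
    )
    return conn


def record_read(conn, raw_tag, reader_id):
    """Validate a tag read and store it; returns True if stored, False if rejected."""
    epc = validate_epc(raw_tag)
    if epc is None:
        return False
    # Parameterised statement: the tag value is bound as data, never as SQL text,
    # so it cannot change the shape of the query even if validation were loosened.
    conn.execute(
        "INSERT INTO inventory (epc, reader_id) VALUES (?, ?)", (epc, reader_id)
    )
    return True


def process_reads(reads, reader_id="reader-01"):
    """Run a batch of reads through validation; return the accepted EPCs and row count."""
    conn = open_middleware_db()
    accepted = [r for r in reads if record_read(conn, r, reader_id)]
    stored = conn.execute("SELECT COUNT(*) FROM inventory").fetchone()[0]
    conn.close()
    return accepted, stored


if __name__ == "__main__":
    accepted, stored = process_reads(SAMPLE_READS)
    print("accepted:", accepted)
    print("rows stored:", stored)
```

The regular expression is the "filtering out irrelevant characters" step; the parameterised `INSERT` is the defence that holds even when a validation rule is missing or too loose, which is why an audit of reader-to-middleware communication should check for both.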

Meanwhile, it's also developing an RFID security appliance that detects and reports attacks, called RF Defender, he says. The appliance, which will be priced between $40,000 and $50,000, will sit with the RFID reader, and can be used in both access-control and supply chain-type RFID environments, he says.

"The appliance has multiple sensors and integrates into the RFID environment. We not only look at the RFID reads, we correlate with the middleware and other layers to provide a holistic view of the RFID system. This allows us to correlate events and detect attacks in-depth," he says. The product will detect denial of service, and password-type attacks, for instance.

Perrymon, who says RF Defender won't be officially announced for a couple of months, acknowledges that the RFID security market is still young. "I know it's not huge right now, but it will be very huge in a couple of years."

The ultimate goal of the new RFID security auditing service, he says, is to flip-flop the conventional wisdom of going operational before securing the system: "We're going to do security before going operational."

RFID security expert Adam Laurie says RFID security auditing makes sense. "There's a need for it. At the moment it seems the industry has put blind faith in" RFID, he says. "I think this would be for people to be made aware of what actually are the potential security issues... And the sooner they are addressed, the better."

PacketFocus joins a relatively deserted RFID security market with few suppliers. Netherlands-based Riscure does RFID security testing, for instance, and there's a research project in Europe called RFID Guardian, an RFID firewall.

But Laurie, who at Black Hat Europe showed how it was possible to reprogram RFID tags and duplicate a legitimate user's building cardkey using code based on his RFIDIOt tools, says RFID devices such as a firewall may be overkill. "I think a lot of these are like using a sledgehammer to crack a nut."

Chris Paget, director of R&D for IOActive, says an RFID firewall or similar approach may be irrelevant: "If the card in your pocket is insecure, there's not a lot you can do to protect the system. No matter what you do with it, it cannot be trusted," he says. Meanwhile, he says, he's interested in learning more about the features of PacketFocus's RF Defender appliance.

PacketFocus expects the supply chain sector in automotive, pharmaceuticals, large retail, and the Defense Department to be the biggest draw for its RFID security audit service initially. Perrymon made sure the service syncs with the National Institute of Standards and Technology's (NIST) Guidelines for Securing Radio Frequency Identification Systems announced last month, which is aimed at retailers, manufacturers, hospitals, federal agencies, and companies that use RFID in their supply chains.

"NIST doesn't [address] RFID access control," Perrymon says. "But the beauty of [our service] is you can apply it to anything," including building-access systems.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
