Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

08:40 AM
Connect Directly

RFID Security Service, Tools on Tap

New audit service and appliance to target RFID customers looking to lock down their systems

PacketFocus next week will launch one of the industry's first commercial RFID security auditing services -- and it's building an RFID security appliance as well, Dark Reading has learned.

RFID security has landed front and center during the past few months, with researchers demonstrating the ease of passport-hacking, card-cloning, and SQL injection attacks on RFID systems. Even so, many organizations still run less-secure, early-generation RFID systems, and do little to secure them. (See RFID Under Attack Again, Black Hat Cancels RFID Demo, HID, IOActive Butt Heads Again, and New RFID Attack Opens the Door.)

PacketFocus's new RFID security auditing service will identify policy and procedures for RFID, as well as check out reader and tag security, and how they are configured. "We'll look at passwords, RFID middleware, and how readers communicate with the middleware," says Joshua Perrymon, PacketFocus's CTO. "The service highlights potential vulnerabilities. You need to know what kind of risk you have in your network once you've brought RFID in."

Perrymon expects input validation -- filtering out irrelevant characters -- and how RFID tags and readers handle passwords to be the main weak spots the audits will detect, as well as any policy and procedures an organization has or has not configured, he says. PacketFocus will offer the RFID security auditing service under a under a new division called RFID Audit Group, he says.

Meanwhile, it's also developing an RFID security appliance that detects and reports attacks, called RF Defender, he says. The appliance, which will be priced between $40,000 and $50,000, will sit with the RFID reader, and can be used in both access-control and supply chain-type RFID environments, he says.

"The appliance has multiple sensors and integrates into the RFID environment. We not only look at the RFID reads, we correlate with the middleware and other layers to provide a holistic view of the RFID system. This allows us to correlate events and detect attacks in-depth," he says. The product will detect denial of service, and password-type attacks, for instance.

Perrymon, who says RF Defender won't be officially announced for a couple of months, acknowledges that the RFID security market is still young. "I know it's not huge right now, but it will be very huge in a couple of years."

The ultimate goal of the new RFID security auditing service, he says, is to flip-flop the conventional wisdom of going operational before securing the system: "We're going to do security before going operational."

RFID security expert Adam Laurie says RFID security auditing makes sense. "There's a need for it. At the moment it seems the industry has put blind faith in" RFID, he says. "I think this would be for people to be made aware of what actually are the potential security issues... And the sooner they are addressed, the better."

PacketFocus joins a relatively deserted RFID security market with few suppliers. Netherlands-based Riscure does RFID security testing, for instance, and there's a research project in Europe called RFID Guardian, an RFID firewall.

But Laurie, who at Black Hat Europe showed how it was possible to reprogram RFID tags and duplicate a legitimate user's building cardkey using code based on his RFIDIOt tools, says RFID devices such as a firewall may be overkill. "I think a lot of these are like using a sledgehammer to crack a nut."

Chris Paget, director of R&D for IOActive, says an RFID firewall or similar approach, may be irrelevant: "If the card in your pocket is insecure, there's not a lot you can do to protect the system. No matter what you do with it, it cannot be trusted," he says. Meanwhile, he says, he's interested in learning more about PacketFocus's RF Defender appliance's features.

PacketFocus expects the supply chain sector in automotive, pharmaceuticals, large retail, and the Defense Department to be the biggest draw for its RFID security audit service initially. Perrymon made sure the service syncs with the National Institute of Standards and Technology's (NIST) Guidelines for Securing Radio Frequency Identification Systems announced last month, which is aimed at retailers, manufacturers, hospitals, federal agencies, and companies that use RFID in their supply chains.

"NIST doesn't [address] RFID access control," Perrymon says. "But the beauty of [our service] is you can apply it to anything," including building-access systems.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • IOActive
  • National Institute of Standards and Technology (NIST)
  • PacketFocus Security Solutions
  • Riscure BV
  • RFID Guardian Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Threaded  |  Newest First  |  Oldest First
    Why Cyber-Risk Is a C-Suite Issue
    Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
    Black Hat Q&A: Hacking a '90s Sports Car
    Black Hat Staff, ,  11/7/2019
    The Cold Truth about Cyber Insurance
    Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-11-14
    Pomelo v2.2.5 allows external control of critical state data. A malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious at...
    PUBLISHED: 2019-11-14
    Unprotected Transport of Credentials in ePO extension in McAfee Data Loss Prevention 11.x prior to 11.4.0 allows remote attackers with access to the network to collect login details to the LDAP server via the ePO extension not using a secure connection when testing LDAP connectivity.
    PUBLISHED: 2019-11-14
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to execute database commands via carefully constructed time based payloads.
    PUBLISHED: 2019-11-14
    Path Traversal: '/absolute/pathname/here' vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to gain unintended access to files on the system via carefully constructed HTTP requests.
    PUBLISHED: 2019-11-14
    Unprotected Storage of Credentials vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows local attacker to gain access to the root password via accessing sensitive files on the system.