PacketFocus next week will launch one of the industry's first commercial RFID security auditing services -- and it's building an RFID security appliance as well, Dark Reading has learned.
RFID security has landed front and center during the past few months, with researchers demonstrating the ease of passport-hacking, card-cloning, and SQL injection attacks on RFID systems. Even so, many organizations still run less-secure, early-generation RFID systems, and do little to secure them. (See RFID Under Attack Again, Black Hat Cancels RFID Demo, HID, IOActive Butt Heads Again, and New RFID Attack Opens the Door.)
PacketFocus's new RFID security auditing service will identify policy and procedures for RFID, as well as check out reader and tag security, and how they are configured. "We'll look at passwords, RFID middleware, and how readers communicate with the middleware," says Joshua Perrymon, PacketFocus's CTO. "The service highlights potential vulnerabilities. You need to know what kind of risk you have in your network once you've brought RFID in."
Perrymon expects input validation -- filtering out irrelevant characters -- and how RFID tags and readers handle passwords to be the main weak spots the audits will detect, along with any policies and procedures an organization has or has not put in place. PacketFocus will offer the RFID security auditing service under a new division called RFID Audit Group, he says.
Meanwhile, the company is also developing RF Defender, an RFID security appliance that detects and reports attacks. The appliance, which will be priced between $40,000 and $50,000, will sit alongside the RFID reader and can be used in both access-control and supply-chain RFID environments, he says.
"The appliance has multiple sensors and integrates into the RFID environment. We not only look at the RFID reads, we correlate with the middleware and other layers to provide a holistic view of the RFID system. This allows us to correlate events and detect attacks in-depth," he says. The product will detect denial-of-service and password-type attacks, for instance.
Perrymon, who says RF Defender won't be officially announced for a couple of months, acknowledges that the RFID security market is still young. "I know it's not huge right now, but it will be very huge in a couple of years."
The ultimate goal of the new RFID security auditing service, he says, is to flip-flop the conventional wisdom of going operational before securing the system: "We're going to do security before going operational."
RFID security expert Adam Laurie says RFID security auditing makes sense. "There's a need for it. At the moment it seems the industry has put blind faith in" RFID, he says. "I think this would be for people to be made aware of what actually are the potential security issues... And the sooner they are addressed, the better."
PacketFocus joins a relatively deserted RFID security market with few suppliers. Netherlands-based Riscure does RFID security testing, for instance, and there's a research project in Europe called RFID Guardian, an RFID firewall.
But Laurie, who at Black Hat Europe showed how it was possible to reprogram RFID tags and duplicate a legitimate user's building cardkey using code based on his RFIDIOt tools, says RFID devices such as a firewall may be overkill. "I think a lot of these are like using a sledgehammer to crack a nut."
Chris Paget, director of R&D for IOActive, says an RFID firewall or similar approach may be irrelevant: "If the card in your pocket is insecure, there's not a lot you can do to protect the system. No matter what you do with it, it cannot be trusted," he says. Meanwhile, he says, he's interested in learning more about the features of PacketFocus's RF Defender appliance.
PacketFocus expects the supply chain sector in automotive, pharmaceuticals, large retail, and the Defense Department to be the biggest draw for its RFID security audit service initially. Perrymon made sure the service syncs with the National Institute of Standards and Technology's (NIST) Guidelines for Securing Radio Frequency Identification Systems, announced last month, which are aimed at retailers, manufacturers, hospitals, federal agencies, and companies that use RFID in their supply chains.
"NIST doesn't [address] RFID access control," Perrymon says. "But the beauty of [our service] is you can apply it to anything," including building-access systems.
Kelly Jackson Higgins, Senior Editor, Dark Reading