Packet Focus Security Research

Packet Focus Security Research

A lot has been going on lately.... Work has been very busy as well as personal life ;)
Learning to Surf in Australia on my time off...

Eweek contacted us about RFID security at the Olympics and the World Cup. Nothing big here... Each ticket has an embedded RFID chip with a unique ID-
When people walk into the stadium the ticket is scanned and the ID is accosiated with the personell info provided when buying the tickets initially.
I don'thave problems with RFID when it's used effectivily ( US DoD for example-- Inventory Management )

But when using RFID for identification there are certain implied risks- This shouldn't be a problem for ticket ID's as long as the ID is unique and doesn't prvide an attacker with the ability to identify ticket holder information. The risk I see with this is input validation on the RFID scanners as the ticket holders walkthrough. In theory a SQL injection could be burned to an RFID chip and parsed by the backend database upon scanning. This would be a one=shot attempt and would be hard to gain outside / backdoor access with one shot.

However, RFID systems such as the one mentioned above should ensure proper input validation is performed on RFID input and integrate this into the SDLC.

The REAL risk;

The risk I see with RFID is mainly when used as physical access cards. It's trivial to sit outside a large downtown corp and sniff rfid ID's. This can then be burned to a generic ID card and used to access the building.

This is mostly theory but should easily be reproduced with commercial tools.

Josh Perrymon
CEO
PacketFocus
www.packetfocus.com
josh.perrymon@packetfocus.com