Tuesday, June 26, 2007

RFID sniffing could be used by spies and criminals to commit all kinds of dastardly deeds!

Dark Reading wrote about a pretty scary flaw in RFID technology this week. Apparently, it's now possible for corporate spies and even organized retail criminal types to "sniff" RFID chips in a cargo container and use the information to commit a dastardly deed.

Apparently, truckers will be particularly vulnerable to being "sniffed" (compromised). Of course, if you use a little imagination, sniffing RFID might put more than "truckers" at risk, also.

From the story in Dark Reading:

That means your competitor could use this information for intelligence purposes. "He could get an idea of what you are shipping and how much, and how often," Perrymon says, adding that an attacker could also write to those tags, either disabling or changing them if you don't apply the proper authorization and passwords to your EPC system. That's PacketFocus's next step in its research.

And sniffing the truck's payload could also provide criminals with intelligence they wouldn’t otherwise be able to get very easily, thus helping them target their holdups or other heists, he says. "Unless they had a lot of inside information, they don't have enough information to rob that truck. Now they can scan it if it's not secure -- they don't want to rob that toilet paper truck, but if it's got plasma TVs with surround sound, [that's their] target."

RFID has been pushed by retailers, such as Walmart, and the military (not mentioned in the Dark Reading article). The Department of Defense now uses RFID to monitor it's supply management system.

Stealing shipments of plasma TVs is one thing, but on a personal level, I'm a little more worried about how some of this technology might be used by those with more sinister intentions than stealing high-tech merchandise.

So far as the passwords mentioned in the article -- easily compromised by the Packet Focus folks, they can be made more secure -- but passwords are hacked by software and more social methods, fairly frequently.

All it takes is one dishonest person with access to one, or even a honest person, who is tricked into giving up one to compromise an entire system.

Hacking for Dummies has an interesting write-up on how passwords are hacked, here.

Besides that, the bad guys are always coming up with new exploits to defeat security fixes.

Interestingly enough, according to Wikipedia, RFID's predecessor was invented by a Soviet inventor as a tool to commit espionage. It also was used the World War II era for a lot of military applications.

Perhaps, in this case, history (or the original intent) should give us a little perspective on RFID?

In the recent past, government experts have seen China show an interest in stealing (hacking) logistics (supply) information. Here is a post, I wrote about that:

How Dangerous is China

Dark Reading's interesting article, here.

I've written a few posts about RFID and it's potential abuses, which can be seen, here.

Dark Reading got it's information for the article from PacketFocus Security Solutions, which is a company that performs what is known as "ethical hacking" for the public at large. Ethical hacking is where good guys test vulnerabilities in technology to stay ahead of the bad guys.

There might very well be some useful applications for RFID, but we need to slow down, and consider the safety implications before continuing to have this technology take over our daily lives.

It's not worth the money a very few people are making off it!

1 comment:

daniel said...

Do we really need the use of RFID's?
Seems there are easily compromised.
FTGF!