The Security Implications of RFID

A look at the benefits and weaknesses of the technology


• Unauthorized access to sensitive physical assets (someone scanning for information tagged as sensitive in and around office space — even the garbage — inside the building);

• Unauthorized access to sensitive physical areas (someone cloning proximity cards and gaining access into secured locations such as data centers);

• A facilitator of social engineering (someone using cloned information that appears legitimate to a computerized access control system but obviously fraudulent to an experienced eye had a person been involved in the process);

• Denial of service attacks that lead to business continuity issues (someone attacking the RFID network infrastructure or zapping RFID tags altogether using homemade tools); and

• Malware exploits that lead to sensitive information exposure (someone uses a malicious RFID chip to cause software to crash, exposing sensitive information on the supporting RFID infrastructure — see www.rfidvirus.org).

Look at what really matters here:

1. Are any of these RFID attacks possible in your environment and in the context of your systems?

2. Are there known threats that can and will exploit any weaknesses?

3. What can you do to protect the business assets under attack?

You may find out that RFID isn’t really a concern for your business yet and may seem to be more of a threat to your personal life. Either way, it pays to educate yourself in this area and to be prepared with a plan of action.

The good news is there are a lot of smart people working on ways for us to get our arms around RFID security. From rolling codes and challenge/response authentication to shielding and localized RFID jamming, the solutions are on the way. It is just a matter of whether or not they are too late to the punch and if anyone will bother implementing them.
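Of the mitigations just listed, challenge/response authentication is the one aimed squarely at the card-cloning scenario above. The following Python model is added here as an illustration and is not part of the original article: it contrasts a static-ID proximity reader, which a clone built from one sniffed read can satisfy, with a reader that demands a fresh keyed response on every read. The tag classes, badge id and key are constructed assumptions, not a real product's protocol.

```python
import hashlib
import hmac
import secrets

CARD_UID = b"badge-0042"            # constructed sample badge id (hypothetical)
CARD_KEY = secrets.token_bytes(32)  # constructed per-card secret, shared with the reader

class StaticIdTag:
    # Plain proximity tag: emits the same identifier no matter what the reader asks.
    def __init__(self, uid):
        self.uid = uid
    def respond(self, challenge):
        return self.uid, b""  # identifier only, no proof of key possession

class ChallengeResponseTag:
    # Tag that proves it holds the card key by MACing the reader's fresh challenge.
    def __init__(self, uid, key):
        self.uid, self.key = uid, key
    def respond(self, challenge):
        return self.uid, hmac.new(self.key, challenge, hashlib.sha256).digest()

class ClonedTag:
    # Clone built from one sniffed exchange: replays the recorded answer verbatim.
    def __init__(self, recorded_answer):
        self.answer = recorded_answer
    def respond(self, challenge):
        return self.answer

class Reader:
    def __init__(self, keys, require_proof):
        self.keys = keys                    # enrolled uid -> card key
        self.require_proof = require_proof  # False models a static-ID reader
    def authenticate(self, tag):
        challenge = secrets.token_bytes(16)  # fresh nonce on every read
        uid, proof = tag.respond(challenge)
        key = self.keys.get(uid)
        if key is None:
            return False
        if not self.require_proof:
            return True  # the identifier alone opens the door
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

def clone_resistance():
    # Returns (static reader accepts clone, challenge/response reader accepts clone).
    keys = {CARD_UID: CARD_KEY}
    static_clone = ClonedTag(StaticIdTag(CARD_UID).respond(b"ignored"))
    cr_clone = ClonedTag(ChallengeResponseTag(CARD_UID, CARD_KEY).respond(secrets.token_bytes(16)))
    return Reader(keys, False).authenticate(static_clone), Reader(keys, True).authenticate(cr_clone)
```

The replayed answer opens the static-ID reader but fails the challenge/response reader, because the recorded MAC was computed over a challenge the reader will never issue again.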

In the not-so-distant future, we are not only going to have networks of information but also networks of “things” all throughout our business environments. We now have to look at protecting our business assets below the traditional information security level that we are accustomed to. I’m not saying that everything containing an RFID tag is going to be hacked or abused, but I do believe that the realm of information security control is going to grow by leaps and bounds in the coming years.

It would be wise of us to broaden our time perspective and start thinking about how we are going to keep everything in check. This stuff is not going away.

Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent information security assessments. He has authored/co-authored seven books on information security including “Hacking for Dummies,” “Hacking Wireless Networks for Dummies,” and “Securing the Mobile Enterprise and Laptop Encryption for Dummies” (Wiley). He is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at kbeaver@principlelogic.com.