August 29, 2006
Hacking Your Own RFID System To Reduce Risks
Hackers are usually labelled a disruptive lot, but sometimes they are exactly what you need to test a system. Enter the guys from Pure Hacking, professionals who perform what is called ethical hacking - hacking by permission - to test flaws and find potential security problems. While they cover a number of industries, they are focusing expertise in RFID systems, which have been the subject of much media coverage in relation to security issues. [via RFID Journal]
The Pure Hacking team actually uses a structured auditing process for all their tests, RFID-related or otherwise, and even offer an accredited anti-hacking course (non-RFID specific). I'm making an educated guess and saying that a lot of the techniques used to test software is very applicable to RFID systems. An RFID system may be the sum of its parts, but most especially it's the middleware that drives everything. Thus the many system vulnerabilities likely lie in the latter, in terms of allowing access to data. (I'm focusing on in-house issues, not what happens to a tagged item outside of your company. That's another aspect I'll try to discuss later.)
So if you are considering implementing RFID in your organization, it's important that you understand the data access process, even in broad terms. How do you want tag information to be accessed and updated? Do you need to implement layers of authorization for different roles in the company? Do you want a different layer of data available to the companies you supply parts and goods to? Human workflow is just as important as machine workflow. How do you intend for humans and machines to interact in terms of your RFID system? These are the kinds of questions consultants will ask you, before they even consider RFID solutions for implementation.
I know I'm being a bit vague here, but your company needs will vary by industry. I'll try to get into specific case studies in the future. For now, you can write out your intended workflow details, sketch out rough diagrams, and most certainly make a list of any questions that occur. If you can think of your own "penetration testing" test suite items, jot them down as well. There's a lot to consider here, but assessing your workflow ahead of time, before bringing in any consultants, helps you to be prepared with questions to ask. Knowing potential vulnerabilities ahead of time will help ease you through future hiccups.
--
Did you enjoy this post?
« Future Opportunities: RFID Law | Main | Item-Level RFID Tag Use To Undergo Huge Growth »
