Will hackers target the doors of corporate lobbies, or one-swipe payment cards used at gas stations and supermarkets? How about pets?
Those questions — all tackled in research or proof-of-concept (PoC) exercises — are likely on the minds of security pros planning to deploy radio frequency identification (RFID) or Bluetooth technology across their enterprise. Researchers at Vrije Universiteit Amsterdam even used the RFID tags that identify pets as an example to demonstrate how a hacker could “infect” these devices with a virus.
However, these threats, for now, have extended only as far as research labs or a hacker's basement wall. That lack of true “wild” threats taking advantage of these attack vectors may be a reflection of the technology's novelty, at least in comparison to Wi-Fi and other mobile communication methods widely used in corporate environments. But the existence of PoC exploits — demonstrated at trade shows — speaks to the market trends that show RFID and Bluetooth deployment increasing in coming years, says Craig Schmugar, threat research manager at McAfee Avert Labs.
“There's definitely been a number of PoCs highlighting the implementation of these technologies — and some of those were rushed to market — and it speaks to the ambitions of getting RFID widely deployed and utilized and its ability to decrease overhead. So security, which would've taken more time to get reviewed and reiterated, would've delayed getting that to market and increased the cost,” says Schmugar.
Threats and privacy concerns
IT pros also are aware that RFID tags and their readers may become a target for hackers zeroing in on retail and manufacturing verticals, where the technology has had the most significant impact because of decreased costs in tracking inventory. But the technology has not been without its share of controversy, especially from individuals worried that the tags could disclose personal information, and from corporations concerned that a misused reader can expose company information, according to Forrester analyst Jennifer Albornoz Mulligan.
“There have been a lot of articles on privacy issues with RFID. People have taken the angle that it's a personal privacy issue, and it's also an enterprise privacy issue,” she says. “Someone could use the tags to snoop on a company and get information about the processes, a little more than they could in some other ways.”
RFID security concerns often depend on how much contact consumers, and their personal and financial information, have with the deployed technology. Corporations are at little risk of a headline-grabbing data breach if RFID tags are being used primarily to track retail goods, but CSOs have more reason to be concerned when the technology is used to store credit or debit card details, says Ari Juels, chief scientist and director of RSA Laboratories.
“In the supply chain, because the tags are not reaching the consumers, there are physical security measures in place that are usually adequate,” he says. “RFID tags are also used in credit cards, and some people have expressed privacy and security concerns in that domain.”
Keeping threats out of range
Meanwhile, companies from various industry verticals and sizes from Wall Street to Wichita are deploying Bluetooth headsets. Most security concerns here are caused by a headset's ability to “pair,” or make contact and share communications with, the mobile device itself. The problem for attackers: Pairing handshakes take place within a few feet of the mobile device, meaning that until the range is increased, hackers would have to be within shouting distance of a victim for a successful attack, says Juels.
“I do think the range will grow. Bluetooth is only one of the host of wireless technologies. There will be many chattering devices for users of headsets and other wireless technologies,” he says.
Encryption is present when a Bluetooth device successfully connects to a mobile device, but some experts doubt whether that safeguard will be sufficient as ranges expand. In urban environments and office buildings, that loophole could prove to be enough to stage successful attacks, says Chris Novak, principal consultant at Cybertrust.
“There are some concerns as to whether the encryption is strong enough in pairing when you set up a conversation with another device — that's the weak point in Bluetooth. As the distances and the ranges expand, there's much more of a chance that someone could hear the pairing conversation you're having,” he says.
How would an attacker try to cull personal information from a mobile device while using a Bluetooth connection? Some experts say that they could use a technique that's proven effective on PCs: phishing. But for such an attack to be successful, a hacker would have to send a convincing short messaging service (SMS) note to a victim, says Joe Stewart, senior security researcher at SecureWorks.
Luckily for security professionals looking to deploy these mobile technologies, Bluetooth and RFID follow in the footsteps of another mobile technology: Wi-Fi. The complaints of IT pros that Wi-Fi's originators did not take security concerns seriously enough are a lesson well learned by researchers working on the next generations of Bluetooth and RFID devices. Developers and service providers are now more careful to build security into the service from the get-go. These additional precautions should allow security professionals to concentrate on other issues, says Stewart.