Tag Archives: insecure

Wireless Insecurity … a near constant state: RFID, Bluetooth, 802.11

The securing of information assets is the core to ensuring operational integrity for every business, and is supported by security and compliance safeguards.  The near constant stream of innovation over the past 10 years has provided near ubiquitous wire(less) connectivity to an abundant number of devices.  Matched equally to this innovation and connectivity is the transportability of data.  Of course the data must be transported and portable; however, it must be done in a manner that supports the organization’s entire strategic objectives.
The reality of wireless technology has reached a crescendo with regards to WIFI / 802.11 within the payment card industry where encryption and two factor authentication was required to leverage these technologies.  Due to a number of data breaches (presumably), specific wireless technology is being banned from the payment card network.  Guidance on the wireless guidelines may be found here.
These lessons – that wireless technology can be eavesdropped; that the data can float literally anywhere (for confirmation turn on your wireless network card on an airplane and fire up a DHCP gateway application); that the only way to secure it is through strong crypto and TWO factor authentication.  All of these seem clear, but the last one should be elaborated on to understand that risks of Bluetooth and RFID.
2 Factor authentication beyond ensuring the identity of the individual provides a far more important safeguard – that the user intended to make a connection and goes through the handshake process.  This does not exist in these other technologies, and creates a great deal of risk to the users of these systems.
To provide specific context to why Bluetooth and RFID are risky business without proper safeguards consider the following:

  • Bruce Scheiener’s post on how passport RFID is dangerous and susceptible to attacks.  Here is a Wired article with more details.
  • DefCon radio scanners “read” and “recorded” the information off of security badges from the attendees.  This is the most security conscious / paranoid group that you can assemble, and this scanner caught unsecured badges.
  • When attending it is near unanimous that all wireless radios should be disabled
  • The data on these RFID type devices contains things as simple as identifiers to full names and departments.

(iphone focus of post, but applicable to all such capable devices) prior to getting on a plane TO Blackhat / DefCon.  The reason is simple: it is near certain that someone is running a scanner.

In the end these technologies do provide essential functions, but should cautiously deployed where security can be ensured and is tested properly.  Care should be given to the information applied to these transmitting devices.
NIST has a nice document here (800-98)

Other recommendations?

James DeLuccia