Black Hat event highlights RFID and VoIP security threats
Conference attendees also get a lesson in de-perimeterization.
By Ellen Messmer, Network World, 08/01/2005
LAS VEGAS - The Black Hat conference - an annual event where security professionals get in touch with their inner hacker and
vice versa - has for nine years been a stage for detailing new security exploits and sharing visions of the future.
News last week was dominated by the saga of security researcher Michael Lynn, who defied his employer Internet Security Systems by delivering a forbidden presentation on hacking unpatched Cisco routers - and was subsequently sued by ISS and Cisco. But Black Hat had much more, including:
- Phil Zimmermann, the fabled inventor of Pretty Good Privacy (PGP) encryption for e-mail, unveiled plans to bring encryption
to VoIP phones.
- The Jericho Forum, a group of multinational corporations that want to better secure e-commerce by pushing security controls further into networks
and away from the perimeter, showcased technologies it said represent that vision.
- Throughout the conference, security experts showed how easy it could be to disrupt wireless networks or pillage data repositories.
Among the darker demonstrations, Kevin Mahaffey, director of development at Flexilis, operated a radio-based voltage-controlled
oscillator that acted as a disrupter that could shoot a frequency beam at an RFID reader. As it emitted a shrill whine, the
RFID disrupter jammed the reader or eliminated a comprehensive reading of RFID tags, which in actual use could play havoc
with supply-chain operations using the tags.
"This can take away the ability to read tags reliably," Mahaffey said. He added that there also are ways to sniff RFID tags,
clone the information and commit fraud by wrongly tagging goods. Use of public-key encryption would likely be the best way
to counter or identify these types of threats, but this is still rare in the RFID world.
Experts on the panel suggested that although the threat appears minor at this point, it is a cause for concern.
Paul Simmonds, chief information security officer at chemical and paints manufacturer ICI in the U.K., said corporations in
retailing and the grocery industry use RFID tags to speed delivery of goods so they don't have to unpack them to identify
them.
But as a maker of a premium line of house paints, ICI would be concerned if its goods were fraudulently marked down in a two-for-one
sale through some form of RFID spoofing. "People can get away with theft with this," Simmonds said.
As the session turned to the subject of government use of RFID tags in passports - which the U.S. has said it intends to implement - the panelists expressed concern that sufficient security controls might not be in place to prevent identity theft.