
RFID - Old Dog. New Tricks? Old Exploits!

Ok, so everyone has heard about RFID (pronounced Are Eff Eye Dee by some, "arf-id" by others) by now. We've all used it, guaranteed to five 9's of percentage likelihood. (Don't believe me? Ever bought anything? At Target, Wal-Mart, or almost any other retailer?) Many agencies and corporations use it for their campus access, at least for building perimeters in the form of an ID badge that lets you in a door when you swipe the badge over a reader.

It turns out that Joshua Perrymon of PacketFocus Security Solutions has confirmed that many RFID vendors are vulnerable to...get this...SQL Injection from a tag that has been encoded with the specifics of the attack. From the Dark Reading article (the only source of information I can find at the moment), neither the badge readers nor the back-end systems do any input validation, so a specially crafted data stream from the card can cause the device to receive a valid reply.

Ok, I have a big huge problem with this. SQL Injection? Come on, folks. We've been aware of and responding to this threat for several years now. Gary McGraw and John Viega talked about these things six years ago in Building Secure Software. Web scanning companies are building entire products on just this sort of exploit. We preach secure application development all the time. How in the world can our physical security applications be vulnerable to this?
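To make the point concrete, here is the pattern in miniature as an added example (not code from the article or from PacketFocus's research): a badge lookup that splices the tag data straight into SQL, beside one that allowlists the tag format and binds it as a query parameter. The table name, columns, 8-hex-digit tag format, sample rows and the crafted tag string are all assumptions constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: a badge table as a facility back end might hold it.
# Tag IDs are assumed to be 8 hex digits; table name and columns are assumptions.
SAMPLE_BADGES = [("0A1B2C3D", "alice", 1), ("DEADBEEF", "bob", 0)]

# Constructed tag payload: the classic tautology, as a tag with no validation
# anywhere in the path would deliver it to the query below.
CRAFTED_TAG = "X' OR '1'='1"

TAG_RE = re.compile(r"^[0-9A-F]{8}$")


def make_db():
    """Build an in-memory badge database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE badges (tag TEXT PRIMARY KEY, holder TEXT, active INTEGER)")
    conn.executemany("INSERT INTO badges VALUES (?, ?, ?)", SAMPLE_BADGES)
    return conn


def validate_tag(raw):
    """Allowlist check: accept only exactly 8 uppercase hex digits."""
    return bool(TAG_RE.match(raw))


def lookup_vulnerable(conn, raw_tag):
    """The pattern the article describes: tag bytes concatenated into SQL.

    With the crafted tag the WHERE clause becomes
    tag = 'X' OR '1'='1' AND active = 1, which matches any active badge,
    so the reader gets a valid holder back for a badge that does not exist.
    """
    sql = "SELECT holder FROM badges WHERE tag = '%s' AND active = 1" % raw_tag
    return conn.execute(sql).fetchone()


def lookup_safe(conn, raw_tag):
    """Hardened form: reject malformed tag data, then bind it as a parameter."""
    if not validate_tag(raw_tag):
        return None
    return conn.execute(
        "SELECT holder FROM badges WHERE tag = ? AND active = 1", (raw_tag,)
    ).fetchone()
```

Either fix alone closes this particular hole; doing both means a tag that slips past one layer still cannot reach the database as SQL.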

Thanks to Josh for the work in releasing the initial info, and we are all looking forward to further disclosure on the problem, the fix, and how to go about finding and closing similar exploits.
