Security Resources

Archive for the General Site Category

Shutterfly RFID Tags – A Closeup Look

As most know, the adoption of Radio Frequency Identification (RFID) technology by U.S. retailers has been very slow – even among companies that operate exclusively out of manufacturing centers and warehouses, where RFID is easier to deploy (compared to brick-and-mortar retail). When examining a recent Shutterfly order, it appears that the online provider of photo prints and gifts decided to take the plunge and use disposable tags as part of their order fulfillment process. I took a few pictures (below) for those interested. The chip and antenna were secured on a clear substrate stuck to the shrink-wrap that surrounded my order. It was difficult to spot, and I almost threw it away.

This is the first time I’ve found tags on made-to-order products like these…

BYOD InfoGraphic

Here is a visual summary of the Bring-Your-Own-Device trend, and the impact on IT and data security. I did not personally review the sources for the statistics – and some of them are probably debatable – but it is interesting nonetheless… You can click the image to read the original post and view a larger version.

Why You Should Care About Mobile Security

Infographic by Veracode Application Security
12-07-2012 Additional Reading on BYOD

Printer Backdoor Found – Lessons for Security Equipment Manufacturers

As reported by Parity News and others, certain Samsung printers (as well as some Dell printers manufactured by Samsung) have been found to contain a hardcoded SNMP “community string” with administrative privileges that remains active even when SNMP is turned off. This could allow a remote attacker to take control of the device, and potentially use it to launch attacks or otherwise compromise the integrity of the printer and network. This type of vulnerability has been seen in copy machines and printers before, but it is a reminder that unused or undocumented capabilities in network devices can be a very weak link.

Consider the multitude of IP cameras, some of which have already been shown to contain similar weaknesses, then add the growing range of network-enabled alarm panels, access control devices, DVR/NVRs, and EAS pedestals. Even large manufacturers who have deep expertise in network security are not immune, as the Samsung story illustrates, so as an industry we will need to partner closely with IT to add layers of protection where they make sense. Some of the precautions insisted upon by experienced CIO/CSOs, like network isolation and port/IP filtering, will need to make their way down into smaller deployments to reduce the chances of a flaw being exploited. Integrators are wise to take these potential threats seriously when designing a system.

Here is the US-CERT Vulnerability Report
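Because the hardcoded community string stays active even when SNMP is “turned off” on the device, the printer itself cannot be trusted to enforce the restriction; the check has to live on the network. The script below is an added example written for this post (not from the article, US-CERT or any vendor): it reads a simplified, constructed flow-log format of `<timestamp> <src_ip> <dst_ip> <proto> <dst_port>` and flags any SNMP request (UDP/161) to the printer subnet that did not originate from the designated management host. The subnet (`10.20.30.0/24`), the management host (`10.0.0.5`) and all sample records are assumptions.

```python
"""Flag SNMP traffic to printers that does not come from the management host.

Added example for this post, not code from the original article or from any
printer vendor.  Assumed values: a printer subnet of 10.20.30.0/24, a single
SNMP management host at 10.0.0.5, and a constructed flow-log line format of
"<timestamp> <src_ip> <dst_ip> <proto> <dst_port>".
"""
import ipaddress
from dataclasses import dataclass

PRINTER_SUBNET = ipaddress.ip_network("10.20.30.0/24")   # assumed printer VLAN
MANAGEMENT_HOSTS = {ipaddress.ip_address("10.0.0.5")}    # assumed NMS host
SNMP_AGENT_PORTS = {161}   # requests to the agent; traps (162) go the other way


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line):
    """Parse one constructed flow record; raise on anything malformed."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError(f"malformed flow record: {line!r}")
    ts, src, dst, proto, dport = parts
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def is_unauthorized_snmp(flow):
    """True when a non-management host sends an SNMP request to a printer."""
    return (flow.proto == "udp"
            and flow.dport in SNMP_AGENT_PORTS
            and flow.dst in PRINTER_SUBNET
            and flow.src not in MANAGEMENT_HOSTS)


def audit(lines):
    """Return the flows that violate the 'SNMP from management only' rule."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue      # skip blanks and comment lines in the constructed sample
        flow = parse_flow(line)
        if is_unauthorized_snmp(flow):
            findings.append(flow)
    return findings


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = """
# management host polling a printer: allowed
2012-12-01T09:00:01 10.0.0.5 10.20.30.17 udp 161
# workstation sending SNMP to a printer: flagged
2012-12-01T09:00:07 10.50.1.23 10.20.30.17 udp 161
# raw print job on 9100: not SNMP, ignored
2012-12-01T09:00:09 10.50.1.23 10.20.30.17 tcp 9100
# a second unexpected poller: flagged
2012-12-01T09:00:15 10.50.1.88 10.20.30.44 udp 161
# trap from printer back to the manager: ignored
2012-12-01T09:00:20 10.20.30.17 10.0.0.5 udp 162
# SNMP to a host outside the printer subnet: out of scope here
2012-12-01T09:00:22 10.50.1.23 10.60.0.9 udp 161
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f.ts} unauthorized SNMP {f.src} -> {f.dst}:{f.dport}")
```

Run against real flow or firewall logs, the same logic doubles as a test that the port/IP filtering the post recommends is actually in place: once the filter is working, the only SNMP requests that reach the printer VLAN should be the management host’s, and the script should return nothing.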

Bluetooth Low-Energy Tracking – For Wallets!

When most people think about tracking people or things, RFID and GPS probably come to mind first. That’s not to say there aren’t plenty of other technologies just waiting to be put to good use. The Wallet TrackR is a project that uses Bluetooth Low-Energy to maintain contact between a small device and a smartphone or tablet. From their website:

“The Wallet TrackR fits easily into any wallet – just like a credit card. When combined with the free Wallet TrackR iPhone app, it becomes a powerful new tool to keep you from losing your wallet. When the Wallet TrackR gets separated from your iPhone or iPad, the Wallet TrackR app gently alerts you that you may be leaving your wallet behind. The app also takes a GPS snapshot of where your wallet was at the moment of separation in case you didn’t hear the alert. Tap a button within the app to make your wallet “ring” in case you’re looking for it around the house or in the dark. The technology works both ways, which means your wallet can beep to alert you that you’re leaving your phone behind. Works with your iPhone 4S, iPhone 5, new iPad, iPad mini and the new iPod Touch.”

Just like low-power mesh RF networks (802.15.4 / Zigbee) have shown promise as a tool for tracking objects and collecting data, Bluetooth Low Energy may enable interesting security and product protection solutions. The range, of course, will be much shorter – but the popularity of Bluetooth in existing handheld platforms makes it an intriguing option to explore.

The Wallet TrackR is still seeking backers for its first production run. I signed up for one, and will update this post when it arrives…

LTE Wireless Jamming – Anchor Post

This post will be updated periodically with information related to 4G / LTE vulnerabilities and strengths.

A post on ExtremeTech analyzed a claim published by MIT Technology Review that LTE networks can be shut down using a “simple jamming trick” utilizing a cheap software-defined radio. Their assessment was that it would be far more difficult than implied by the authors – both in terms of practicality (large transmit power requirements) and scope (attacks would affect close range devices only – not a whole geographic area).

Nevertheless – and unsurprisingly – it appears that LTE devices may be vulnerable to specific methods of jamming, just like other common wireless systems. As always, where wireless is used for security communication, multiple paths are a necessity.

Further reading: MIT Technology Review Publication and Virginia Tech Response to NTIA RFC

60 Years of the Barcode

If you’re interested in learning about how the barcode came to be, its practical uses, and how industries have implemented the technology today, check out the infographic below, courtesy of Wasp Barcode:

60th anniversary of the barcode

War Dialing for the 21st Century

You’re probably familiar with the term “war dialing” – but just in case – it refers to the practice of scanning a large block of phone numbers, attempting to connect to a modem or other device – usually for the purpose of hacking into systems. This can be done at random, in the sense that a hacker is just looking for anything they can find, or it can be used as a targeted attack by scanning numbers likely to be associated with a particular target. In the days when almost all connections were handled with dial-up modems, war dialing was a popular sport – but you might assume that in the modern world, there wouldn’t be much left to find… unfortunately, you would be wrong.

In a recent interview broadcast by the online show Hak5, two modern variations were described in detail. The first is the one most are familiar with: scanning the Internet for vulnerable targets. Shodan, one of the search sites referenced (via a link to Matt Krebs’ article) in my recent post about industrial controller vulnerabilities, was discussed as a popular way for hackers to jump-start their work, since a user can search and sort results to look for specific types of systems. The ability to script against Shodan’s database was also given as an example of how a hacker can automate connecting to large numbers of systems. In a creative example, the hacker detailed how he set up a script to take a screenshot of each system’s login/connection screen, which allowed thousands of sites to be reviewed and sorted before any actual hacking took place. Larger screenshot file sizes, for example, might point to more interesting targets because they are serving up logos, splash screens and other graphics.

It wasn’t only the enterprise systems that piqued the hacker’s interest, however, since searching through the Shodan data also yielded a number of smaller, unsecured systems – whose operators probably never considered they would be found online. These included red-light cameras, SCADA devices, and in one case, a power plant monitoring system.

The second interview described a method of conducting modem-based war dialing scans, using VOIP connections to contact landlines. Of particular concern was the report that enterprise-class routers are often found connected to telephone lines, without adequate security, to allow remote access when IP networks go down. Speculation was that the administrators simply didn’t think about securing these connections, focusing instead on the far more “obvious” network-based attacks.

Aside from the mention of security cameras being a common search on Shodan, there was little attention given to the large number of security devices connected to both networks and telephone lines. Alarm control panels, in particular, have escaped widespread hacking only because most use non-standard connection methods over PSTN and/or require special sequences to initiate a connection. As these systems move onto the Internet, they are certain to become more popular targets.

Definitely more to come…

Widespread Industrial Controller Vulnerability

Digital Bond, a control system security consulting company, released information about a critical vulnerability in numerous programmable logic controllers (PLCs) and other hardware used to automate everything from motors to complex industrial processes. The affected software is known as the CoDeSys ladder logic system, from 3S Software GmbH. CoDeSys is used by 261 manufacturers of control equipment to execute programming and operate connected devices. Essentially, Digital Bond discovered that the software allows a remote connection without user authentication. They created Python scripts that take advantage of this lack of security and provide a method for executing commands and gaining access to data on the devices.

This vulnerability could have major implications for public utilities, manufacturing plants, and anywhere else this type of valve, motor, and system control is used. Of particular concern are controllers that are exposed on the Internet, but even systems behind a firewall are likely to be targeted, given the nature of the weakness and the simplicity of the exploit.

More information about Digital Bond’s findings and the Python scripts can be found here.

The U.S. ICS-CERT issued an alert as a result of the above, and Matt Krebs wrote an informative blog post that expands on the issue. In it, he notes that the availability of online search tools that scrape the Internet looking for all types of connected devices (including PLCs) make this problem even more serious. It appears, at present, that even the most novice hacker could launch an attack on exposed controllers, possibly causing severe damage or disruption of service.

At least for now, it would be prudent to isolate these devices – especially in cases where they control critical processes/equipment. Of course, it would be nice to think such measures were already in place for such important applications – but we know better.

Security and Theft Videos

RFID and Zigbee Hacking – Security Directors Beware…

In the security world, few technologies have become more entrenched than proximity-based access control. The cards and readers are everywhere – and overall, they provide a level of convenience and security that far exceeds the systems they replaced, such as mechanical locks, barcodes, magnetic stripes, and the like. A typical access card operates in the same manner as an RFID tag – since it is essentially the same thing. A reader emits RF energy, which energizes a coil inside the card and powers a small circuit; that circuit, in turn, communicates a unique ID number back to the reader. There are many data formats and matched reader/card frequencies involved, but almost all systems operate in this (simplified) manner.

Over the years, there have been many documented examples of proximity access control hacking, from card emulation and brute-force transmissions at the reader to surreptitious card data capture. So with that in mind, why revisit the subject here? The answer lies in the proliferation and rapidly declining cost of RFID components and other low-energy RF communications, which are poised to transform the way in which we connect and interact with systems and assets of all types.

The growing popularity of RFID tagging (especially in retail), environmental monitoring, intelligent edge devices, and building automation has spurred the development of a wide range of wireless/RF-enabled data collection and triggering. Examples include Zigbee (and similar 802.15.4 products), advanced RFID readers, and Z-Wave. For some developers, security is an afterthought, since the equipment is believed to be so obscure and/or specialized that it is unlikely to be attacked. What we are beginning to see, however, is that the same tactics used by “war-drivers” in the early days of commercial WiFi can expose insecure platforms and potentially open the door (pun intended) to serious security problems.

The good news is that security can be engineered into most of these platforms – in fact, it is often a core component – but it must be “switched on” and used properly. Follow the links below to read about some of the vulnerabilities and hacks that exist today. In practice, being aware of the potential for hacking – especially with immature products, proximity cards, and the like – will help you make good design decisions. For example, once you understand how an access badge can be cloned, you probably won’t allow that badge to also disarm your alarm system, even if the vendor promotes it as a convenience feature. Likewise, if you are testing a new Zigbee-based data collection solution in your retail store, have a discussion with your vendor about how security has been implemented – and even if you like the answer, keep that network isolated until it is well-proven.
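A cloned badge reports the same ID as the original, so the reader cannot tell them apart; what a security director can do is watch the access-control event log for reads that no single physical card could produce. The script below is an added example written for this post (not code from the article or from any access-control vendor). It assumes a constructed event-line format of `<ISO timestamp> <reader_id> <card_id> <result>` and an assumed table of minimum transit times between readers, and it flags consecutive granted reads of one card at two readers closer in time than anyone could move between them.

```python
"""Flag access-badge reads that suggest a cloned credential.

Added example for this post; not code from the article or from any
access-control vendor.  Assumptions (all constructed): event lines in the form
"<ISO timestamp> <reader_id> <card_id> <result>", reader names, card IDs, and
the minimum transit times between readers.  Two accepted reads of the same
card ID at two readers closer in time than a person could travel between them
mean the ID exists on more than one physical credential.
"""
from datetime import datetime, timedelta

# Minimum plausible transit time between reader pairs, in seconds (assumed).
MIN_TRANSIT_SECONDS = {
    frozenset({"HQ-LOBBY", "HQ-SERVER-ROOM"}): 60,
    frozenset({"HQ-LOBBY", "WAREHOUSE-DOCK"}): 1200,        # separate site
    frozenset({"HQ-SERVER-ROOM", "WAREHOUSE-DOCK"}): 1200,
}


def parse_event(line):
    """Parse one constructed access event into (timestamp, reader, card, result)."""
    ts, reader, card, result = line.split()
    return datetime.fromisoformat(ts), reader, card, result


def find_clone_suspects(lines):
    """Return (card_id, (t1, reader1), (t2, reader2)) for implausible read pairs.

    Only GRANTED reads count: a denied read says nothing about where a
    working copy of the card physically is.  Consecutive reads per card are
    compared, which is enough to catch two copies being used in parallel.
    """
    by_card = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, reader, card, result = parse_event(line)
        if result != "GRANTED":
            continue
        by_card.setdefault(card, []).append((ts, reader))

    suspects = []
    for card, reads in by_card.items():
        reads.sort()
        for (t1, r1), (t2, r2) in zip(reads, reads[1:]):
            if r1 == r2:
                continue          # same door twice: tailgating, not cloning
            limit = MIN_TRANSIT_SECONDS.get(frozenset({r1, r2}))
            if limit is None:
                continue          # unknown reader pair: no basis to judge
            if (t2 - t1) < timedelta(seconds=limit):
                suspects.append((card, (t1, r1), (t2, r2)))
    return suspects


# Constructed sample log (not real events).
SAMPLE_EVENTS = """
2012-11-05T08:00:00 HQ-LOBBY 0x1F3A GRANTED
# 190 s later at a reader 60 s away: plausible
2012-11-05T08:03:10 HQ-SERVER-ROOM 0x1F3A GRANTED
# 410 s later at a site 20 minutes away: flagged
2012-11-05T08:10:00 WAREHOUSE-DOCK 0x1F3A GRANTED
2012-11-05T08:00:30 HQ-LOBBY 0x2B44 GRANTED
# same reader again: ignored
2012-11-05T08:00:45 HQ-LOBBY 0x2B44 GRANTED
# denied read: ignored
2012-11-05T08:20:00 WAREHOUSE-DOCK 0x2B44 DENIED
2012-11-05T09:00:00 HQ-LOBBY 0x77C1 GRANTED
# 20 s later at a reader 60 s away: flagged
2012-11-05T09:00:20 HQ-SERVER-ROOM 0x77C1 GRANTED
""".splitlines()

if __name__ == "__main__":
    for card, (t1, r1), (t2, r2) in find_clone_suspects(SAMPLE_EVENTS):
        print(f"possible clone of {card}: {r1} at {t1} then {r2} at {t2}")
```

The transit table is the part worth getting right: set each pair’s value to the fastest realistic trip, not the average, or the check will produce false alarms on people who hurry. The same data also argues for the design rule in the paragraph above: a badge read that can be cloned should open a door, not disarm the intrusion system on its own.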

More on this subject:

Wardriving for Zigbee: Blog article describing a method for finding and mapping Zigbee networks

Kisbee: Open-source hardware project to capture Zigbee wireless communication

Bootable RFID Live Hacking System: A platform for hacking MIFARE access control cards

Proximity Card Cloning: HID ProxCard-II, ISOProx, and others

iClass Card Details and Cloning

RFID Tutorial

Long Range Cloning: 125KHz Proximity Cards
