Gartner security expert: RFID middleware, readers vulnerable

analysis
Feb 28, 2007, 3 mins


The recent flap over RFID vulnerability in security cards manufactured by HID led me to call Gartner and to have a talk with its top security guy John Pescatore, Vice President and Distinguished Analyst.

I was suddenly wondering how insecure RFID really is.

It seems Chris Paget, a researcher at IOActive, was going to demonstrate at the annual Black Hat security conference how a security card could be easily hacked and cloned, not just cards from HID but from other security card makers as well.

It was reported that in the talk Paget not only planned to explain to attendees how vulnerable these cards are but he was also going to demonstrate how to do it.

I suggest you read the full story, but the upshot was that HID forced IOActive and Black Hat to cancel the demo.

Pescatore says RFID security cards can be done securely.

“They have the design features to do that,” Pescatore told me.

The real problem is that the makers sometimes don’t take the extra step like encrypting the contents.

In fact, the real vulnerabilities in RFID are not in the cards, warns Pescatore, but in the middleware and in the RFID reader software.

It is like the early days of the Web, when Web server designers assumed their product was safe because it was only meant to interrogate a browser, which would then respond. What they didn’t realize was that a hacker might pretend to be a browser.

The same is true now of RFID reader software. Makers think all the reader has to do is talk to the card, the card responds, then the reader asks for the card’s number and the card responds again.

“But what if you are a Palm Pilot or a laptop pretending to be an RFID card?” asks Pescatore.

Or what if, instead of responding with a 128 byte ID number, the hacker sends a 4,000 kbyte number? Will there be an overflow? Or perhaps the last 3,872 bytes are an executable program.

RFID reader software and middleware are built on the assumption that they are talking to a dumb tag, so the bad guys pretend to be the dumb tag, and a buffer overflow carries their data right into executable space.
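The reader-side mistake Pescatore describes is trusting a length that arrives over the air. The following C example is added here to show what the check looks like; it is not code from HID, IOActive or Gartner, and the frame layout (a type byte, a two-byte big-endian length, then the ID), the 128-byte storage limit and the three constructed frames are all assumptions made for illustration. A reader that skips the two length checks and copies the claimed number of bytes into a fixed buffer is the overflow the article warns about; the parser below refuses oversized and short frames before touching the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format for this example: [0x01 type][2-byte big-endian length][ID bytes] */
#define FRAME_TYPE_ID 0x01u
#define HDR_LEN       3u
#define MAX_ID_LEN    128u   /* longest ID this reader will store (assumed) */

enum parse_result { PARSE_OK = 0, PARSE_BAD_TYPE, PARSE_TRUNCATED, PARSE_TOO_LONG };

struct tag_id { uint8_t bytes[MAX_ID_LEN]; size_t len; };

/* Hardened parser. The length field comes from whatever device is on the air,
 * so it is checked against both the reader's storage and the bytes actually
 * received before a single byte is copied. A reader that trusts the field and
 * does memcpy(out->bytes, frame + HDR_LEN, claimed) unconditionally is the
 * "dumb tag" assumption turned into a buffer overflow. */
enum parse_result parse_tag_id(const uint8_t *frame, size_t frame_len, struct tag_id *out)
{
    if (frame_len < HDR_LEN)           return PARSE_TRUNCATED;
    if (frame[0] != FRAME_TYPE_ID)     return PARSE_BAD_TYPE;
    size_t claimed = ((size_t)frame[1] << 8) | frame[2];
    if (claimed > MAX_ID_LEN)          return PARSE_TOO_LONG;   /* would overrun out->bytes */
    if (claimed > frame_len - HDR_LEN) return PARSE_TRUNCATED;  /* would read past the frame */
    memcpy(out->bytes, frame + HDR_LEN, claimed);
    out->len = claimed;
    return PARSE_OK;
}

/* Constructs a frame whose header claims `claimed` bytes while carrying
 * `payload_len` bytes of 0xAA filler. Returns the frame length, or 0 if buf is too small. */
size_t build_frame(uint8_t *buf, size_t buf_len, uint16_t claimed, size_t payload_len)
{
    if (buf_len < HDR_LEN + payload_len) return 0;
    buf[0] = FRAME_TYPE_ID;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xFFu);
    memset(buf + HDR_LEN, 0xAA, payload_len);
    return HDR_LEN + payload_len;
}

/* Three constructed scenarios, each returning the parser's verdict. */
enum parse_result demo_honest_tag(void)
{
    /* A well-formed 128-byte ID: accepted and copied. */
    uint8_t frame[HDR_LEN + MAX_ID_LEN];
    struct tag_id id;
    size_t n = build_frame(frame, sizeof frame, MAX_ID_LEN, MAX_ID_LEN);
    return parse_tag_id(frame, n, &id);
}

enum parse_result demo_oversized_claim(void)
{
    /* A device claiming a 4,000-byte "ID": rejected before any copy happens. */
    static uint8_t frame[HDR_LEN + 4000];
    struct tag_id id;
    size_t n = build_frame(frame, sizeof frame, 4000, 4000);
    return parse_tag_id(frame, n, &id);
}

enum parse_result demo_short_frame(void)
{
    /* Header claims 100 bytes but only 10 arrived: an over-read, also rejected. */
    uint8_t frame[HDR_LEN + 10];
    struct tag_id id;
    size_t n = build_frame(frame, sizeof frame, 100, 10);
    return parse_tag_id(frame, n, &id);
}

int main(void)
{
    printf("honest tag:      %d\n", demo_honest_tag());      /* 0 = PARSE_OK */
    printf("oversized claim: %d\n", demo_oversized_claim());  /* 3 = PARSE_TOO_LONG */
    printf("short frame:     %d\n", demo_short_frame());      /* 2 = PARSE_TRUNCATED */
    return 0;
}
```

The two checks are deliberately separate: the first protects the reader's own memory from a length larger than the buffer, the second protects it from a length larger than what was actually received, which would otherwise read stale or adjacent memory into the ID. Middleware that receives the parsed ID from the reader needs the same discipline, since the reader is just another untrusted input from its point of view.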

While publicizing vulnerabilities is important, says Pescatore, there should be a protocol about how long you wait after notifying a vendor of the problem before you go public.

On the other hand, Pescatore, speaking for Gartner, says that while talking about a vulnerability and its possible impact is not a problem, there is never an excuse to demonstrate how to exploit it.

I agree. Just as you should not be able to put bomb-making schematics on the Web, you should not be able to demonstrate how to commit cyber crime either.

What do you think? Let me know.