Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Sniffing RFID ID's ( Physical Security )

From: "Gary E. Miller" <gem () rellim com>
Date: Tue, 27 Jun 2006 17:56:07 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo Josh!

On Wed, 28 Jun 2006, Josh L. Perrymon wrote:


From a pen-testing perspective: What do you guys think that large companies
would say about this risk? Is this valid enough to cause change in an
organization. Or is this like most everything else we see.. reactive only.
Will it take a major breaking or loss before A fortune 500 company would
pull out their insecure RFID system?


Just like any other software vulnerability.

First, no one will believe it is possible.  So you demonstrate that you
can hack the system.

Two, the vendor and management will claim that either you used inside
information not available to an attacker, or that criminals are too
dumb to duplicate what you did.  So you put your concerns in a memo as
an "I Told You So".

Three, while everyone is in denial there will be mysterious and
unexplained disappeances.  Everyone if baffled.

Four, some high profile site will publicly succumb to this attack.
Everyone involved will proclaim they had no idea such a thing was
possible, your memo has been shredded.

RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
        gem () rellim com  Tel:+1(541)382-8588

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEodOp8KZibdeR3qURArsqAJ9rxNstl9Kos2+uMiADFjSjuiTIegCfcWGo
1piwhFVM1+/1KVInC9ETl0Y=
=rCdl
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: