Pharmaceutical NEWS
Text size:
T
T
T
Startup Designs Firewall to Ensure RFID Network Security
NeoCatena's security appliance is designed to protect an RFID network from counterfeit RFID tags, and from attempts to use malware-encoded tags to introduce a virus to back-end systems—or to steal sensitive data.
By Mary Catherine O'Connor
May 8, 2008—NeoCatena, a Sunnyvale, Calif., startup company, has emerged to address an issue its founders believe is of growing importance to end users of RFID technology: system security. The firm has created a security appliance designed to act as a firewall between RFID interrogators and the edge server of middleware an end user employs to collect and transmit RFID tag data upstream to its enterprise software.
The appliance, known as RF-Wall, runs software developed by NeoCatena to protect an RFID network from counterfeit RFID tags, and from attempts to use tags encoded with malware to introduce a virus to back-end systems, or to execute some type of breach to the security of sensitive data, according to the company's cofounders, Boris Wolf and Lukas Grunwald.
While there have been no publicized incidents involving the use of RFID-based network attacks or counterfeit RFID tags, Wolf and Grunwald believe the threats to be real, and say experiments performed by Grunwald dating back to 2004 have proven such things possible. At a data security conference that year, Grunwald introduced software he developed, dubbed RFDump, which reads RFID tags and shows how user data—a read-write field of data designed to carry information beyond the tag ID, as well as other read-only data encoded by the tag's manufacturer—can be modified using either a hex or ASCII editor.
Grunwald used RFDump to change data on the same tags utilized at Metro Future Store in Germany. In the future, he asserts, nefarious parties could employ interrogators to alter product data, including price, on RFID-tagged consumer goods. In addition, Grunwald has cloned an RFID proprietary access control card and an electronic passport.
Some in the RFID industry—including RFID Journal's editor and founder, Mark Roberti—have deemed Grunwald's assertions that RFID tags represent serious security risks to be far-fetched (see Industry Group Says E-Passport Clone Poses Little Risk, An RFID Hack Job and McAfee Report Hypes RFID Threat). Still, there are some end users willing to take a closer look at what NeoCatena is offering. Wolf says his company is currently involved in beta-testing the RF-Wall product for two Fortune 500 companies, which he declines to name. One is a pharmaceutical company based outside the United States, he says, while the other, based in Asia, is in the supply chain industry.
The types of RFID tags that could pose dangers to an enterprise's back-end systems, Wolf and Grunwald claim, are those with user memory—data blocks intended to carry information supplemental to the tag ID—because that is where a nefarious party could execute known data attacks such as an SQL injection, designed to exploit an SQL database, or an attack using XML code.
Passive high-frequency tags, which have been widely manufactured and employed across numerous industries for years, tend to have larger amounts of user memory than EPC UHF tags do. However, there is a trend among makers of UHF tags to add an increasing amount of user memory (see NXP Boosts EPC Gen 2 Tag Memory, Performance and Alien Technology Announces New EPC Gen 2 Chip). Tag makers are targeting these tags to such applications as drug-tracking, in which pharmaceutical supply chain partners may add chain-of-custody data to the user memory on tags attached to drug packaging.
more Pharmaceutical articles
May 8, 2008—NeoCatena, a Sunnyvale, Calif., startup company, has emerged to address an issue its founders believe is of growing importance to end users of RFID technology: system security. The firm has created a security appliance designed to act as a firewall between RFID interrogators and the edge server of middleware an end user employs to collect and transmit RFID tag data upstream to its enterprise software.
The appliance, known as RF-Wall, runs software developed by NeoCatena to protect an RFID network from counterfeit RFID tags, and from attempts to use tags encoded with malware to introduce a virus to back-end systems, or to execute some type of breach to the security of sensitive data, according to the company's cofounders, Boris Wolf and Lukas Grunwald.
While there have been no publicized incidents involving the use of RFID-based network attacks or counterfeit RFID tags, Wolf and Grunwald believe the threats to be real, and say experiments performed by Grunwald dating back to 2004 have proven such things possible. At a data security conference that year, Grunwald introduced software he developed, dubbed RFDump, which reads RFID tags and shows how user data—a read-write field of data designed to carry information beyond the tag ID, as well as other read-only data encoded by the tag's manufacturer—can be modified using either a hex or ASCII editor.
Grunwald used RFDump to change data on the same tags utilized at Metro Future Store in Germany. In the future, he asserts, nefarious parties could employ interrogators to alter product data, including price, on RFID-tagged consumer goods. In addition, Grunwald has cloned an RFID proprietary access control card and an electronic passport.
Some in the RFID industry—including RFID Journal's editor and founder, Mark Roberti—have deemed Grunwald's assertions that RFID tags represent serious security risks to be far-fetched (see Industry Group Says E-Passport Clone Poses Little Risk, An RFID Hack Job and McAfee Report Hypes RFID Threat). Still, there are some end users willing to take a closer look at what NeoCatena is offering. Wolf says his company is currently involved in beta-testing the RF-Wall product for two Fortune 500 companies, which he declines to name. One is a pharmaceutical company based outside the United States, he says, while the other, based in Asia, is in the supply chain industry.
The types of RFID tags that could pose dangers to an enterprise's back-end systems, Wolf and Grunwald claim, are those with user memory—data blocks intended to carry information supplemental to the tag ID—because that is where a nefarious party could execute known data attacks such as an SQL injection, designed to exploit an SQL database, or an attack using XML code.
Passive high-frequency tags, which have been widely manufactured and employed across numerous industries for years, tend to have larger amounts of user memory than EPC UHF tags do. However, there is a trend among makers of UHF tags to add an increasing amount of user memory (see NXP Boosts EPC Gen 2 Tag Memory, Performance and Alien Technology Announces New EPC Gen 2 Chip). Tag makers are targeting these tags to such applications as drug-tracking, in which pharmaceutical supply chain partners may add chain-of-custody data to the user memory on tags attached to drug packaging.
