Pro Hackers Take On RFID Down Under

Pure Hacking is marketing its RFID auditing service to all end users of RFID, such as those in the retail supply chain, as well as to users such as casinos or chemical companies, whose use of RFID might be linked to highly sensitive or proprietary information.

Pure Hacking has a large market opportunity in Australia, where Perrymon says roughly 1,300 companies are piloting RFID technology today. But he and McAdam say they are interested in running the RFID system audits around the world.

Joshua Perrymon

Thus far, Pure Hacking has completed one audit of a high frequency (13.56 MHz) RFID-based access-control system. After the consultation, Pure Hacking advised the company on a number of matters, such as how to store access cards and how to restrict access to them. Pure Hacking was also able to clone one of the cards in deployment, then use the clone to enter the building. Its recommendations to the company included upgrading its system to support data encryption so cards could no longer be cloned.

McAdam says that going forward, Pure Hacking wants to focus RFID audits on EPC Gen 2 tags and readers. "We're seeing several risks with Gen 2 systems," says McAdam, "in the way the tag handles access and kill passwords. The system is subject to manipulation. We are currently analyzing the GEN2 protocol using custom in-house scripts to identify risks and possible attack scenarios."

Pure Hacking plans to submit the Gen 2 security risks it identifies to EPCglobal, in the hope that the organization will use the information in future development of RFID standards.