
Black Hat event highlights RFID and VoIP security threats


Conference attendees also get a lesson in de-perimeterization.

LAS VEGAS – The Black Hat conference – an annual event where security professionals get in touch with their inner hacker and vice versa – has for nine years been a stage for detailing new security exploits and sharing visions of the future.

News last week was dominated by the saga of security researcher Michael Lynn, who defied his employer Internet Security Systems by delivering a forbidden presentation on hacking unpatched Cisco routers – and was subsequently sued by ISS and Cisco. But Black Hat had much more, including:

  • Phil Zimmerman, the fabled inventor of Pretty Good Privacy (PGP) encryption for e-mail, unveiled plans to bring encryption to VoIP phones.

  • The Jericho Forum, a group of multinational corporations that want to better secure e-commerce by pushing security controls further into networks and away from the perimeter, showcased technologies it said represent that vision.

Among the darker demonstrations, Kevin Mahaffey, director of development at Flexilis, operated a radio-based voltage-controlled oscillator that acted as a disrupter that could shoot a frequency beam at an RFID reader. As it emitted a shrill whine, the RFID disrupter jammed the reader or prevented a complete reading of RFID tags, which in actual use could play havoc with supply-chain operations using the tags.

“This can take away the ability to read tags reliably,” Mahaffey said. He added that there also are ways to sniff RFID tags, clone the information and commit fraud by wrongly tagging goods. Use of public-key encryption would likely be the best way to counter or identify these types of threats, but this is still rare in the RFID world.

Experts on the panel suggested that although the threat appears minor at this point, it is a cause for concern.

Paul Simmonds, chief information security officer at chemical and paints manufacturer ICI in the U.K., said corporations in retailing and the grocery industry use RFID tags to speed delivery of goods so they don’t have to unpack them to identify them.

De-perimeterization contest winners
Jericho Forum sought entries that best reflected the vision of moving security controls away from the network perimeter and more deeply into the intranet.
First place: AppGate, paper describing internal points of authentication and control.
Second place: nCipher, academic analysis called “Safety in a de-perimeterized world.”
Third place: German investment bank DKW for theoretical paper “Blind Public Key,” a concept for certificate-based credentials undergoing internal testing.

But as a maker of a premium line of house paints, ICI would be concerned if its goods were fraudulently marked down in a two-for-one sale through some form of RFID spoofing. “People can get away with theft with this,” Simmonds said.

As the session turned to the subject of government use of RFID tags in passports – which the U.S. has said it intends to implement – the panelists expressed concern that sufficient security controls might not be in place to prevent identity theft.

“Do I want to walk around Baghdad and be identified as a Brit or American?” Simmonds said. “Someone could embed it in an interesting technology, like a land mine.”

Simmonds, a Jericho Forum member, also spoke at Black Hat on the idea of “de-perimeterization.” The term refers to a process of gradually moving away from relying on perimeter defenses – mainly firewalls – as the place where security controls such as authentication and VPN are applied, and toward methods that bring controls closer to actual data sources and make it easier to offer access to e-commerce partners and restrict data access.

The Jericho Forum a few months ago announced it would hold a contest inviting participants to submit papers identifying methods, technologies or concepts that satisfy the frameworks the forum laid out in its own white paper.

The Jericho Forum’s judges selected three finalists. The top winner was AppGate, with a paper that defines how companies that want to move to a de-perimeterized world could focus on controlled access to systems. Security vendor nCipher came in second with its own reference architecture. And a Jericho Forum member, German firm Dresdner Kleinwort Wasserstein, placed third with a discussion of innovations associated with public-key credentials that it is testing.

The papers can be read at www.jerichoforum.org.

Beyond PGP

Among other notable visions of the future heard at Black Hat was one by Zimmerman, who invented PGP encryption for commercial use while sparring with the U.S. government in the 1990s for the right of the citizenry to use strong encryption. Before a packed audience, Zimmerman, now a consultant, announced that his next big project would be applying encryption for practical use in what would be primarily computer-based VoIP phones.

“Every day I can see on my console these break-in attempts, hopefully being repelled,” Zimmerman said. VoIP phones are going to be a target, he said. “I saw e-mail needed to be protected years ago and that’s where PGP came from.”

He demonstrated an encryption-based VoIP implementation for Macintosh based on using VoIP freeware that allowed users to easily set up an encrypted call but emitted stinging static to eavesdroppers.

Zimmerman’s technology – which he says he soon wants to submit as an open standard and possibly commercialize by offering software for Macintosh and Windows – appears simple for practical use.

It relies on cryptographic hashing to provide a unique three-digit identifier that each caller will receive when initiating a VoIP call. The callers simply start their conversation by sharing these identifiers with each other, which proves there’s no man-in-the-middle attack, and the rest of the conversation is encrypted.
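The identifier check described above can be sketched as follows. This is an added example, not code from the article or from Zimmerman's software; the toy Diffie-Hellman group, the use of SHA-256 and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption, for illustration only: far too
# small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    """Return a fresh (private, public) key pair for one call."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def short_id(shared_secret: int) -> str:
    """Hash the negotiated secret down to a three-digit identifier."""
    digest = hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"

def call(intercepted: bool):
    """Return the identifiers shown on the caller's and callee's phones."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if intercepted:
        # A party in the middle substitutes its own public key in both
        # directions, so each phone negotiates a different secret.
        _, m_pub = keypair()
        a_sees, b_sees = m_pub, m_pub
    else:
        a_sees, b_sees = b_pub, a_pub
    return short_id(pow(a_sees, a_priv, P)), short_id(pow(b_sees, b_priv, P))

def mismatches(trials: int, intercepted: bool) -> int:
    """Count calls in which the two spoken identifiers would not agree."""
    return sum(a != b for a, b in (call(intercepted) for _ in range(trials)))

if __name__ == "__main__":
    print("direct call:     ", call(False))
    print("intercepted call:", call(True))
    print("mismatches in 200 intercepted calls:", mismatches(200, True))
```

Because the identifier has only 1,000 possible values, two unrelated secrets in this sketch still produce the same identifier about once in 1,000 calls.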

Zimmerman also spoke about the evolution of the encryption security debate that raged back in the ’90s as the U.S. government sought extensive control over commercial cryptography. That war has largely been fought and won, he noted. “I didn’t see a clampdown on crypto after 9/11,” he said.

Ultimately, Attorney General John Ashcroft came down on the side of free use of cryptography. This led to greater liberalization in the U.S., while other countries, including France and Britain, also lessened cryptography controls.


Copyright © 2005 IDG Communications, Inc.
