RFID security - Part 3: Threat and target identification
Frank Thornton
9/9/2010 2:22 PM EDT
Middleware attacks can happen at any point between the reader and the backend. Let's look at a theoretical attack on the middleware of the Exxon Mobil SpeedPass system.
- The customer's SpeedPass RFID tag is activated by the reader over the air. The reader is connected to the pump or a cash register. The reader handshakes with the tag and reads the encrypted serial number.
- The reader and pump are connected to the gas station's data network, which in turn is connected to a very small aperture terminal (VSAT) satellite transceiver in the gas station.
- The VSAT transceiver sends the serial number to an orbiting satellite, which, in turn, relays the serial number to a satellite earth station.
- From the satellite earth station, the serial number is sent to ExxonMobil's data center. The data center verifies the serial number and checks for authorization on the credit card that is linked to the account.
- The authorization is sent back to the pump following the above route, but in reverse.
- The cash register or pump receives authorization and allows customers to make their purchases.
At any point in the above scenario, the system may be vulnerable to an outside attack. Although they require sophisticated transmitter systems, attacks against satellite systems have happened from as far back as the 1980s.
However, the weakest point in the above scenario is probably the local area network (LAN). A device attached to the LAN could be sniffing valid data to use in a replay attack, or it could be injecting data into the LAN, causing a DoS attack against the payment system. The device could also make unauthorized transmissions.
Another possibility might be a technically sophisticated person taking a job in order to gain access to the middleware. Some "social engineering" attacks take place when someone takes a low-paying job that permits access to a target system.
Further along the data path, the connection between the satellite's earth station and the data center where the SpeedPass numbers are stored is another spot where middleware can be influenced. The connections between the data center and the credit card centers are also points where middleware data may be vulnerable.
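The replay and injection risks described above, on the LAN and on the links behind it, are commonly countered by authenticating each message and accepting it only once. The following Python example is added here; it is not from the article or the SpeedPass system, and it assumes a hypothetical message format (`serial`, `ts`, `nonce`, `mac`), a shared per-pump key, and a 30-second freshness window.

```python
import hashlib
import hmac
import json
import os
import time

KEY = b"constructed-demo-key"   # assumption: per-pump secret provisioned out of band
MAX_SKEW = 30                   # assumption: seconds a message stays fresh


def _mac(body, key):
    """HMAC-SHA256 over a canonical JSON encoding of the message body."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal(serial, key=KEY, now=None):
    """Reader/pump side: wrap the tag serial with a timestamp, nonce and MAC."""
    body = {"serial": serial,
            "ts": int(time.time() if now is None else now),
            "nonce": os.urandom(16).hex()}
    return dict(body, mac=_mac(body, key))


class Verifier:
    """Data-center side: accept each sealed message at most once."""

    def __init__(self, key=KEY):
        self.key = key
        self.seen = {}   # nonce -> message timestamp, pruned once it ages out

    def check(self, msg, now=None):
        now = time.time() if now is None else now
        body = {k: msg.get(k) for k in ("serial", "ts", "nonce")}
        # Injected or altered traffic fails here: no key, no valid MAC.
        if not hmac.compare_digest(_mac(body, self.key), str(msg.get("mac", ""))):
            return "reject: bad MAC (injected or altered)"
        # A sniffed message replayed later falls outside the window.
        if abs(now - body["ts"]) > MAX_SKEW:
            return "reject: stale (outside freshness window)"
        # Inside the window, the nonce cache catches an immediate replay.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if body["nonce"] in self.seen:
            return "reject: replay (nonce already used)"
        self.seen[body["nonce"]] = body["ts"]
        return "accept"
```

The nonce cache only needs to cover the freshness window, because anything older is already rejected as stale; the MAC protects integrity and origin but does not hide the serial number from a sniffer.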


ezel
9/21/2010 8:43 AM EDT
good