Defeating RFID Malware
One of the major attack types against RFID systems is tag data manipulation, in which an attacker attempts to attack backend databases or applications through some form of code injection. The reality is that most RFID systems do not safeguard the RFID communication channel at all. As a result, these systems cannot spot manipulated RFID tag data and react accordingly.
To protect backend systems from these types of threats, an independent authority is required, ideally a dedicated security appliance that restricts access and prevents arbitrary data from being injected into these systems.
The solution should integrate transparently and seamlessly into a given RFID system directly after the RFID reader and in front of the backend (Edge Server or RFID Middleware). This way the solution can inspect tag data before it reaches the backend, blocking it if it poses a threat and letting it pass through if it is valid. Thus, even if a malicious tag enters the reader field, the tag data will not propagate beyond the security appliance and the backend will never even be aware of its presence. Instead, normal operations will continue as if nothing happened, effectively shielding backend systems, including middleware, databases and ERP solutions, from malware and attacks via manipulated RFID tags.
The central functionality of an RFID security solution can be compared to a combination of firewall and virus scanner / intrusion detection system (Solution 1). Tag data is analyzed for validity and conformance with defined data formats (positive tests) and for potential exploits (negative tests). Only valid tags that pass all tests should be passed through to the backend systems for processing. By default the solution should provide components to validate a number of standard data formats (e.g. valid EPC product code, well-formed XML etc.) as well as to detect generic exploits and known attacks (including SQL injections, buffer overflow attacks, format string attacks etc.). Over time the intrusion detection component should learn what normal RFID traffic looks like and hence be able to detect unusual or suspicious traffic patterns on the RFID communication channel. Finally, the solution should allow for regular scheduled updates of its attack signature databases from a central location.
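The positive and negative tests described above can be sketched as follows. This is an added example, not NeoCatena's or RF-Wall's code; the function names, the restriction to 96-bit SGTIN EPCs, the 32-byte user-memory limit and the signature list are assumptions chosen for illustration.

```python
import re

# Assumptions (not from the original page): only 96-bit SGTIN EPCs
# (header byte 0x30) and at most 32 bytes of printable user memory are
# expected. The signatures are illustrative, not a complete rule set.
ALLOWED_EPC_HEADERS = {0x30}
MAX_USER_BYTES = 32
NEGATIVE_SIGNATURES = [
    ("sql-injection", re.compile(
        rb"'|--|;|/\*|\b(union|select|insert|update|delete|drop)\b", re.I)),
    ("format-string", re.compile(rb"%[0-9$]*[nsxp]", re.I)),
    ("markup-injection", re.compile(rb"<\s*(script|!entity|\?xml)", re.I)),
]

def inspect_tag(epc_hex, user_data):
    """Return (forward, reason); forward is True only if all tests pass."""
    # Positive tests: the read must match the formats this site expects.
    if not re.fullmatch(r"[0-9A-Fa-f]{24}", epc_hex):
        return False, "epc-not-96-bit-hex"
    if int(epc_hex[:2], 16) not in ALLOWED_EPC_HEADERS:
        return False, "epc-header-not-allowed"
    if len(user_data) > MAX_USER_BYTES:
        return False, "user-data-too-long"
    if any(b < 0x20 or b > 0x7E for b in user_data):
        return False, "user-data-not-printable"
    # Negative tests: reject known injection patterns.
    for name, pattern in NEGATIVE_SIGNATURES:
        if pattern.search(user_data):
            return False, name
    return True, "ok"

def filter_reads(reads):
    forwarded, audit = [], []
    for epc_hex, user_data in reads:
        ok, reason = inspect_tag(epc_hex, user_data)
        if ok:
            forwarded.append((epc_hex, user_data))
        else:
            audit.append((epc_hex, reason))
    return forwarded, audit

# Constructed sample reads (EPC hex, user memory); not captured data.
SAMPLE_READS = [
    ("3034257BF7194E4000001A85", b"LOT-2291 PALLET 7"),
    ("3034257BF7194E4000001A86", b"crate'; DROP TABLE items;--"),
    ("3034257BF7194E4000001A87", b"%x%x%x%n"),
    ("E2801160600002054C3A1B2C", b"LOT-2291"),
    ("3034257BF7194E4000001A88", b"A" * 200),
]
```

Running the positive tests first means anything outside the expected format is dropped by default, so the signature list only has to catch hostile content that still fits the allowed shape.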
With RF-Wall, NeoCatena provides a solution that meets and exceeds the requirements outlined above. RF-Wall is implemented as an appliance that intercepts all data coming from one or more RFID readers before it can reach the middleware or backend that would otherwise be directly connected to the reader. As an added value, RF-Wall may be used for filtering (e.g. by EPC product code or other arbitrary criteria) and for flow control to manage bursts of data that would otherwise flood the backend. All activity can be logged in an audit database and defined events may be escalated.