The Football World Cup will see for the first time the use of RFID for the ticketing system of a major event.
The list of security precautions the government is taking is substantial. It begins with the use of RFID (radio frequency identification) technology. More than 3.5 million tickets for the 64 matches will be sold with an embedded RFID chip containing identification information that will be checked against a database as fans pass through entrance gates at all 12 stadiums.
[Source: CSO]
We would hope the database has been hardened against attack.
From this article we can hypothesise the following:
- The RFID will contain a unique ID
- This ID will be linked to an database on the backend.
- The RFID devices are read only
So, the RFID scanner will not directly access the personal data from the RFID devices, which is a good thing, but the weakness of this system is moved to the security of the database backend, and to the application backend.
This system makes the forging of a ticket harder, but still not impossible, as a clone of an existing RFID could be done and be checked before an original one. Advance systems will then be able to understand that a device has been checked twice, and could be cross referenced with video footage of the transaction, in order to determine the origin of the forged ticket.
RFID also allows the tracing of people within the premises of the stadium, and outside, but any RFID scanner would be able to do this. This technique is actually in use in some commercial complexes to study the behaviour of a client.
How could be a such system exploited?
As in any database backend application, it could be vulnerable to SQL injection if the input processing routines have not been hardened. It could, in some cases, modify the integrity of the database: adding, modifying, and removing data from the database. This attack needs an understanding of the database schema as with a “blind test”, the RFID won’t recieve any results from the generated query.
A recent research paper ( by M.R. Rieback, B. Crispo, A.S. Tanenbaum. “Is Your Cat Infected with a Computer Virus?”), describes the main threats of RFID Tags.
A more simple attack will try to attempt an Denial of Service directly on the scanner using buffer overflow techniques.
An event as significant as the world cup, with inevitable black market sales and the motivation for fraud will provide an interesting first usage of this technology. We shall be monitoring the event to see if there is any sign of a new, high tech, attack on the competition.