Sometimes we need a break from all of the serious security issues we deal with and talk about. This blog is a break from breaches, sabotage, espionage and camouflage. If you want serious security today might I recommend Top 4 Reasons Why Hackers Plant Geolocation Malware on Websites, or some of my previous blogs such as Evasion and Regeneration; Decoys and Deception, or New Equifax Website Compromise.
Recently I had to shop for a washing machine. I had forgotten that nowadays washing machines are part of the Internet of Things (IoT). It was pretty easy to narrow down my choices of washing machines; if the washing machine listens and tells all to Google then I don’t want it, I have my Android phone for that. I would need to remember not to talk about confidential information when I am in the laundry room… Google hears all, Google sells all.
All of these high tech washing machines made me contemplate what other absurd things we can apply IoT technology to? I decided that IoT clothes would be absurd… until I had my million dollar idea for a ground breaking application of the technology.
You see, I am really about function over form. My sense of fashion is only marginally better than most IoT vendors’ knowledge of the need for IoT security. I reason that if I could have RFID tags in my clothes, I could put my sports coat next to a shirt and then my mobile phone will tell me if the clothes work together. Next I put a tie with the shirt and sports coat and my phone tells me if it is business casual or a misdemeanor.
RFID tags would solve my fashion impairment affliction. I could take pictures of my clothes to the store with me and know if something will pop before I buy it. It’s not just me, it’s a wonderful application for color blind people (who without exception have a better sense of color coordination than I do).
I could bring my clothes to the washing machine and it will TELL me which items can safely be washed with each other! The cost savings would be enormous. No more buying clothes that work together at the store and then inadvertently dyeing them to a color that no longer works with anything, including impressionist paintings.
There's also the problem that fashion changes. My app will be updated every time there is a new fashion (black is timeless). At last, if I buy on the first day of the cycle, my clothes can be fashionable for the full six months of their planned obsolescence. What's more, I could enter the name of an opera house or a burger joint and my phone will tell me if the clothes are acceptable for the dress code. Evidently sandals do not count as shoes at those fancy shmancy opera houses. I actually knew that and intentionally wore them when my ex-girlfriend tried to make me go to see the opera Lily.
So what could go wrong with putting RFID tags in clothes? Perhaps a manufacturing error puts the wrong chip in the clothes I'm wearing for an interview at T.J. Maxx. Suppose a hacker is able to hack the RFID chips and flash them to the 1970's fashion styles? If there is a manufacturing product recall for a defective RFID tag (the cheap ones are read only) is the shirt replaced with a refurbished shirt? Will the shirt be depreciated based on wear? If I am a clothing manufacturer would my competition hack into my system and sabotage my RFID tag stock?
Yes, there are potential security risks but still, if we nerds can finally go incognito in public it is a risk we are willing to take.
Randy Abrams
Independent Security Analyst
Primarily I will discuss security and privacy issues. Many of the blogs will be serious but the absurd will make it in sometimes too.
Friday, December 1, 2017
Tuesday, November 14, 2017
Sometimes It Isn’t All About Russia
Saying that Russia has been in the news for espionage and hacking, etc. is like saying there’s oxygen in the air – it seems we breathe that news. Despite whatever Russian hackers have done, people get so hung up on the marketing value of the Russia brand that they forget there was supposed to be a story too. The exploitation of DDE is an example.
There are many articles about Russian hackers exploiting the terrorist attack in New York in order to lure people into opening documents that are booby-trapped with DDE content. There are two real stories here and Russian hackers are not one of them. We have a story involving confidence attacks and another story about DDE exploitation.
Happy Birthday Sweet 16
2017 marks the 16th anniversary of the Anna Kournikova worm. Amusingly, at least to me, when I thought of using the Anna Kournikova worm as an example in this blog, I had completely forgotten that Anna hails from Russia. I also wasn’t thinking about the lyrics either. “You've turned into the prettiest girl I've ever seen.” is also in the lyrics to the song. That Anna is from Russia was not relevant to the story of the worm. That Anna is a lovely woman is only relevant to the construction of the worm attack. The story is about techniques that are highly effective in enticing users to execute malware. The point of “Happy Birthday Sweet Sixteen” is that we are not dealing with anything new. The “ILoveYou” worm is a year older but nobody says “Happy Birthday Sweet Seventeen” so Anna it is. There is also another interesting parallel between the Anna Kournikova worm and the DDE exploit attack vector. Jan de Wit, the author of the Anna Kournikova worm, used a virus construction kit to generate the worm for him. Not to say that Russian, Chinese, American and other hackers are not sophisticated, but tutorials to exploit the DDE vulnerability are on YouTube. Just sayin’.
If, like Jan, you prefer to use a kit, Metasploit has a module all set up for you.
Prescriptive Guidance
Russian hackers using exploits to deliver malware is not a story. Using a tragedy as a lure is not a story. Anyone involved in security already knew that exploitation of the terrorist attack story would be happening within minutes. If you are going to use the Russian brand for marketing (like I am now), use the marketing for good. In that spirit I would like to provide at least a little prescriptive guidance.
1) Read
Despite the varying nature of usefulness, Microsoft usually provides mitigation strategies for vulnerabilities. In this case you should read the Microsoft Security Advisory 4053440 titled “Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields.”
Many security companies have excellent write-ups of the actual threat, how it works, what Yara rules and Snort signatures may be available, and other truly relevant information. Read those articles if security is your thing. Read my blog if it isn’t.
2) Keep your eye on the ball
Perhaps you can employ Microsoft’s mitigation strategies, but whether you can or cannot, remember that blocking these attacks is part of a strategy, not the goal. Protecting data is the goal.
There are books, courses, and I believe even theologies that deal with data protection, but “how to” is beyond the scope of this blog and outside of my area of practice. Cutting through the haze of hype is the story I want to tell. If you are keeping your eye on the ball, the DDE vulnerability is a reminder that protecting your data is the endgame. If your data is vulnerable to exploitation of DDE, perhaps DDE is not your biggest problem. The DDE issue might also be a reminder to audit/test your defense systems.
I often recall Greg Thompson’s post on LinkedIn in the wake of WannaCry. Growing weary of the Gregorian chant “Patch Patch Patch Patch Patch Patch Patch Patch Patch” he exclaimed:
Like Greg said, “...we need to re-think how we control/manage vulnerabilities.”
Thanks Greg, for the reminder to keep my eye on the ball.
You see… sometimes it isn’t all about Russia, but it just might be about tennis lessons from Anna Kournikova. Anna’s story is timeless and I think that Anna is too - she is just as beautiful as she was 16 years ago when a worm by her namesake made the world news.
In the blog "Internal Audits, Lawsuits, and Love Letters," I promised a blog dealing with the Malware aspect of using public computers. You can find that blog on the Quttera blog at Public Computers and Malware.
Randy Abrams
Senior Security Analyst at Quttera Labs