New RFID Attack Opens the Door / Dark Reading, 23 MARCH 2007
http://digbig.com/4sats
"Be careful of who walks up to your building and swipes an ID card: New proof-of-concept code will soon be released that lets attackers hack RFID readers and walk right in as if they work there. The attack uses SQL injection to fake the back-end RFID reader into admitting the cardholder into the building, says Joshua Perrymon, hacking director for PacketFocus Security Solutions. The RFID databases don't validate the input they receive from the swiped cards, he says, which leaves them wide open for hacks. "I was noticing the back-end database is the same across all products -- I haven't seen any using input validation" to confirm the data they've swiped is legitimate, he says. "It doesn't really matter who the vendor is... In any building you go to with this, bang, you gain access.""
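
The missing input validation described above, shown as an added example that is not from the Dark Reading article or from PacketFocus: a badge lookup that builds its SQL from the card data, next to one that validates the payload and binds it as a parameter. The table layout, function names and the 14-hex-character UID format are assumptions made for illustration.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data: a hypothetical badge table, not any vendor's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE badges (uid TEXT PRIMARY KEY, holder TEXT, active INTEGER)")
    db.executemany("INSERT INTO badges VALUES (?, ?, ?)",
                   [("04A1B2C3D4E5F6", "alice", 1),   # active badge
                    ("04FFEE11223344", "bob", 0)])    # revoked badge
    return db

def admit_unvalidated(db, payload):
    """The weakness the article describes: card data pasted into the SQL text."""
    sql = "SELECT holder FROM badges WHERE active = 1 AND uid = '" + payload + "'"
    return db.execute(sql).fetchone() is not None

# Assumption: tags carry a 7-byte UID encoded as 14 uppercase hex characters.
UID_RE = re.compile(r"[0-9A-F]{14}")

def admit_hardened(db, payload, rejected):
    """Validate the payload format, bind it as a parameter, and fail closed."""
    if not isinstance(payload, str) or not UID_RE.fullmatch(payload):
        rejected.append(payload)  # malformed reads are a detection signal
        return False
    row = db.execute("SELECT holder FROM badges WHERE active = 1 AND uid = ?",
                     (payload,)).fetchone()
    return row is not None

# Constructed malformed read: quote characters turn the WHERE clause into a tautology.
MALFORMED = "x' OR '1'='1"

if __name__ == "__main__":
    db, rejected = make_db(), []
    for read in ("04A1B2C3D4E5F6", "04FFEE11223344", MALFORMED):
        print(repr(read),
              "unvalidated:", admit_unvalidated(db, read),
              "hardened:", admit_hardened(db, read, rejected))
    print("rejected reads to alert on:", rejected)
```

The rejected list stands in for whatever logging the access controller has; a read that fails the format check never comes from a legitimately issued card, so it is worth alerting on.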