Friday, August 8, 2008

And the winner is....

Several years ago I recall seeing a picture of a sign someone had posted on a bridge which read something like this:

Remember when you drive over this bridge that the company who built it was the lowest bidder.

Sort of makes you question the safety of the bridge, does it not?

At the Blackhat Conference this past week, several of the exploits generating quite a bit of stir involve attacks on automatic toll systems (which use completely non-secure RFID), as well as attacks on e-passports (also using non-secure RFID).

Security experts have discussed the vulnerabilities of these systems nearly to the point of exhaustion, only to be dismissed as theoretical possibilities.

An article posted at Techdirt.com discusses this latest Blackhat exploit, and the last sentence in the article asks "So why weren't these systems designed with better security in the first place?"...which brings us back to the bridge.

Sadly, I am willing to bet anyone that every one of the companies who implemented these systems was absolutely made aware that they had to consider security in the design of the system, and absolutely either chose to ignore security, or failed to validate security if they did choose to implement it.

The lowest bidder can easily cut security out of the bid, because everyone else does.

Perhaps the makers of the toll systems and passports can sue the Blackhat hackers, like NXP tried to do to the students who published the Oyster Card exploit. I am sure their lawyers would love to collect some fees.
