My company uses a security company whose name I shall not disclose. For some reason, those guys stick ominous NFC stickers on the doors and windows with their company’s logo, and the stickers serve up URIs with a custom mime-type (i.e. not http). I looked it up: the mime-type is linked to some custom app the employees have on their cellphone that gets called up when they scan the tags - probably some stupid app that says “This property is secured by xxx”.
So naturally, I replaced the URI with http://pornhub.com/. What else could I do? Come on, admit it, you’d have done the same…
One of the security employees visited us this morning in full rent-a-cop regalia, dragged our CEO out of his office and proceeded to perform a “security assessment” around the building, with a very serious, very official look on his face. And sure enough, when they arrived at the back door, he scanned the mischievous tag smack in front of our CEO. Some security
Quite frankly, I stayed clear away from it all day long; I’ll check it out tomorrow. But as far as I can tell, they’re all readily writeable. I haven’t tried to analyze them in detail: I changed the NDEF, pretty surprised to be able to do it at all, then buggered off as fast as I could before being spotted. I’d be surprised if the rent-a-cop had anything - or even the knowledge - to lock the new tag.
The funny thing is, you can do it just fine from the outside, without breaking in or anything: even with triple glazing on the doors and windows, the tags read just fine. It just can’t be tied to an inside job.
If I was designing that, I’d have them locked at time of writing. They are clearly intended as single-use items; it seems silly for their programming process to leave them writeable.
I’m sure the PD Fan Club doesn’t know how to lock them, but if their system would expect them to know how to (or even understand why it’d be a good idea) then they’ve already failed!
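The posts above turn on two checks a patrol app (or whoever provisions the stickers) ought to make: is the tag actually locked, and does the NDEF record still carry the expected URI? The following is an added example, not code from this thread or from any vendor: it builds a constructed NFC Forum Type 2 tag memory dump (NTAG-style layout: UID in pages 0-1, static lock bytes at offsets 10-11, capability container in page 3, NDEF TLV from page 4), then inspects it for the read-only flag in the capability container, the static lock bytes, and the decoded URI. The scheme name `securepatrol`, the UID and the URIs are all made-up assumptions for the demonstration.

```python
# Added example (not from the thread): build and audit a constructed Type 2 tag dump.
# Assumes an NTAG-like memory map; the "securepatrol" scheme and UID are hypothetical.

# Partial NFC Forum URI record prefix table (identifier code -> expanded prefix).
URI_PREFIX = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.",
    0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}


def build_uri_record(uri: str) -> bytes:
    """Encode a single short NDEF URI record (TNF=well-known, type 'U')."""
    code, prefix = 0x00, ""
    for c, p in URI_PREFIX.items():          # pick the longest abbreviating prefix
        if p and uri.startswith(p) and len(p) > len(prefix):
            code, prefix = c, p
    payload = bytes([code]) + uri[len(prefix):].encode()
    header = 0x80 | 0x40 | 0x10 | 0x01       # MB | ME | SR | TNF=1
    return bytes([header, 1, len(payload)]) + b"U" + payload


def build_type2_dump(uri: str, read_only: bool, lock_bits: bytes) -> bytes:
    """Constructed linear memory image of a Type 2 tag holding one URI record."""
    uid = bytes.fromhex("04A1B2C3D4E5F6")    # constructed 7-byte UID
    page0 = uid[:3] + bytes([0x88 ^ uid[0] ^ uid[1] ^ uid[2]])   # BCC0
    page1 = uid[3:7]
    page2 = bytes([uid[3] ^ uid[4] ^ uid[5] ^ uid[6], 0x48]) + lock_bits  # BCC1, internal, lock bytes
    # Capability container: magic E1, version 1.0, data area size, access byte.
    # Low nibble of the access byte: 0x0 = write allowed, 0xF = write forbidden.
    cc = bytes([0xE1, 0x10, 0x12, 0x0F if read_only else 0x00])
    ndef = build_uri_record(uri)
    tlv = bytes([0x03, len(ndef)]) + ndef + b"\xFE"   # NDEF TLV + terminator TLV
    dump = page0 + page1 + page2 + cc + tlv
    return dump + b"\x00" * (-len(dump) % 4)          # pad to a 4-byte page


def parse_uri_record(rec: bytes) -> str:
    """Decode a short-record NDEF URI record back into its full URI string."""
    flags = rec[0]
    if not flags & 0x10:
        raise ValueError("only short records (SR=1) are handled here")
    type_len, payload_len, pos = rec[1], rec[2], 3
    id_len = 0
    if flags & 0x08:                          # IL flag: an ID length byte follows
        id_len, pos = rec[pos], pos + 1
    rtype = rec[pos:pos + type_len]
    pos += type_len + id_len
    payload = rec[pos:pos + payload_len]
    if (flags & 0x07) != 0x01 or rtype != b"U":
        raise ValueError("not a well-known URI record")
    return URI_PREFIX.get(payload[0], "") + payload[1:].decode()


def inspect_tag(dump: bytes, expected_scheme: str) -> dict:
    """Audit lock state and URI of a Type 2 dump; returns findings a patrol app could act on."""
    cc = dump[12:16]
    if cc[0] != 0xE1:
        return {"uri": None, "locked": False, "findings": ["no NDEF capability container"]}
    cc_read_only = (cc[3] & 0x0F) == 0x0F
    static_locked = dump[10:12] != b"\x00\x00"
    uri, pos = None, 16
    while pos < len(dump):                    # walk the TLV area starting at page 4
        t = dump[pos]
        if t == 0x00:                         # NULL TLV, skip
            pos += 1
            continue
        if t == 0xFE:                         # terminator TLV
            break
        length, pos = dump[pos + 1], pos + 2
        if length == 0xFF:                    # 3-byte length form
            length, pos = int.from_bytes(dump[pos:pos + 2], "big"), pos + 2
        value, pos = dump[pos:pos + length], pos + length
        if t == 0x03:
            uri = parse_uri_record(value)
    findings = []
    if not cc_read_only:
        findings.append("capability container still allows writes")
    if not static_locked:
        findings.append("static lock bytes are clear")
    if uri is None:
        findings.append("no NDEF URI record found")
    elif not uri.startswith(expected_scheme + ":"):
        findings.append(f"unexpected URI scheme: {uri}")
    return {"uri": uri, "locked": cc_read_only and static_locked, "findings": findings}


if __name__ == "__main__":
    provisioned = build_type2_dump("securepatrol://checkpoint/7", True, b"\xFF\xFF")
    tampered = build_type2_dump("http://www.example.com/", False, b"\x00\x00")
    print(inspect_tag(provisioned, "securepatrol"))
    print(inspect_tag(tampered, "securepatrol"))
```

The point of the two dumps is the design remark in the thread: a tag provisioned with the access byte set to read-only and the static lock bits blown reports no findings, whereas one left writeable reports both the open lock state and, once someone has rewritten it, the foreign URI. A real app would feed `inspect_tag` the pages it reads over NFC rather than a constructed buffer.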
Well I won’t do it again, now that I know the employees are assessed on whether or not they hit the tags when they do their rounds. I thought they were pointless feel-good devices for the customers. Had I known, I wouldn’t have done it.
Several restaurants embed tags in their tables so when you bring a table pick with you and set it on the table the servers know exactly where to bring your food. Of course these use the UID and leave the data area alone so nobody bothers to lock it down ever… so I write URLs to Dangerous Things on every single one and lock them. Next time someone drops their phone on the table without locking or powering down, free advertisement for Dangerous Things.