RSSStudy: RFID Tags Carry Potential Virus Threat
By Ed Oswald | Published March 15, 2006, 4:38 PM
Radio chips being marketed as a replacement for the barcode threaten consumer privacy and are able to carry a virus, Dutch university scientists revealed on Wednesday. An infected radio frequency identity (RFID) tag is able to disrupt the database that reads information on the chip.
Scientists at Amsterdam's Free University were able to create a chip infected with a virus, and then use it to infect the database. Before this study, supporters of RFID assumed that the technology could not modify the back-end software that reads it.
"In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionally) infected with a virus and this virus can infect the backend database used by the RFID software," the researchers wrote in a paper discussing the flaw.
"From there it can be easily spread to other RFID tags."
The group says their experience in warning those using the technology about its security issues shows that many are dismissing such a notion as academic and theoretical. Thus, the group is making the malware code publicly available in order to convince users that the problem is potentially serious.
Several scenarios were given on how an RFID virus could be very dangerous, such as a prankster uploading a virus to a supermarket computer that could be used to change prices, or using his cat to pass a computer virus from animal to computer and back to animal through another RFID tag.
However, what may be the scariest of all is the potential airline scenario, where a virus could be used to disrupt baggage-handling systems, potentially hiding suspicious cargo.
"Merely infecting other tags is the most benign case," the group wrote. "An RFID virus could also carry a payload that did other damage to the database, for example, helping drug smugglers or terrorists hide their baggage from airline and government officials."
While in most cases, the critical response to RFID has been due to privacy issues, the scientists' discovery of potentially malicious ways to use the technology is even more troubling, they say.
In turn, the group is advocating action be taken now. "It is a lot better to lock the barn door while the prize race horse is still inside than to deal with the consequences of not doing so afterwards," they said.
A logical defence would seem to be to encapsulate RFID tag data and buffer/screen it before sending it for downstream processing.
Other potential threat scenarios involving RFIDS: a competitor can walk around rival's store gathering data on available merchandise. Even without a complete and accurate inventory, trends over time could be of critiacal marketing value.
As RFID tags drop in price, simply distributing them around a competitor's store could skew the inventory processing.
I'm not an expert on RFID technology and I don't know if the protocols already protect against such attacks. I would hope so.
Dev
Score: 0
I luv it!! And i think it already has spread to some folks' brains...
Score: 0
The paper is basically talking about SQL injection, buffer overflows and SSI exploits. While the application would have to be written pretty poorly to actually perform one of these, there are a lot of poorly written applications out there. You can read the paper here:
http://www.rfidvirus.org/papers/percom.06.pdf
Score: 0
That's what I thought so. There is no assumption in software because it would only make an ASS-U-ME. Moreover security is a consideration in any technolgy and should be considered in the planning.
Score: 0
Hopefully it will at least make programmers more aware of the threats. I remember learning about SQL injections way back when. It was so simple and obvious, I just never though about it until someone showed me.
Score: 0