Wednesday, Mar 15, 2006

How does an RFID tag perpetuate a computer virus?

InformationWeek's carrying a Reuters article that mystifies me. I can understand that if an RFID tag is used to retain volatile information that, later, might be used in other calculations, transforms, etc. AND the villain of the piece has intimate knowledge of that application, it would be possible to throw data into the volatile storage that might gum up the works.

I can also understand that if RFID tags are "programmable" in the field, an erroneous EPC number could be inserted into the tag, inadvertently or intentionally, with the result that the database (once again) contains invalid information (and potentially, you're charged the going rate for toothpaste when buying a bottle of wine, since it has the same effect as a mis-tagged item).

But, a virus? That infects other RFID tags? I gotta see this paper.


Radio Chip Barcodes Can Carry A Virus: Scientists



March 15, 2006



AMSTERDAM (Reuters) - Cheap radio chips that are replacing the ubiquitous barcode are a threat to privacy and susceptible to computer viruses, scientists at a Dutch university said on Wednesday.



Researchers at the Amsterdam's Free University created a radio frequency identity (RFID) chip infected with a virus to prove that RFID systems are vulnerable despite the extremely low memory capacity on the cheap chips.



The problem is that an infected RFID tag, which is read wirelessly when it passes through a scanning gate, can upset the database that processes the information on the chip, says the study by Melanie Rieback, Bruno Crispo and Andrew Tanenbaum.



"Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong," the scientists said in a paper.



"An RFID tag can be infected with a virus and this virus can infect the back-end database used by the RFID software. From there it can be easily spread to other RFID tags," they said.



As a result, it is possible that criminals or militants could use an infected RFID tag to upset airline baggage handling systems with potentially devastating consequences, they said.



The same technology could also be used to wreak havoc with the databases used by supermarkets.



"This is intended as a wake-up call. We ask the RFID industry to design systems that are secure," Tanenbaum said in a telephone interview." ...

Update:

OK, I've downloaded their paper and read through the website. Their point, and it's a good one, though overblown, is that RFID, like any system that elicits input that goes to a database system, must be considered as containing attempted "exploits." If I were to do a "global replace" on their discussion of threats and exploits, replacing RFID with elicitation of data from users of the public internet using web browsers, the argument would be just as valid.

There are ways of pointing out that Best Practice in coding back-office software should always do a validation check on the input data before "committing" it to the system. This is an application software issue... not an issue specific to RFID.

If the point of this website and article is to point out that the data embodied in an RFID chip must NOT be considered already validated, they should have said so. If it was a fair study, by pointing up the potential threat, they should also point out that it is best practice to examine RFID-resident data for either inadvertent or intentional threats to the back-office software systems. They should have and could have said that without the sky-is-falling-and-RFID-is-inherently-unsafe hoopla.
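The validation step argued for above, as an added example (not code from this post or from the paper). It assumes tags carry a 96-bit EPC that the reader delivers as 24 hex digits; the SQLite schema, the sample rows and the names `open_catalog` and `handle_scan` are hypothetical.

```python
import re
import sqlite3

EPC_HEX = re.compile(r"[0-9A-F]{24}")  # assumption: 96-bit EPC as 24 hex digits

def open_catalog() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the back-office product database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (epc TEXT PRIMARY KEY, name TEXT, cents INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("3034257BF400B7800004CB2F", "toothpaste", 299),   # constructed sample rows
        ("3034257BF400B78000051A6C", "wine", 1499),
    ])
    db.execute("CREATE TABLE scans (tag TEXT, status TEXT)")
    return db

def handle_scan(db: sqlite3.Connection, tag_data):
    """Validate what the reader delivered before anything is committed."""
    if isinstance(tag_data, str) and EPC_HEX.fullmatch(tag_data):
        # Well-formed EPC: bind it as a parameter, never splice it into SQL text.
        row = db.execute("SELECT name, cents FROM products WHERE epc = ?",
                         (tag_data,)).fetchone()
        status, logged = ("ok" if row else "unknown"), tag_data
    else:
        # Not an EPC at all: no lookup is made; keep a bounded, escaped copy
        # so the anomaly can be investigated.
        row, status, logged = None, "rejected", repr(tag_data)[:64]
    db.execute("INSERT INTO scans VALUES (?, ?)", (logged, status))
    db.commit()
    return status, row

if __name__ == "__main__":
    db = open_catalog()
    for scan in ("3034257BF400B7800004CB2F",      # known tag
                 "3034257BF400B780000FFFFF",      # well-formed, not in catalog
                 "3034257B'; -- not an EPC",      # constructed malformed payload
                 "3034257BF400B7800004CB2F\n"):   # trailing byte after a valid EPC
        print(repr(scan), handle_scan(db, scan))
```

A bottle of wine re-tagged with the toothpaste EPC still comes back `ok`: the format check stops malformed input, but catching a mis-tag takes a check outside the tag data itself.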



Reader Comments (2)

An excellent post giving an insight to the news and an excellent viewpoint.
Mar 21, 2006 at 7:36PM | Unregistered Commenter MICHAEL

Thanks for your nice article about computer viruses. Definitely we need to keep ourselves protected from viruses, otherwise we may need to pay for it by losing all of our important data. But for computer safety we should also take care of the hardware, because a hardware crash will also destroy our data. For that we should keep it away from dust, dirt, shakes and other things. The best solution is to have computer carts, which are easily available in the market these days. Here I am pasting a link where you can choose good computer carts http://www.bigfootmobilecarts.com/ check it once, it'll help you for sure.
Jun 9, 2010 at 1:17AM | Unregistered Commenter Carts BigFoot
