« The flawed analogy: The Electricity Grid & the Grid Computing Utility | Main | Chicago and entrepreneurial technology culture »

More on the RFID virus assertion

More response to the study of RFID and security issues about which I posted earlier. In particular, I found the response from the EPC community very interesting. It's worth the read, and I have to agree with most of the arguments posited by the RFID "defenders". That said, I find the important point is made by one of the authors, Melanie Rieback: "A lot of these attacks are common knowledge to IT security professionals, but what is different is that no one expects these attacks to come from an RFID tag."

RFID Journal - Can Tag Viruses Infect RFID Systems?

... However, the group's claims were immediately rejected by some members of the RFID industry, including Kevin Ashton, cofounder and former executive director of MIT's Auto-ID Center and now vice president of marketing for RFID interrogator manufacturer ThingMagic.

"A typical EPC tag has 96 bits of memory with an ID number," Ashton notes. "For any such threat to be credible, there would have to be more memory, a read-write tag and variable-length tag reads. It would also need a reader and a system stupid enough and vulnerable enough to allow executable malicious code."

Sue Hutchinson is the director of product management for EPCglobal US, the U.S. arm of EPCglobal, a GS1-sponsored organization working to commercialize EPC technology and RFID standards. She says the security features built into the latest EPC tag and reader standard, Class 1 Gen 2, make the air interface protocol very different than the tags and readers used in the Dutch study.

Studies such as the one done at Vrije University are important because "they keep us thinking about these things, and it's of critical importance," says Hutchinson, "but it's a grand leap to say that [what was shown in the study] could happen to EPC tags and readers. ...


More reaction to the RFID Virus paper, including a reasonably accurate (as I read it) description of how the whole study is jury-rigged. I think that the point raised above is still the important one: Don't take for granted that the data in a tag is "clean" and "valid."

... Really, what they're doing is the equivalent of:

1. Designing a barcode system to automatically self-destruct if it ever reads a barcode of 1337 1337, for no reason other than to prove it's dangerous.

2. Broadcasting to the world that the barcode system will self-destruct if it ever reads a barcode of 1337 1337.

3. Intentionally reading a barcode of 1337 1337.

4. Claiming that barcodes are dangerous.

RFID Tags, just like barcodes are just data. Nothing more than data. If you intentionally design a system to be vulnerable to certain data, then intentionally expose the system to that data, then yup, you'll have a problem.

Technorati Tags: ,

References (1)

References allow you to track sources for this article, as well as articles that were written in response to this article.

Reader Comments (1)

You are exactly right -- the only way to make a data-reading system vulnerable is to program it so. Aside from obvious programming mistakes, the key way that such vulnerabilities are created is to allow "active data" -- data that forces the system to execute it.

Web browser vendors opened that Pandora's box in HTML long time ago, albeit with good intentions, and browsers remain vulnerable to this day.

Although at a first glance there is no reason to ever add "active data" in RFID readers, it is very likely to happen. By necessity, most RFID systems -- point-of-sale or not -- are embedded systems. Embedded systems are usually deprived of rich user interfaces and vendors as a rule use any input to the system for programming and configuration. Many bar code readers are programmed with "service" bar codes.

The particular danger in RFID is the ability to do this remotely. For a preview, just think of cell phone firmware upgrades over SMS messages.

Unless there is an explicit "prohibition" in the RFID specs against active data and programmability over the RFID input, I think it is very likely that well-intended vendors will commit the sin. That should not be used as a scare tactic against RFID but the danger should be addressed. It is a fairly easy step and it should be taken.
Mar 27, 2006 at 2:35AM | Unregistered CommenterPeter Nickolov

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
All HTML will be escaped. Hyperlinks will be created for URLs automatically.