18 July 2006

RFID tags as virus carriers -- a bit of RFID FUD.

A recent paper has caused another round privacy and security fears of RFID.

From FreeMarketNews.com :

Tuesday, July 18, 2006 - FreeMarketNews.com

Another new front in computer viruses is on the horizon, all wrapped up in the efforts at "inventory control" at your local retailers. According to a BBC News story, the latest batch of malicious hackers might target Radio Frequency ID tags to attack
computer systems.
Expert security researchers have now successfully infected an RFID tag with a computer virus, thus demonstrating how vulnerable this technology might be to such hackers. They urged tag manufacturers to introduce safeguards to guard against RFID-borne bugs. Andrew Tanenbaum, one of the researchers in the computer science department at Amsterdam's Free University that did the work, reportedly said their efforts were "intended as a wake-up call. We ask the RFID industry to design systems that are secure."
When this story first made the rounds a few weeks ago, I googled around and found the referenced research paper.

It appears that the "virus" exploits a particular application software that interfaces to a particular RFID reader.

The "virus" is SQL database commands embedded in the user data space of an HF RFID transponder. The user data is to contain a data field such as a persons name. For example: instead of "Damon Corbin" the tag contains "Damon Corbin'; UPDATE ContainerContents SET..." or something like that, confusing the application causing unintended or malicious behavior.

The problem isn't with RFID, but with poorly written application code that fails to adequately validate it's input.


Post a Comment

<< Home