01 November 2006

Back a few months ago I wrote "RFID tags as virus carriers -- a bit of RFID FUD".

Joel on Software has a related article -- and describes this type of database exploitation as an SQL Injection Bug.
"Unfortunately it's a gigantic security hole called SQL injection.

The user, if malicious, can close the string that you opened, finish your select statement, put in a semicolon (the SQL statement separator), and then type any SQL code they want, and it will run."

In the "RFID virus" case, the user places the malicious code on the RFID tag and relies on the RFID reader to present it to the host application unfiltered.

Joel's description is much more accurate but less headline-grabbing than: "RFID Virus capable of spreading to other tags and infecting your inventorying system".
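The unfiltered-tag case described above, as an added example that is not code from this post or from Joel's article: a host application that pastes tag data into its SQL text, beside a version that filters the tag and binds it as a parameter. The table names, the 24-hex-digit tag format, the sample tag values and the use of `executescript()` to stand in for a driver that accepts several statements per call are all assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample data: one well-formed tag ID and one tag whose contents
# close the string literal and append a second statement.
GOOD_TAG = "3034257BF400B7800004CB2F"
BAD_TAG = "x'); DELETE FROM inventory; --"
TAG_FORMAT = re.compile(r"[0-9A-F]{24}")  # assumed format: 96-bit ID as hex


def new_db():
    # Hypothetical host-application schema, built in memory.
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE inventory (item TEXT);"
        "CREATE TABLE scans (tag TEXT);"
        "INSERT INTO inventory VALUES ('pallet-1'), ('pallet-2');"
    )
    return db


def record_scan_vulnerable(db, tag):
    # Tag data becomes part of the SQL text. executescript() stands in for
    # a driver that runs several ';'-separated statements in one call.
    db.executescript(f"INSERT INTO scans (tag) VALUES ('{tag}');")


def record_scan_safe(db, tag):
    # Filter what the reader hands over, then bind it as a parameter so it
    # is only ever treated as data, never as SQL text.
    if not TAG_FORMAT.fullmatch(tag):
        raise ValueError("tag data does not match the expected ID format")
    db.execute("INSERT INTO scans (tag) VALUES (?)", (tag,))


def inventory_rows(db):
    return db.execute("SELECT COUNT(*) FROM inventory").fetchone()[0]


def demo():
    hit, ok = new_db(), new_db()
    record_scan_vulnerable(hit, BAD_TAG)  # the appended statement runs
    record_scan_safe(ok, GOOD_TAG)
    return inventory_rows(hit), inventory_rows(ok)


if __name__ == "__main__":
    print(demo())
```

The parameter binding is what closes the hole; the format check is an extra filter at the reader boundary that rejects malformed tags before they reach the database.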
