InformationWeek's carrying a Reuters article that mystifies me. I can understand that if an RFID tag is used to retain volatile information that, later, might be used in other calculations, transforms, etc. AND the villain of the piece has intimate knowledge of that application, it would be possible to throw data into the volatile storage that might gum up the works.
I can also understand that if RFID tags are "programmable" in the field, an erroneous EPC number could be inserted into the tag, inadvertently or intentionally, with the result that the database (once again) contains invalid information (and potentially, you're charged the going rate for toothpaste when buying a bottle of wine, since it has the same effect as a mis-tagged item).
But, a virus? That infects other RFID tags? I gotta see this paper.
Radio Chip Barcodes Can Carry A Virus: Scientists
March 15, 2006
AMSTERDAM (Reuters) - Cheap radio chips that are replacing the ubiquitous barcode are a threat to privacy and susceptible to computer viruses, scientists at a Dutch university said on Wednesday.
Researchers at Amsterdam's Free University created a radio frequency identity (RFID) chip infected with a virus to prove that RFID systems are vulnerable despite the extremely low memory capacity on the cheap chips.
The problem is that an infected RFID tag, which is read wirelessly when it passes through a scanning gate, can upset the database that processes the information on the chip, says the study by Melanie Rieback, Bruno Crispo and Andrew Tanenbaum.
"Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong," the scientists said in a paper.
"An RFID tag can be infected with a virus and this virus can infect the back-end database used by the RFID software. From there it can be easily spread to other RFID tags," they said.
As a result, it is possible that criminals or militants could use an infected RFID tag to upset airline baggage handling systems with potentially devastating consequences, they said.
The same technology could also be used to wreak havoc with the databases used by supermarkets.
"This is intended as a wake-up call. We ask the RFID industry to design systems that are secure," Tanenbaum said in a telephone interview." ...
Update:
OK, I've downloaded their paper and read through the website. Their point, and it's a good one, though overblown, is that RFID, like any system that elicits input that goes to a database system, must be considered as containing attempted "exploits." If I were to do a "global replace" on their discussion of threats and exploits, replacing RFID with elicitation of data from users of the public internet using web browsers, the argument would be just as valid.
There are ways of pointing out that Best Practice in coding back-office software should always do a validation check on the input data before "committing" it to the system. This is an application software issue... not an issue specific to RFID.
If the point of this website and article is to point out that the data embodied in an RFID chip must NOT be considered already validated, they should have said so. If it was a fair study, by pointing up the potential threat, they should also point out that it is best practice to examine RFID-resident data for either inadvertent or intentional threats to the back-office software systems. They should have and could have said that without the sky-is-falling-and-RFID-is-inherently-unsafe hoopla.
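The validation check argued for above, sketched as an added example (not code from the paper or from any RFID middleware): tag data is treated as untrusted, checked against an allowlist format, and written only through bound parameters. The 24-hex-digit EPC format, the table names and the sample reads are assumptions constructed for illustration.

```python
import re
import sqlite3

# Assumption for this example: a tag's data field is a 96-bit EPC
# rendered as exactly 24 hexadecimal characters.
EPC_RE = re.compile(r"[0-9A-Fa-f]{24}")

def parse_tag(raw: bytes) -> str:
    """Return a normalised EPC, or raise ValueError for anything else."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII tag data") from None
    if not EPC_RE.fullmatch(text):
        raise ValueError("tag data is not a 24-hex-digit EPC")
    return text.upper()

def record_reads(db, reads):
    """Store valid reads; quarantine the rest. Returns (stored, rejected)."""
    stored = rejected = 0
    for gate, raw in reads:
        try:
            epc = parse_tag(raw)
        except ValueError as err:
            # Bound parameters: rejected bytes are stored as data, never as SQL.
            db.execute("INSERT INTO rejected(gate, raw, reason) VALUES (?, ?, ?)",
                       (gate, raw, str(err)))
            rejected += 1
            continue
        db.execute("INSERT INTO scans(gate, epc) VALUES (?, ?)", (gate, epc))
        stored += 1
    db.commit()
    return stored, rejected

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE scans(gate TEXT, epc TEXT)")
    db.execute("CREATE TABLE rejected(gate TEXT, raw BLOB, reason TEXT)")
    # Constructed sample reads, not captured from real tags.
    reads = [
        ("gate-1", b"3034257bf400b7800004cb2f"),     # well-formed EPC
        ("gate-1", b"x'; UPDATE scans SET epc='0"),  # SQL metacharacters
        ("gate-2", b"3034257BF400B78"),              # truncated read
        ("gate-2", b"\xff\xfe\x00\x01"),             # binary junk
    ]
    counts = record_reads(db, reads)
    return counts, db.execute("SELECT gate, epc FROM scans").fetchall()

if __name__ == "__main__":
    print(demo())
```

Keeping the rejected reads in their own table gives operators a record of malformed or hostile tags per gate, which is where a mis-programmed or tampered tag would first show up.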