Slashdot Mirror
RFID & Viral Vulnerability
Arleo writes "Student Melanie Rieback and others, part of a Tannenbaum research group in Amsterdam, have proven that RFID-tags are vulnerable for infection with viruses. In a research paper titled
"Is Your Cat Infected with a Computer Virus?" is shown how an altered RFID tag can be used to send a SQL injection attack or a buffer overflow. They describe on the rfidvirus.org website possible exploits of this types of viruses: from altering the backoffice of a supermarket to spreading RFID viruses by infected bags on airports."
Fascinating stuff, but it seems that the game plan for protecting against RFID malware is basically the same as protecting against more traditional malware...namely, enforcing proper bounds checking, enforcing proper database permissions heirarchies, disabling back-end scripting languages, isolating the vulnerable RFID middleware server in a proper DMZ environment, etc.
In other words, RFID malware has just as bright a future as the more traditional flavor, since most developers and administrators can't be bothered to take these elementary precautions.
____
~ |rip/\/\aster /\/\onkey
Student Melanie Rieback and others, part of a Tannenbaum research group in Amsterdam, have proven that RFID-tags are vulnerable for infection with viruses.
American oak tree research groups and Swedish aspen tree research groups have responded by working around the clock to fix this security hole. Never before have groups centered on deciduous trees been so involved in computer security.
My work here is dung.
I don't understand why we _have_ to use RFID at all. I understand it may make some things easier, but aren't we efficient enough? In these days where security is becoming more and more of an issue, why even creating another security issue when the old way still works. Is tracking something via a barcode scanning system really so inefficient that we need RFID? I don't understand, we seem to be pretty efficient in most industries already, why do we need to squeeze another cent an hour out by using some new and relatively unproven technology when the old way works just fine?
Judges and senates have been bought for gold; Esteem and love were never to be sold.
My company is rolling out RFID badges for all staff to streamline our security and help reduce the amount of late employees etc - is this something that could be a problem or is it just theoretical?
Realy how is this diffrent from an email virus? it's not like they can reprogram "good" RFID tags into "bad" ones can they?
I don't give a damn for a man that can only spell a word one way.
Mark Twain
April 1st is still a couple of weeks away
I understand that a virus could preform an SQL injection or a buffer over run, but these activities are not what defines a virus.
In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents...-Wikipedia
GENERATION 25: The first time you see this, copy it into your sig on any forum and add 1 to the generation. Social exper
From rfidvirus.org: Here is where the trouble comes in. Up until now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software, and certainly not in a malicious way. Unfortunately, they are wrong. In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionall) infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags. No one thought this possible until now. Later in this website we provide all the details on how to do this and how to defend against it in order to warn the designers of RFID systems not to deploy vulnerable systems.
So to sum up, if some programmer doesn't do his/her job, the RFID tag they plan on implanting in our passports could be used as delivery devices to compromise computer systems around the globe.
I'm going to rate this a pretty big if, though, as we know from all the patching going on, the probability is very high. RFID software is going to have to be thoroughly tested and watched like a hawk. Undoubtedly there's going to come a point where if one or two of these viruses get out and something newsworthy happens (airport computers crash, Citigroup gets credit card data stolen, etc.), the whole idea of RFID tags everywhere is going to get a serious black eye.
GetOuttaMySpace - The Anti-Social Network
-- Bridget
Cashier: Um, $1 for 2 steaks? That can't be right.
Me: Sure it is. Look at the sticker. 50 cents a pound. The steaks weigh two pounds thus $1 for two steaks. Mad cow and all that.
Cashier: Ok, if the sticker says so, it must be right. *scan* *beep!* *scan* *beep!* *scan* *beep!*
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
"the virus on its tag infects the supermarket's product database, potentially wreaking all kinds of havoc such as changing prices."
Free beer anyone?
An RFID tag is the same as any user input and can not be trusted. When your applications are programmed with this in mind from the start this shouldnt be a problem.
But ofcourse there are nowadays lots of websites which are vurnerable for sql injection and similiar hacks. Even google had a cross site scriptiog exploit.
200GB/2TB $7.95 Coupon: SAVE90DOLLAR
everywhere, but not a single one which is in my control.
They called me mad, and I called them mad, and damn them, they outvoted me. -Nathaniel Lee
I swear it's on sale! $9.99 a case, just check the RFID tag!
I'll take 10 please.
He who knows best knows how little he knows. - Thomas Jefferson
Totally fascinating... so in the near future we can expect the airport/supermarket security to immediately arrest anyone with a working IPAQ =)
Seriously thou, think of the implications! You could actually increase all the pricetags at your local Wallmarrt...
http://www.automatiq.se
Only if the dimwits writing the RFID reading software are stupid enough to treat all rfid readings as 100% trustable OR does something stupid like allow scripting.
I can see a buffer overflow if your rfid is capable of generating a string massively larger than a normal rfid.
Outside of a SQL injection to get past a really poorly designed RFID reading application or plain stupidity in the RFID reading software part I can not see any way for a RFID to get the host reading PC to execute the code inside it.
I imagine in the future rfid-kiddies will have bot-nets of them causing large scale DDOS attacks on our wallets =)
It has nothing to do with the "evilness of RFID" and with the stupidity of the backend. An RFID tag is just a string of text. It's up to the backend application to sort it out.
This really is no different than replacing the barcodes on packages.
Tom
Someday, I'll have a real sig.
When he opens his box and finds that the poison is not let out, but the cat is still not alive (um, probably "dead anyway", to avoid unnecessary confusion in this matter (i.e., it won't suddenly "quantum wake up")) after having catched a RFID virus.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
Hmmm... on the other hand he is the one who first wrote about that dangerous hacker Kevin Mitnick...
...richie - It is a good day to code.
An SQL injection. Fine. OF COURSE it works if the backend application is written by some coder who has heard a few things 'bout SQL but has no idea of injections.
It's the backend that's the risk. Not the RFID tag.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
By itself RFID could be insecure. But you could retain its simplicity and its advantages (extends reading to a couple meters; longer number ID) with a second layer of security.
For example at one urban college library they put the cardholders' face immediately on the screen. The cardholder could have a fake ID or borrowed a friends, but its much harder to fake a face image. And a image is much easier for the guard to process than some descriptive text. Likewise the RFID code reader could flash an image of the product to the cashier or warehouse clerk as secondary identification.
Someone has to write a virus to completely screw up a crappily implemented system. Therefore, finally we may be able to attain the holy grail : free (as in beer) beer!
Good to know that the Mark of the Beast will be an insecure Mark indeed! Hell, I might even be able to hack it into a meer Mark of the Small Furry Critter.
Except these dimwits DO treat RFIDs as trustable.
Not 'evil', just dumb. RFID reader is an insecure input device like any other, and you don't even need physical access to use it. But it seems nobody thought of preparing a barcode that could crash the cash register, recording a magnetic card that would infect the security system, etc. Some devices are thought to be too simple to mean danger - wrongly. I remember some old Atari games that would crash or misbehave if you'd open the joystick and pressed "left" and "right" simultaneously. I burnt electronics of a RC toy car by telling it to go forward and back at the same time. Got a motorbike to run backward by starting the engine by pushing it backwards. Managed to crash my cell phone by buffer overflow at battery load level sensor (it WAS a software failure!) Got a CD tray to stop halfway by simultaneously pressing the eject key and sending eject commands from the computer.
A toggle switch can be ballanced in the middle position. A pushbutton can be softly pressed make a spark-gap. Unconnected lines can be shorted. Even a single-bit input device cannot be trusted.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
A lot of good comments have already been made here, but I'm surprised nobody has commented yet on something that seems obvious: if you're going to hack into a system, you have to know a little bit about the system first. You can't simply design some buffer overflow exploit and trust it will "hack" the back-end system. That seems awful "Independence Day"-ish - you know, writing a virus here on Earth that somehow magically attacks and shuts down an alien computer system. Makes for exciting movies (if you're not minimally smart about computers) but it never works in the real world.
In this case, it seems to me that if you know enough about both ends of the process, sure, you can develop some method to penetrate the system. Most malware authors have the benefit of working on a very well-known platform - the Windows PC - with known software (one of the limited numbers of email or browser programs). But attacking a back-end system like this is a much more dicey proposition - each large corporation probably will have its own back end, and may be running any of a dozen OS-and-database combinations.
So to benefit from this attack, it seems to me that the author has to be an insider to stand a ghost of a chance of success. If he's an insider, there are MUCH easier ways to penetrate the system.
As a result, while I have great concerns about RFID, this strikes me as FUD.
1) Develop complicated, application-specific RFID attack that would never be real-world useful
2) Write research paper spreading more fear about RFID
3) PROFIT! (or at least get a lot of attention)
--Brandon / Split Infinity Music
The problem I have with the idea of an RFID virus is that most RFID middleware is based on either .NET or Java. I'm not saying it's impossible but the prospect to propagating a virus by RFID tag becomes a whole lot harder if they have to put MSIL or Java bytecode on the tag. I've developed a few RFID applications and all of the incoming RFID data are numbers (e.g. id: 12345) and I just look that information up in a database. It's not like I'm storing "SELECT * FROM table WHERE id = 12345" on the tag and then executing it blindly.
Oh, a lesson in history from Mr. I'm my own grandpa.
Simply disinfect the offending device with a RFID zapper . Oh, wait...
Security researchers have discovered that accepting input from a webpage can expose you to viruses if your webserver software is vunerable to viruses.
Andrew S. Tanenbaum to be exact.
This has to be one of the most ridiculous pieces of headline-grabbing misinformation I've ever seen - their 'scenarios' are so contrived as to be completely laughable. Unfortunately this is just the sort of junk that the avarage idiot jounalist latches onto to further spread misinformation and nonsense.
You could write similar 'scenarios' with barcodes, but nobody would notice, just becasue some ignorant people seem to theing RFID is some kind of magic, they will probably believe this and the industry will likely suffer damage as a result.
These are all RFID in action saving you money. They save you money because they save truckers money;
d =57,1302257,57_1302270&_dad=portal&_schema=PORTAL
http://www.illinoistollway.com/portal/page?_pagei
http://www.ezpassde.com/
http://www.sunpass.com/
http://www.prepass.com/
Weight in motion, which usually uses RFID;
http://science.howstuffworks.com/question626.htm
We've been doing RFID since 1996. It's not new technology. We are just talking about new applications.
the difference between 'Deutsch' and 'Dutch'.
Trust me, I work for the government.
The article is crap. More clueless acedmia. Hello - did anyone at this prestigous institute actually TRY to write a virus for the RFID tag? The article implies they might have. But, frankly, i doubt it - as an RFID tag has about 256 bytes of capacity. Wow, what horrible evil virus could be unleashed in 256 bytes.
Fouling up sloppy backend SQL code is one thing. Implying that my infected cat will slow to a crawl, barf up pr0n-storm hairballs and begin all night cries of "Viagra! Cialis!" because of its RFID tag is just rediculous.
The only PT Boat Journal on the web: http://www.PT171.org
With Bluetooth enabled vehicles and RFID national/state ID cards coming into the picture, this might be the first time where a drivers license actually causes a person's car to crash! (pun)
-@
Move all sig!
When will data-as-code die already? SQL injection, shell escaping vulerabilities, buffer-overflow attacks leading to arbitrary code execution, etc... All of these reflect ignorance of one common security principle: SEPARATE DATA FROM CODE.
We can eliminate all of these if the structure of the code is immutable with respect to the data it manipulates.
That's not to say that buffer overruns or corrupt data couldn't cause other mischief. But, at the very least, you could actually prove the mathematical correctness of your program if you can guarantee that the code you see in the source (and the libraries it links) is the only code that can execute. If a data input could become part of the code, all bets are off.
The fact that SQL queries are held in strings and look like data to the host programming environment is bad design from a security standpoint. A similar statement can be made for shell scripts. The fact that the semantics of a shell statement (such as "what commands are present") aren't known until after variable expansion has lead to how much havoc?
Now, I suppose some of you might read this as "Well, you can't write provably correct interpreters then!" Not true. The interpreter itself must treat all of the interpreted program as data and keep it separate from the interpreter's code. e.g. I shouldn't be able to subvert bash's internal programming with a shell script. In the interpreted language, none of the data manipulated by the interpreted language should ever be able to become part of the interpreted program—e.g. no input to a shell script should ever become part of the shell script's programming. As long as you construct those barriers—that the data manipulated by one layer of programming is never considered code at that same layer of programming—you eliminate these data-as-code attacks at that layer.
--JoeProgram Intellivision!
There is nothing viral about this story. It is just an RFID reader buffer overflow vulnerability. There may only ever be one tag involved in an attack; only the RFID reader software is affected, not other tags.
Why do the editors approve stories with such blatant buzzword abuse?
Question everything
--------
HELLO, My Name is
";UPDATE Users SET name = "nuzak";
--------
Now you are all nuzak.
Done with slashdot, done with nerds, getting a life.
First I want to state I did RTFA, and it does make a lot of assumptions about RFID middleware. However, as stated previously, these assumptions can be applied to any system that interprets data from an external source (SQL servers, web services, etc.).
I've worked with three different makes/models of RFID readers and their associated tags (both passive and active), all of which use only alpha numerics in their ID scheme. A simple check that the incoming data adheres to this rule will eliminate the possibility that symbols such as apostrophes, parenthesis, and semi-colons can be inserted. Also, all of the ones I've used do not send the RFID tag as text. They store the tag as bytes. In software I've worked on, they were converted to hex to further reduce the possibility of malicious data being picked up. Furthermore, their size is extremely limited, being only four bytes each.
Also, the SQL examples presented by this article assume all SQL servers adhere to the same SQL syntax. For a solution with multiple possible database back-ends, this hack would only work in some cases.
Admittedly, I cannot speak to systems which pass the tags as text, which is what this article appears to primarily focus on. However, for anybody with half-a-conceren about security, this article is a big, fat DUH! Hopefully all developers (not just RFID) have more than half-a-concern about security.
We have finally discovered the beast of the apocalypse! A sentient computer virus spread by rfid! NANO NANO neener
Now every store is a dollar store! :)
Sorry, I can reliably inform you that Mr Tanenbaum was amused that you could not get his name right.. As they say; it does not matter what they write as long as they get the name right.. :)
I always assumed that sql-injection was only useful if the attacker could guess something about the database tables. Then I went to a presentation by a white-hat hacker, who showed us how to use sql-injection to read the system tables and suck down an entire database automatically. Then he showed us a script that googled for potentially vulnerable servers and tried that hack against them. He said phishing is for amateurs...organized crime groups in Russia are using scripts like this to suck down databases on a massive scale so they can sift through them later.
Not directly analogous, I know, but I gained a new respect for zero-knowledge attacks.
My original understanding of RFID was that it was just one really long (96 bits or longer) ID (number) and nothing else. I didn't realize there was any way to STORE information on the RFID tag.
Now I'm more concerned with RFID that I was originally. If it was just an immutable ID then I only see privacy concerns, but not "hacking" concerns from the RFID tag itself.
Since evidently some versions can actually store user data then this opens it up to a whole new class of problems.