Slashdot Mirror
RFID & Viral Vulnerability
Arleo writes "Student Melanie Rieback and others, part of a Tannenbaum research group in Amsterdam, have proven that RFID-tags are vulnerable for infection with viruses. In a research paper titled
"Is Your Cat Infected with a Computer Virus?" is shown how an altered RFID tag can be used to send a SQL injection attack or a buffer overflow. They describe on the rfidvirus.org website possible exploits of this types of viruses: from altering the backoffice of a supermarket to spreading RFID viruses by infected bags on airports."
Fascinating stuff, but it seems that the game plan for protecting against RFID malware is basically the same as protecting against more traditional malware...namely, enforcing proper bounds checking, enforcing proper database permissions heirarchies, disabling back-end scripting languages, isolating the vulnerable RFID middleware server in a proper DMZ environment, etc.
In other words, RFID malware has just as bright a future as the more traditional flavor, since most developers and administrators can't be bothered to take these elementary precautions.
____
~ |rip/\/\aster /\/\onkey
I don't understand why we _have_ to use RFID at all. I understand it may make some things easier, but aren't we efficient enough? In these days where security is becoming more and more of an issue, why even creating another security issue when the old way still works. Is tracking something via a barcode scanning system really so inefficient that we need RFID? I don't understand, we seem to be pretty efficient in most industries already, why do we need to squeeze another cent an hour out by using some new and relatively unproven technology when the old way works just fine?
Judges and senates have been bought for gold; Esteem and love were never to be sold.
I understand that a virus could preform an SQL injection or a buffer over run, but these activities are not what defines a virus.
In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents...-Wikipedia
GENERATION 25: The first time you see this, copy it into your sig on any forum and add 1 to the generation. Social exper
From rfidvirus.org: Here is where the trouble comes in. Up until now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software, and certainly not in a malicious way. Unfortunately, they are wrong. In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionall) infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags. No one thought this possible until now. Later in this website we provide all the details on how to do this and how to defend against it in order to warn the designers of RFID systems not to deploy vulnerable systems.
So to sum up, if some programmer doesn't do his/her job, the RFID tag they plan on implanting in our passports could be used as delivery devices to compromise computer systems around the globe.
I'm going to rate this a pretty big if, though, as we know from all the patching going on, the probability is very high. RFID software is going to have to be thoroughly tested and watched like a hawk. Undoubtedly there's going to come a point where if one or two of these viruses get out and something newsworthy happens (airport computers crash, Citigroup gets credit card data stolen, etc.), the whole idea of RFID tags everywhere is going to get a serious black eye.
GetOuttaMySpace - The Anti-Social Network
An RFID tag is the same as any user input and can not be trusted. When your applications are programmed with this in mind from the start this shouldnt be a problem.
But ofcourse there are nowadays lots of websites which are vurnerable for sql injection and similiar hacks. Even google had a cross site scriptiog exploit.
200GB/2TB $7.95 Coupon: SAVE90DOLLAR
Only if the dimwits writing the RFID reading software are stupid enough to treat all rfid readings as 100% trustable OR does something stupid like allow scripting.
I can see a buffer overflow if your rfid is capable of generating a string massively larger than a normal rfid.
Outside of a SQL injection to get past a really poorly designed RFID reading application or plain stupidity in the RFID reading software part I can not see any way for a RFID to get the host reading PC to execute the code inside it.
It has nothing to do with the "evilness of RFID" and with the stupidity of the backend. An RFID tag is just a string of text. It's up to the backend application to sort it out.
This really is no different than replacing the barcodes on packages.
Tom
Someday, I'll have a real sig.
I think what he's asking is: does the badge record the leaving time as well as the arrival time? This is a problem where I work as well...the badge records when you come in, but doesn't record when you leave, so it doesn't matter if you stay late to finish a project...all the management cares about is when you got there in the morning.
I don't work late anymore.
____
~ |rip/\/\aster /\/\onkey
By itself RFID could be insecure. But you could retain its simplicity and its advantages (extends reading to a couple meters; longer number ID) with a second layer of security.
For example at one urban college library they put the cardholders' face immediately on the screen. The cardholder could have a fake ID or borrowed a friends, but its much harder to fake a face image. And a image is much easier for the guard to process than some descriptive text. Likewise the RFID code reader could flash an image of the product to the cashier or warehouse clerk as secondary identification.
This may be true but I still pay by check though I'm considering moving to cash, just like I do for gas. Cash only.
Yeah, it drives the credit agencies nuts because they can't track my credit history because I almost never have a credit bill (excluding my monthly ISP charge). The best they can do is see that I pay all my bills (electric, cable, etc) on time.
Merchants are certainly stymied because they can't gather enough information on me so they can't send me their snail mail spam.
No, I'm not paranoid. I just hate debt. Debt is evil. It sucks the life out of ones finances and inhibits the accumulation of wealth.
Granted, the current administration doesn't understand this but that's a whole other issue.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
In 2 years you'll get a discount for paying with your card (or pay more for cash, even though they'll still call it a discount).
In 5 years you won't get anything at a huge supermarket chain anymore without card. Won't work? People will refuse to shop there? Think of some of the huge outlets that only let you IN when you got a card and go figure.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Except these dimwits DO treat RFIDs as trustable.
Not 'evil', just dumb. RFID reader is an insecure input device like any other, and you don't even need physical access to use it. But it seems nobody thought of preparing a barcode that could crash the cash register, recording a magnetic card that would infect the security system, etc. Some devices are thought to be too simple to mean danger - wrongly. I remember some old Atari games that would crash or misbehave if you'd open the joystick and pressed "left" and "right" simultaneously. I burnt electronics of a RC toy car by telling it to go forward and back at the same time. Got a motorbike to run backward by starting the engine by pushing it backwards. Managed to crash my cell phone by buffer overflow at battery load level sensor (it WAS a software failure!) Got a CD tray to stop halfway by simultaneously pressing the eject key and sending eject commands from the computer.
A toggle switch can be ballanced in the middle position. A pushbutton can be softly pressed make a spark-gap. Unconnected lines can be shorted. Even a single-bit input device cannot be trusted.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
Scenario: Someone working at the IT department of a shop (thus having inside knowledge of the system) gets fired and wants to harm the shop. The shop will make damn sure that he will not have access to the system afterwards (and let's assume that network access is well protected, too). However, he may well be able to smuggle a malicious RFID tag into the shop. There it lies, unnoticed, until a few days later some unsuspecting customer buys the item thus tagged. As soon as the tag is read by the scanner, the attack happened.
The Tao of math: The numbers you can count are not the real numbers.
"A lot of good comments have already been made here, but I'm surprised nobody has commented yet on something that seems obvious: if you're going to hack into a system, you have to know a little bit about the system first."
You're 100% right, but there will emerge from 1 to 3 dominant vendors of backend RFID systems, and they will be deployed in many places, many people will have knowledge of these systems, and help to learn about their underlying architecture will likely be found right on the vendor's website, or only a couple Google searches away. Like every other system out there, there will be a few weird custom jobs, but most of it will be off-the-shelf software that thousands of organizations use.
Today's theoretical often winds up being tomorrow's practical.