RFID & Viral Vulnerability
Arleo writes "Student Melanie Rieback and others, part of a Tanenbaum research group in Amsterdam, have proven that RFID tags are vulnerable to infection with viruses. In a research paper titled
"Is Your Cat Infected with a Computer Virus?" it is shown how an altered RFID tag can be used to send a SQL injection attack or a buffer overflow. They describe on the rfidvirus.org website possible exploits of these types of viruses: from altering the back office of a supermarket to spreading RFID viruses by infected bags at airports."
Fascinating stuff, but it seems that the game plan for protecting against RFID malware is basically the same as protecting against more traditional malware...namely, enforcing proper bounds checking, enforcing proper database permission hierarchies, disabling back-end scripting languages, isolating the vulnerable RFID middleware server in a proper DMZ environment, etc.
In other words, RFID malware has just as bright a future as the more traditional flavor, since most developers and administrators can't be bothered to take these elementary precautions.
____
~ |rip/\/\aster /\/\onkey
Student Melanie Rieback and others, part of a Tanenbaum research group in Amsterdam, have proven that RFID tags are vulnerable to infection with viruses.
American oak tree research groups and Swedish aspen tree research groups have responded by working around the clock to fix this security hole. Never before have groups centered on deciduous trees been so involved in computer security.
My work here is dung.
I don't understand why we _have_ to use RFID at all. I understand it may make some things easier, but aren't we efficient enough? In these days where security is becoming more and more of an issue, why even creating another security issue when the old way still works. Is tracking something via a barcode scanning system really so inefficient that we need RFID? I don't understand, we seem to be pretty efficient in most industries already, why do we need to squeeze another cent an hour out by using some new and relatively unproven technology when the old way works just fine?
Judges and senates have been bought for gold; Esteem and love were never to be sold.
From rfidvirus.org: Here is where the trouble comes in. Up until now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software, and certainly not in a malicious way. Unfortunately, they are wrong. In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionally) infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags. No one thought this possible until now. Later in this website we provide all the details on how to do this and how to defend against it in order to warn the designers of RFID systems not to deploy vulnerable systems.
So to sum up, if some programmer doesn't do his/her job, the RFID tag they plan on implanting in our passports could be used as delivery devices to compromise computer systems around the globe.
I'm going to rate this a pretty big if, though, as we know from all the patching going on, the probability is very high. RFID software is going to have to be thoroughly tested and watched like a hawk. Undoubtedly there's going to come a point where if one or two of these viruses get out and something newsworthy happens (airport computers crash, Citigroup gets credit card data stolen, etc.), the whole idea of RFID tags everywhere is going to get a serious black eye.
GetOuttaMySpace - The Anti-Social Network
"the virus on its tag infects the supermarket's product database, potentially wreaking all kinds of havoc such as changing prices."
Free beer anyone?
An RFID tag is the same as any user input and cannot be trusted. When your applications are programmed with this in mind from the start this shouldn't be a problem.
But of course there are nowadays lots of websites which are vulnerable to SQL injection and similar hacks. Even Google had a cross-site scripting exploit.
200GB/2TB $7.95 Coupon: SAVE90DOLLAR
If the SQL injection or buffer overrun instructs the middleware system to overwrite all RFID tags subsequently scanned with the exploit code, that's pretty self-replicating, isn't it?
____
~ |rip/\/\aster /\/\onkey
Only if the dimwits writing the RFID reading software are stupid enough to treat all RFID readings as 100% trustable OR do something stupid like allow scripting.
I can see a buffer overflow if your RFID is capable of generating a string massively larger than a normal RFID.
Outside of a SQL injection to get past a really poorly designed RFID reading application or plain stupidity in the RFID reading software part I cannot see any way for an RFID to get the host reading PC to execute the code inside it.
It has nothing to do with the "evilness of RFID" and with the stupidity of the backend. An RFID tag is just a string of text. It's up to the backend application to sort it out.
This really is no different than replacing the barcodes on packages.
Tom
Someday, I'll have a real sig.
I think what he's asking is: does the badge record the leaving time as well as the arrival time? This is a problem where I work as well...the badge records when you come in, but doesn't record when you leave, so it doesn't matter if you stay late to finish a project...all the management cares about is when you got there in the morning.
I don't work late anymore.
____
~ |rip/\/\aster /\/\onkey
When he opens his box and finds that the poison is not let out, but the cat is still not alive (um, probably "dead anyway", to avoid unnecessary confusion in this matter (i.e., it won't suddenly "quantum wake up")) after having caught an RFID virus.
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
This may be true but I still pay by check though I'm considering moving to cash, just like I do for gas. Cash only.
Yeah, it drives the credit agencies nuts because they can't track my credit history because I almost never have a credit bill (excluding my monthly ISP charge). The best they can do is see that I pay all my bills (electric, cable, etc) on time.
Merchants are certainly stymied because they can't gather enough information on me so they can't send me their snail mail spam.
No, I'm not paranoid. I just hate debt. Debt is evil. It sucks the life out of ones finances and inhibits the accumulation of wealth.
Granted, the current administration doesn't understand this but that's a whole other issue.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Good to know that the Mark of the Beast will be an insecure Mark indeed! Hell, I might even be able to hack it into a mere Mark of the Small Furry Critter.
In 2 years you'll get a discount for paying with your card (or pay more for cash, even though they'll still call it a discount).
In 5 years you won't get anything at a huge supermarket chain anymore without a card. Won't work? People will refuse to shop there? Think of some of the huge outlets that only let you IN when you've got a card and go figure.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Except these dimwits DO treat RFIDs as trustable.
Not 'evil', just dumb. RFID reader is an insecure input device like any other, and you don't even need physical access to use it. But it seems nobody thought of preparing a barcode that could crash the cash register, recording a magnetic card that would infect the security system, etc. Some devices are thought to be too simple to mean danger - wrongly. I remember some old Atari games that would crash or misbehave if you'd open the joystick and pressed "left" and "right" simultaneously. I burnt electronics of a RC toy car by telling it to go forward and back at the same time. Got a motorbike to run backward by starting the engine by pushing it backwards. Managed to crash my cell phone by buffer overflow at battery load level sensor (it WAS a software failure!) Got a CD tray to stop halfway by simultaneously pressing the eject key and sending eject commands from the computer.
A toggle switch can be balanced in the middle position. A pushbutton can be softly pressed to make a spark-gap. Unconnected lines can be shorted. Even a single-bit input device cannot be trusted.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
A lot of good comments have already been made here, but I'm surprised nobody has commented yet on something that seems obvious: if you're going to hack into a system, you have to know a little bit about the system first. You can't simply design some buffer overflow exploit and trust it will "hack" the back-end system. That seems awfully "Independence Day"-ish - you know, writing a virus here on Earth that somehow magically attacks and shuts down an alien computer system. Makes for exciting movies (if you're not minimally smart about computers) but it never works in the real world.
In this case, it seems to me that if you know enough about both ends of the process, sure, you can develop some method to penetrate the system. Most malware authors have the benefit of working on a very well-known platform - the Windows PC - with known software (one of the limited numbers of email or browser programs). But attacking a back-end system like this is a much more dicey proposition - each large corporation probably will have its own back end, and may be running any of a dozen OS-and-database combinations.
So to benefit from this attack, it seems to me that the author has to be an insider to stand a ghost of a chance of success. If he's an insider, there are MUCH easier ways to penetrate the system.
As a result, while I have great concerns about RFID, this strikes me as FUD.
1) Develop complicated, application-specific RFID attack that would never be real-world useful
2) Write research paper spreading more fear about RFID
3) PROFIT! (or at least get a lot of attention)
--Brandon / Split Infinity Music
A virus is a self-replicating program that spreads by inserting copies of itself into other executable code.
From the linked pdf: To prove our point, this paper will present the first self-replicating RFID virus.
So, um, yeah. Maybe, just maybe, you should RTFA. I know, I know. Pipedream.
Your sig(k) has been stolen. There is a puff of smoke!
I'm not sure you understand how RFID tags work. There are a variety of standards on how RFID tags are encoded, all of which break down into partitioning the tag's data into segments to form the unique identifier.
For the sake of argument I'll use EPC SGTIN-96. The SGTIN tag has four partitions: Filter, Company Prefix, Item Reference, and Serial Number. Each of these fields is of varying size depending on how big the tag is. Typically RFID tags are 96 bits (although some tags can get up to 1 Kbit); even using 7-bit ASCII there's not a whole lot you can fit in 96 bits. When I poll the reader, or the middleware, I'm getting back a number, e.g. 12345, and it's my responsibility to parse through that number to get the fields I'm interested in. In this scenario I would have to be doing some *very* sloppy programming to open myself to an SQL injection attack (something along the lines of treating known numeric data as a string).
ISO and EPC Gen 2 tags do support custom data, which I suppose could be used to store strings, but since it is severely space constrained (typically in the range of 2-32 bytes) I question the viability of such an attack. Not to mention that the field will likely be used for writing ids instead of human readable data. Finally, it is common to encrypt the custom payload on an RFID tag. So even if somebody were to change it to "AND 1 = 1" it would be caught when the program tries to decrypt the tag.
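An added example, not code from this thread or from the rfidvirus.org paper, showing the "a tag is just untrusted input" handling that the comment above and the earlier "same as any user input" comment describe: it decodes an SGTIN-96 EPC into fixed-width integer fields using the partition table from the EPC Tag Data Standard, rejects malformed tags, and binds the decoded integers as query parameters rather than building SQL from tag text. The products table and its schema are a constructed stand-in for a back-end database.

```python
import sqlite3

# SGTIN-96 partition table from the EPC Tag Data Standard (not from this thread):
# partition -> (company prefix bits, its max digits, item reference bits, its max digits)
PARTITIONS = {0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3), 3: (30, 9, 14, 4),
              4: (27, 8, 17, 5), 5: (24, 7, 20, 6), 6: (20, 6, 24, 7)}
HEADER, SERIAL_BITS = 0x30, 38   # 8-bit scheme header, 38-bit serial number

def encode_sgtin96(filt, partition, company_prefix, item_reference, serial):
    """Pack fields into a 24-hex-char EPC; used here only to build constructed sample tags."""
    ir_bits = PARTITIONS[partition][2]
    epc = (HEADER << 88) | (filt << 85) | (partition << 82)
    epc |= (company_prefix << (SERIAL_BITS + ir_bits)) | (item_reference << SERIAL_BITS) | serial
    return f"{epc:024X}"

def decode_sgtin96(epc_hex):
    """Split a 96-bit EPC into fixed-width integer fields, rejecting anything malformed.
    Nothing read from the tag is ever treated as free-form text."""
    if len(epc_hex) != 24:
        raise ValueError("SGTIN-96 is exactly 96 bits (24 hex characters)")
    epc = int(epc_hex, 16)                 # non-hex tag data fails here
    if epc >> 88 != HEADER:
        raise ValueError("not an SGTIN-96 header")
    filt, partition = (epc >> 85) & 0x7, (epc >> 82) & 0x7
    if partition not in PARTITIONS:
        raise ValueError("reserved partition value")
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    company_prefix = (epc >> (SERIAL_BITS + ir_bits)) & ((1 << cp_bits) - 1)
    item_reference = (epc >> SERIAL_BITS) & ((1 << ir_bits) - 1)
    # Each bit field is wider than the decimal range it encodes; over-range means a malformed tag.
    if company_prefix >= 10 ** cp_digits or item_reference >= 10 ** ir_digits:
        raise ValueError("field exceeds its decimal capacity")
    return {"filter": filt, "company_prefix": company_prefix,
            "item_reference": item_reference, "serial": epc & ((1 << SERIAL_BITS) - 1)}

def lookup_price(conn, epc_hex):
    """Back-end lookup: decoded integers are bound as parameters, never concatenated into SQL."""
    f = decode_sgtin96(epc_hex)
    row = conn.execute("SELECT price FROM products WHERE company_prefix = ? AND item_reference = ?",
                       (f["company_prefix"], f["item_reference"])).fetchone()
    return row[0] if row else None

def demo_db():
    """Constructed in-memory product table (hypothetical schema) so the block runs stand-alone."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (company_prefix INTEGER, item_reference INTEGER, price REAL)")
    conn.execute("INSERT INTO products VALUES (614141, 812345, 2.49)")
    return conn
```

A tag whose custom payload carries text such as the "AND 1 = 1" mentioned above never reaches the query: it fails the hex parse, and a well-formed tag only ever yields integers.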
Oh, a lesson in history from Mr. I'm my own grandpa.