Slashdot Mirror
Virus Jumps to RFID
MrShaggy writes "According to a BBC article, researchers have been able to make the jump between RFID tags and viruses. They found that the mere act of scanning a mere 127 bytes could cause an attack vector that would corrupt databases. From the article;'"This is intended as a wake-up call," said Andrew Tanenbaum, one of the researchers in the computer science department at Amsterdam's Free University that did the work revealing the weaknesses on smart tags.
"We ask the RFID industry to design systems that are secure," he said.'"
Hang on a minute, in this case the tag is not the problem.
It is the software running on the host machine which does not validate the data coming from the tag that has major issues.
If I can corrupt a database by entering an invalid lookup code then theres something severely fucked up.
My bet is its something like the sql injection attacks we see on the web, and you don't see people blaming the input box in those cases.
quote from the article:
In some cases, said the researchers, viruses could be spread by household pets such as cats and dogs that are injected with the tags to help identify their owner.
The pets aren't going to be spreading this "virus" themselves its not sexually transmitted, it cannot be passed by rubbing up against your leg. It will be the vets computer which gets infected because of crappy validation.
MEOOOOOOOOEEEEEEEEOOOOOOOOOOOWWWWWWWWWWWWW!
Charlie says: always validate your external inputs before doing any data processing.
Smart tags, dumb research.
(and thats coming from someone who doesn't like RFID)
liqbase
They could have been sued for violation of the DMCA. We don't want any weaknesses exposed by researchers in the early stages... we'd rather have them exposed maliciously after its too late!
http://religiousfreaks.com/This is a good example of how people will sometimes trust data that isn't trustworthy at all.
I'd be willing to bet that someone with enough cleverness and free time could come up with a 'credit card virus' that could compromise specific vulnerable payment systems/credit card processing devices when swiped. For all we know, there may already be such exploits out there now. At least in the case of credit card processing, it's financial code so hopefully there are some stringent security processes along with multiple layers of verification, but still - pretty scary to think about.
using namespace slashdot;
troll::post();
If you merely store and read data - ANY DATA - and do not interpret it, it cannot carry a virus.
The minute you start interpreting data you have to treat it as potentially hostile. This goes for computers AND people. There's not much difference between a "hostile" data-set that the attacker knows will be interpreted as SQL code that he can use to corrupt an automated-supply-ordering system, a hostile data set that the attacker knows will be interpreted as a false we-are-low-on-inventory-order-more or we-have-enough-inventory-don't-order-more tag by a an automated-ordering system, and a hostile data set that the attacker knows will cause a human being to falsely think inventory is low or high and act accordingly.
BTW, the latter is easy enough to do: replace RFID tags that say "quantity 1 unit" with "quantity 1 pallet of 200 units" or vice-versa and hope no input-validating-computer or -person notices.
To borrow a phrase, "Garbage in, garbage out."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
As much as I distrust RFIDs, and as much as I detest the way they are being used, this is a problem of the backend, not the RFID itself. It's an ancient problem of databases with data injection that has been used for years now, on the internet, to inject data into online databases or to mess with them generally.
It's not really new news either. I think I remember that report from about a year ago when RFIDs in our passports became an issue and Tanenbaum raised those concerns. So is this something new or do the old news get repeated for a lack of anything new?
Must be summer, all the politicians are on holiday...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Just imagine what they could do with a mere half a megabyte.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
How's about "programmer dumbass attack"? Seems quite apt, to me. Any programmer worth his salt knows that he has to check for invalid data, yet so many software developers (both open source and closed source) let code go to production levels that fails to perform even the most basic of validations.
Maybe we need to send a bunch of programmers back to basic training! "Security boot camp"! Only let's make it real tough: make them all write basic currency conversion programs and for every piece of invalid data that makes it through without being validated, that program's author loses a finger! That'll teach 'em!
My blog
Absolutely. This is just like the Windows JPEG "virus" that was due to buggy JPEG parsing. Describing RFIDs as an attack vector is appropriate, but inert data can not be a virus.
Inert data can certainly be a virus: that's especially true in biology, where the entire virus metaphor arose in the first place. After all, virus is an piece of inert genetic data. When in contact with a live host, it alters the behaviour of the host; but without a host system to carry it, viruses are inert. Some people like to characterize them as the boundry case between "living" and "non-living": they're an inert substance that alter living beings in a self-replicating way to make more of themselves; in that sense, they "reproduce", despite not being "alive".[1]
As for your original point, you're right that it's probably not correct to call RFID tag exploits "viruses": but not because viruses are inert. It's because the RFID virus is not being copied on by the host system it contacts; although, it sounds like it should be possible to craft a virus that does, assuming you could infect the RFID code writing software.
--
AC
[1] People debate terms like "alive", "dead", "reproduce" for hours on end, until they realize they're arguing over definitions, which by definition is pointless....
I just wanted to point out that the "Computer Science professor" mentioned in the /. blurb is "The" Andrew S. Tannenbaum, inventor of minix, and author of several textbooks used in Computer Science programs nationwide.
Personally, I would not have posted that article without attaching these links. Tannenbaum is a key player in modern computer science research and education.
Check out his homepage
and his Wiki biography.
Perhaps there needs to be some catchy name for this type of attack
How about "poison" instead of "virus", since its presence may cause illness or death but does not self replicate. As in "attackers injected poison RFID tags into system, which is now inoperable until repairs are made."
The tag in your head wouldn't be the problem. All the tag in your head does is say, "I AM HERE" when exposed to a magnetic field-- it does not receive anything. It's not even a virus in the classical, computer science sense -- more like fitting a square peg in a round hole. You might be able to do it, but you'll probably break the hole doing so. That's not the fault of the peg (the RFID chip), but rather the person (the software) not recognizing what is garbage data. Thus, if a malicious person knows a particular SCANNING device is susceptible to bad input errors, they could write an RFID tag to screw up that machine.
The problem is in the software which hears the message broadcast by the chip. The software could be poorly coded so that the device READING your chip can crash if it doesn't understand the message your chip is broadcasting.
So directly speaking, you wouldn't keel over and die from an RFID "virus". However, you would probably want to stay away from an RFID scanning robot that could tear your head off thinking it's a package to put on the conveyor belt.