Slashdot Mirror

← Back to Stories (view on slashdot.org)

Virus Jumps to RFID

Posted by ryuzaki0 on

MrShaggy writes "According to a BBC article, researchers have been able to make the jump between RFID tags and viruses. They found that the mere act of scanning a mere 127 bytes could cause an attack vector that would corrupt databases. From the article;'"This is intended as a wake-up call," said Andrew Tanenbaum, one of the researchers in the computer science department at Amsterdam's Free University that did the work revealing the weaknesses on smart tags. "We ask the RFID industry to design systems that are secure," he said.'"

4 of 109 comments (clear)

  1. FUD? by LiquidCoooled · · Score: 5, Insightful

    Hang on a minute, in this case the tag is not the problem.
    It is the software running on the host machine which does not validate the data coming from the tag that has major issues.

    If I can corrupt a database by entering an invalid lookup code then theres something severely fucked up.
    My bet is its something like the sql injection attacks we see on the web, and you don't see people blaming the input box in those cases.

    quote from the article:

    In some cases, said the researchers, viruses could be spread by household pets such as cats and dogs that are injected with the tags to help identify their owner.

    The pets aren't going to be spreading this "virus" themselves its not sexually transmitted, it cannot be passed by rubbing up against your leg. It will be the vets computer which gets infected because of crappy validation.

    MEOOOOOOOOEEEEEEEEOOOOOOOOOOOWWWWWWWWWWWWW!

    Charlie says: always validate your external inputs before doing any data processing.

    Smart tags, dumb research.

    (and thats coming from someone who doesn't like RFID)

    --
    liqbase :: faster than paper
    1. Re:FUD? by andrewman327 · · Score: 4, Insightful

      I could not agree more. I fail to see how (in this case) RFID tags are any more dangerous than barcodes. This should be a wakeup call to developers to remember to include basic validation and error catching into their programs. Just because it is new and flashy, some people think it is a panacea that has no problems. I have learned always to write code remembering Murphy's Law because in computer science, everything does go wrong at one point or another. This story should not make people stop using tags, but it is always worth asking your vendor about security, especially if you are implementing an RFID system.

      --
      Information wants a fueled airplane waiting at the hangar and no one gets hurt.
    2. Re:FUD? by Z0mb1eman · · Score: 4, Insightful

      I agree that was my first (knee-jerk?) reaction after reading the somewhat FUD-ish summary. However:

      "We ask the RFID industry to design systems that are secure"

      If the "RFID industry" creates the reader software as well, and if the vulnerability is in that reader software (which is what it sounds like), then the criticism is perfectly valid.

      FTA:

      ""Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong," wrote the trio in their research paper."

      and

      "The researchers urged companies working on RFID systems to start thinking seriously about security measures to protect against future threats."

      No one's really saying the tags are inherently insecure, any more than they might say that a floppy disk or a CD are insecure. If the reader software currently has many vulnerabilities, no matter how obvious it might seem in hindsight, this seems like valuable research to me.

      --
      ClutterMe.com - easiest site creation on the Net. Just click and type.
  2. Re:Like the JPEG "virus" by Anonymous Coward · · Score: 5, Insightful

    Absolutely. This is just like the Windows JPEG "virus" that was due to buggy JPEG parsing. Describing RFIDs as an attack vector is appropriate, but inert data can not be a virus.

    Inert data can certainly be a virus: that's especially true in biology, where the entire virus metaphor arose in the first place. After all, virus is an piece of inert genetic data. When in contact with a live host, it alters the behaviour of the host; but without a host system to carry it, viruses are inert. Some people like to characterize them as the boundry case between "living" and "non-living": they're an inert substance that alter living beings in a self-replicating way to make more of themselves; in that sense, they "reproduce", despite not being "alive".[1]

    As for your original point, you're right that it's probably not correct to call RFID tag exploits "viruses": but not because viruses are inert. It's because the RFID virus is not being copied on by the host system it contacts; although, it sounds like it should be possible to craft a virus that does, assuming you could infect the RFID code writing software.

    --
    AC
    [1] People debate terms like "alive", "dead", "reproduce" for hours on end, until they realize they're arguing over definitions, which by definition is pointless....