Slashdot Mirror

← Back to Stories (view on slashdot.org)

Virus Jumps to RFID

Posted by ryuzaki0 on

MrShaggy writes "According to a BBC article, researchers have been able to make the jump between RFID tags and viruses. They found that the mere act of scanning a mere 127 bytes could cause an attack vector that would corrupt databases. From the article;'"This is intended as a wake-up call," said Andrew Tanenbaum, one of the researchers in the computer science department at Amsterdam's Free University that did the work revealing the weaknesses on smart tags. "We ask the RFID industry to design systems that are secure," he said.'"

6 of 109 comments (clear)

  1. Makes me kind of glad by mcguiver · · Score: 2, Interesting

    I am glad that the viruses have started coming out for RFID devices before they started implanting them in my head. But it doesn't suprise me that people were able to find a way to create a virus for them. Hopefully it will cause those who are thinking about using RFID in everything (implanting in people, using as gun safety devices etc...)to reconsider before doing a wide distribution.

    I, for one, would rather not have electronics malfunctioning in my body. Sometimes I have a hard enough time just keeping my body functioning. Who knows, before too long we may need to staff doctors and engineers in hospitals.

  2. Like the JPEG "virus" by kherr · · Score: 4, Interesting

    It is the software running on the host machine which does not validate the data coming from the tag that has major issues.

    Absolutely. This is just like the Windows JPEG "virus" that was due to buggy JPEG parsing. Describing RFIDs as an attack vector is appropriate, but inert data can not be a virus. You typically don't execute images or identification information. Perhaps there needs to be some catchy name for this type of attack, but really it's just a new example of the common overflow bug.

  3. Re:Good thing this was not in the US by andrewman327 · · Score: 2, Interesting
    What does hat color have to do with how evil someone is? Lock them up for their hacking ways! [/sarcasm]


    While I doubt that anyone would have been charged for this in the USA, I agree that the DMCA hampers some meaningful research. To be fair, however, all this project did was prove something that most of us could have figured out on our own: GIGO!

    --
    Information wants a fueled airplane waiting at the hangar and no one gets hurt.
  4. Re:FUD? by StarvingSE · · Score: 3, Interesting

    This is very different from barcodes. A barcode has to be manually scanned, so you know when a system is reading the information and you can do (probably minimal) research into whether the software reading the barcode is secure enough to handle your personal data.

    The trouble with RFID is that anyone scanning can pick up your tag without you knowing about it. This includes secure and non-secure software. If 99% of software reading these tags are secure, there is still that 1% that isn't and you wouldn't know that it picked up your personal info until you get the bogus credit card bills in the mail.

    --
    I got nothin'
  5. No expects an RFID tag to send a SQL injection... by rickkas7 · · Score: 3, Interesting
    From the real paper: "No one currently expects an RFID tag to send a SQL injection attack or a buffer overflow."

    I think the point of the research is that many RFID tags are read by closed or theortically isolated systems like inventory control devices and pet identity scanners that probably have not been examined for the kinds of vulnerabilities that we (theoretically) look for Internet accessible servers.

    While we have a mediocre system for updating Internet-based applications in the face of vulnerabilties, the prospect of updating piles of non-Internet accessible devices is indeed an issue.

  6. Maybe they're trying to hide the real problems by iabervon · · Score: 2, Interesting

    It's possible that they put a virus on an RFID tag. You can also put a virus in a newspaper or transmit it by reading out a bunch of numbers. But that doesn't mean it will be received in a form that makes it do anything. Presumably, they've found a bug in some RFID-processing software similar to the bugs in lots of data-processing software. Of course, RFID systems are more likely to be completely immune to this sort of input-validation issue, because they're often designed to be full-packet binary database keys, and there is no invalid input that the reader can produce (sort of like how US postal bar codes always read as 11-digit numbers, and, while some of those numbers aren't used, they're always either a real place or no place, not something that breaks the system.

    The real security issue is that it's trivial to clone an RFID tag. Using it for identification is like using a piece of paper that can be photocopied, except that the attacker doesn't have to swipe the paper to copy it. But if people only think about the non-fundamental and insignificant flaws with RFID, they can be distracted from the fact that it's entirely inappropriate in the first place.