Slashdot Mirror

← Back to Stories (view on slashdot.org)

Virus Jumps to RFID

Posted by ryuzaki0 on

MrShaggy writes "According to a BBC article, researchers have been able to make the jump between RFID tags and viruses. They found that the mere act of scanning a mere 127 bytes could cause an attack vector that would corrupt databases. From the article;'"This is intended as a wake-up call," said Andrew Tanenbaum, one of the researchers in the computer science department at Amsterdam's Free University that did the work revealing the weaknesses on smart tags. "We ask the RFID industry to design systems that are secure," he said.'"

3 of 109 comments (clear)

  1. Like the JPEG "virus" by kherr · · Score: 4, Interesting

    It is the software running on the host machine which does not validate the data coming from the tag that has major issues.

    Absolutely. This is just like the Windows JPEG "virus" that was due to buggy JPEG parsing. Describing RFIDs as an attack vector is appropriate, but inert data can not be a virus. You typically don't execute images or identification information. Perhaps there needs to be some catchy name for this type of attack, but really it's just a new example of the common overflow bug.

  2. Re:FUD? by StarvingSE · · Score: 3, Interesting

    This is very different from barcodes. A barcode has to be manually scanned, so you know when a system is reading the information and you can do (probably minimal) research into whether the software reading the barcode is secure enough to handle your personal data.

    The trouble with RFID is that anyone scanning can pick up your tag without you knowing about it. This includes secure and non-secure software. If 99% of software reading these tags are secure, there is still that 1% that isn't and you wouldn't know that it picked up your personal info until you get the bogus credit card bills in the mail.

    --
    I got nothin'
  3. No expects an RFID tag to send a SQL injection... by rickkas7 · · Score: 3, Interesting
    From the real paper: "No one currently expects an RFID tag to send a SQL injection attack or a buffer overflow."

    I think the point of the research is that many RFID tags are read by closed or theortically isolated systems like inventory control devices and pet identity scanners that probably have not been examined for the kinds of vulnerabilities that we (theoretically) look for Internet accessible servers.

    While we have a mediocre system for updating Internet-based applications in the face of vulnerabilties, the prospect of updating piles of non-Internet accessible devices is indeed an issue.