Slashdot Mirror

← Back to Stories (view on slashdot.org)

Virus Jumps to RFID

Posted by ryuzaki0 on

MrShaggy writes "According to a BBC article, researchers have been able to make the jump between RFID tags and viruses. They found that the mere act of scanning a mere 127 bytes could cause an attack vector that would corrupt databases. From the article;'"This is intended as a wake-up call," said Andrew Tanenbaum, one of the researchers in the computer science department at Amsterdam's Free University that did the work revealing the weaknesses on smart tags. "We ask the RFID industry to design systems that are secure," he said.'"

8 of 109 comments (clear)

  1. FUD? by LiquidCoooled · · Score: 5, Insightful

    Hang on a minute, in this case the tag is not the problem.
    It is the software running on the host machine which does not validate the data coming from the tag that has major issues.

    If I can corrupt a database by entering an invalid lookup code then theres something severely fucked up.
    My bet is its something like the sql injection attacks we see on the web, and you don't see people blaming the input box in those cases.

    quote from the article:

    In some cases, said the researchers, viruses could be spread by household pets such as cats and dogs that are injected with the tags to help identify their owner.

    The pets aren't going to be spreading this "virus" themselves its not sexually transmitted, it cannot be passed by rubbing up against your leg. It will be the vets computer which gets infected because of crappy validation.

    MEOOOOOOOOEEEEEEEEOOOOOOOOOOOWWWWWWWWWWWWW!

    Charlie says: always validate your external inputs before doing any data processing.

    Smart tags, dumb research.

    (and thats coming from someone who doesn't like RFID)

    --
    liqbase :: faster than paper
    1. Re:FUD? by andrewman327 · · Score: 4, Insightful

      I could not agree more. I fail to see how (in this case) RFID tags are any more dangerous than barcodes. This should be a wakeup call to developers to remember to include basic validation and error catching into their programs. Just because it is new and flashy, some people think it is a panacea that has no problems. I have learned always to write code remembering Murphy's Law because in computer science, everything does go wrong at one point or another. This story should not make people stop using tags, but it is always worth asking your vendor about security, especially if you are implementing an RFID system.

      --
      Information wants a fueled airplane waiting at the hangar and no one gets hurt.
    2. Re:FUD? by Z0mb1eman · · Score: 4, Insightful

      I agree that was my first (knee-jerk?) reaction after reading the somewhat FUD-ish summary. However:

      "We ask the RFID industry to design systems that are secure"

      If the "RFID industry" creates the reader software as well, and if the vulnerability is in that reader software (which is what it sounds like), then the criticism is perfectly valid.

      FTA:

      ""Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong," wrote the trio in their research paper."

      and

      "The researchers urged companies working on RFID systems to start thinking seriously about security measures to protect against future threats."

      No one's really saying the tags are inherently insecure, any more than they might say that a floppy disk or a CD are insecure. If the reader software currently has many vulnerabilities, no matter how obvious it might seem in hindsight, this seems like valuable research to me.

      --
      ClutterMe.com - easiest site creation on the Net. Just click and type.
    3. Re:FUD? by LiquidCoooled · · Score: 5, Informative

      If the tag data is expected to be an alphanumeric code to represent the customer: Slashdot_LiquidCoooled_634315

      this can be used (incorrectly) to produce a raw piece of SQL:

      select * from Customers where Code='Slashdot_LiquidCoooled_634315'

      if that code contains quotes and they are not being handled correctly then it is certainly possible to corrupt the database.

      Suppose my RFID was programmed with something like this and it was not being validated correctly:

      '; Drop table [customers];

      The resulting SQL could end up something like:

      select * from Customers where Code=''; Drop table [customers];'

      bye bye customers table (if permissions set at defaults and the wind is blowing your way)

      --
      liqbase :: faster than paper
  2. Like the JPEG "virus" by kherr · · Score: 4, Interesting

    It is the software running on the host machine which does not validate the data coming from the tag that has major issues.

    Absolutely. This is just like the Windows JPEG "virus" that was due to buggy JPEG parsing. Describing RFIDs as an attack vector is appropriate, but inert data can not be a virus. You typically don't execute images or identification information. Perhaps there needs to be some catchy name for this type of attack, but really it's just a new example of the common overflow bug.

    1. Re:Like the JPEG "virus" by Anonymous Coward · · Score: 5, Insightful

      Absolutely. This is just like the Windows JPEG "virus" that was due to buggy JPEG parsing. Describing RFIDs as an attack vector is appropriate, but inert data can not be a virus.

      Inert data can certainly be a virus: that's especially true in biology, where the entire virus metaphor arose in the first place. After all, virus is an piece of inert genetic data. When in contact with a live host, it alters the behaviour of the host; but without a host system to carry it, viruses are inert. Some people like to characterize them as the boundry case between "living" and "non-living": they're an inert substance that alter living beings in a self-replicating way to make more of themselves; in that sense, they "reproduce", despite not being "alive".[1]

      As for your original point, you're right that it's probably not correct to call RFID tag exploits "viruses": but not because viruses are inert. It's because the RFID virus is not being copied on by the host system it contacts; although, it sounds like it should be possible to craft a virus that does, assuming you could infect the RFID code writing software.

      --
      AC
      [1] People debate terms like "alive", "dead", "reproduce" for hours on end, until they realize they're arguing over definitions, which by definition is pointless....

  3. Erm by LordPhantom · · Score: 4, Informative

    2 words - Input Validation

    This article can be summed up in the following sentance:

    OH NO! Anyone can put ANYTHING on a tag that might be read by database software! Horrors!

    C'mon people, this is basic data security 101 - never trust inputs without validation. This isn't a problem with insecure tags, it's a problem with import software/database code.

  4. The full article -- it's legit by davecb · · Score: 4, Informative

    There is a PDF and also a complete discussion at http://www.rfidvirus.org/virus.html, breifly outlining "Replication Using Self-Referential Queries" and "Replication Using Quines".

    For example,
    Database systems usually offer a way to obtain the currently running queries for system administration purposes. However, these functions return queries as an normal string, which makes it possible to store them in the database, thereby replicating the query.

    We have developed two versions of the virus, one that is contained in a single query, and one the requires multiple queries. The virus using a single query requires less features from the database, but cannot carry SQL code as a payload. The virus using multiple queries requires a database that supports this, but it does allow SQL code as a payload.

    Details on the virus using self-referential queries can be found athttp://www.rfidvirus.org/exploits/sql_self/index .html

    --
    davecb@spamcop.net