Virus Jumps to RFID

MrShaggy writes "According to a BBC article, researchers have been able to make the jump between RFID tags and viruses. They found that the mere act of scanning a mere 127 bytes could cause an attack vector that would corrupt databases. From the article;'"This is intended as a wake-up call," said Andrew Tanenbaum, one of the researchers in the computer science department at Amsterdam's Free University that did the work revealing the weaknesses on smart tags. "We ask the RFID industry to design systems that are secure," he said.'"

FUD?

[LiquidCoooled]

Hang on a minute, in this case the tag is not the problem.
It is the software running on the host machine which does not validate the data coming from the tag that has major issues.

If I can corrupt a database by entering an invalid lookup code then theres something severely fucked up.
My bet is its something like the sql injection attacks we see on the web, and you don't see people blaming the input box in those cases.

quote from the article:

In some cases, said the researchers, viruses could be spread by household pets such as cats and dogs that are injected with the tags to help identify their owner.

The pets aren't going to be spreading this "virus" themselves its not sexually transmitted, it cannot be passed by rubbing up against your leg. It will be the vets computer which gets infected because of crappy validation.

MEOOOOOOOOEEEEEEEEOOOOOOOOOOOWWWWWWWWWWWWW!

Charlie says: always validate your external inputs before doing any data processing.

Smart tags, dumb research.

(and thats coming from someone who doesn't like RFID)

Re:FUD?

[LiquidCoooled]

If the tag data is expected to be an alphanumeric code to represent the customer: Slashdot_LiquidCoooled_634315

this can be used (incorrectly) to produce a raw piece of SQL:

select * from Customers where Code='Slashdot_LiquidCoooled_634315'

if that code contains quotes and they are not being handled correctly then it is certainly possible to corrupt the database.

Suppose my RFID was programmed with something like this and it was not being validated correctly:

'; Drop table [customers];

The resulting SQL could end up something like:

select * from Customers where Code=''; Drop table [customers];'

bye bye customers table (if permissions set at defaults and the wind is blowing your way)

Re:Like the JPEG "virus"

Absolutely. This is just like the Windows JPEG "virus" that was due to buggy JPEG parsing. Describing RFIDs as an attack vector is appropriate, but inert data can not be a virus.

Inert data can certainly be a virus: that's especially true in biology, where the entire virus metaphor arose in the first place. After all, virus is an piece of inert genetic data. When in contact with a live host, it alters the behaviour of the host; but without a host system to carry it, viruses are inert. Some people like to characterize them as the boundry case between "living" and "non-living": they're an inert substance that alter living beings in a self-replicating way to make more of themselves; in that sense, they "reproduce", despite not being "alive".[1]

As for your original point, you're right that it's probably not correct to call RFID tag exploits "viruses": but not because viruses are inert. It's because the RFID virus is not being copied on by the host system it contacts; although, it sounds like it should be possible to craft a virus that does, assuming you could infect the RFID code writing software.

--
AC
[1] People debate terms like "alive", "dead", "reproduce" for hours on end, until they realize they're arguing over definitions, which by definition is pointless....