RFID & Viral Vulnerability
Arleo writes "Student Melanie Rieback and others, part of a Tanenbaum research group in Amsterdam, have proven that RFID tags are vulnerable to infection with viruses. In a research paper titled "Is Your Cat Infected with a Computer Virus?" it is shown how an altered RFID tag can be used to send a SQL injection attack or a buffer overflow. They describe on the rfidvirus.org website possible exploits of these types of viruses: from altering the back office of a supermarket to spreading RFID viruses via infected bags at airports."
Re:My question is why? (Score:2, Informative)
Re:Virus? I think not. (Score:2, Informative)
At that point, I'd be more afraid of the EM emissions than any RFID dastardliness.
Re:Virus? I think not. (Score:4, Informative)
From the linked pdf: To prove our point, this paper will present the first self-replicating RFID virus.
So, um, yeah. Maybe, just maybe, you should RTFA. I know, I know. Pipedream.
Why we switched - save you money (Score:2, Informative)
http://www.illinoistollway.com/portal/page?_pagei
http://www.ezpassde.com/ [ezpassde.com]
http://www.sunpass.com/ [sunpass.com]
http://www.prepass.com/ [prepass.com]
Weight in motion, which usually uses RFID;
http://science.howstuffworks.com/question626.htm [howstuffworks.com]
We've been doing RFID since 1996. It's not new technology. We are just talking about new applications.
Re:RFID Software vulnerabilities (Score:4, Informative)
I'm not sure you understand how RFID tags work. There are a variety of standards on how RFID tags are encoded, all of which break down into partitioning the tag's data into segments to form the unique identifier.
For the sake of argument I'll use EPC SGTIN96. The SGTIN tag has four partitions: Filter, Company Prefix, Item Reference, and Serial Number. Each of these fields is of varying size depending on how big the tag is. Typically RFID tags are 96 bits (although some tags can get up to 1Kbit); even using 7-bit ASCII there's not a whole lot you can fit in 96 bits. When I poll the reader or the middleware, I'm getting back a number, e.g. 12345, and it's my responsibility to parse through that number to get the fields I'm interested in. In this scenario I would have to be doing some *very* sloppy programming to open myself to an SQL injection attack (something along the lines of treating known numeric data as a string).
ISO and EPC Gen 2 tags do support custom data, which I suppose could be used to store strings, but since it is severely space constrained (typically in the range of 2-32 bytes) I question the viability of such an attack. Not to mention that the field will likely be used for writing in IDs instead of human-readable data. Finally, it is common to encrypt the custom payload on an RFID tag. So even if somebody were to change it to "AND 1 = 1" it would be caught when the program tries to decrypt the tag.
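The handling discussed in the comment above, as an added example that is not from the commenter or the paper: a strict SGTIN-96 decoder that yields integers only, followed by an insert in which every tag-derived value, including free-form user memory, is a bound parameter. The function names, the `reads` table and the sample EPC are assumptions made for this sketch; the header and partition fields go beyond the four fields the comment names and are part of the SGTIN-96 bit layout.

```python
import re
import sqlite3

# SGTIN-96 partition value -> (company prefix bits, digits, item reference bits, digits)
PARTITIONS = {0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3), 3: (30, 9, 14, 4),
              4: (27, 8, 17, 5), 5: (24, 7, 20, 6), 6: (20, 6, 24, 7)}
SAMPLE_EPC = "3074257BF7194E4000001A85"  # sample EPC used for this example

def decode_sgtin96(epc_hex):
    """Split a 96-bit SGTIN-96 EPC into integer fields; ValueError on anything malformed."""
    if not isinstance(epc_hex, str) or not re.fullmatch(r"[0-9A-Fa-f]{24}", epc_hex):
        raise ValueError("expected exactly 24 hex digits (96 bits)")
    value = int(epc_hex, 16)
    if value >> 88 != 0x30:
        raise ValueError("header is not SGTIN-96 (0x30)")
    partition = (value >> 82) & 0x7
    if partition not in PARTITIONS:
        raise ValueError("reserved partition value 7")
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    fields = {"filter": (value >> 85) & 0x7,
              "company_prefix": (value >> (82 - cp_bits)) & ((1 << cp_bits) - 1),
              "item_reference": (value >> 38) & ((1 << ir_bits) - 1),
              "serial": value & ((1 << 38) - 1)}
    if fields["company_prefix"] >= 10 ** cp_digits or fields["item_reference"] >= 10 ** ir_digits:
        raise ValueError("field does not fit its decimal digit count")
    return fields

def store_read(db, epc_hex, user_memory):
    """Record one tag read. Every tag-derived value is a bound parameter, never SQL text."""
    f = decode_sgtin96(epc_hex)
    db.execute("INSERT INTO reads VALUES (?, ?, ?, ?)",
               (f["company_prefix"], f["item_reference"], f["serial"], user_memory))

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reads (company_prefix INTEGER, item_reference INTEGER,"
               " serial INTEGER, user_memory BLOB)")
    # User memory holding the string from the comment above; stored as inert bytes.
    store_read(db, SAMPLE_EPC, b"AND 1 = 1")
    return db.execute("SELECT * FROM reads").fetchall()

if __name__ == "__main__":
    print(decode_sgtin96(SAMPLE_EPC))
    print(demo())
```

Rejecting anything that is not exactly 24 hex digits with a valid header and partition keeps the EPC path numeric end to end, and the bound parameter keeps the user-memory bytes out of the SQL text regardless of what they contain.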