
RFID & Viral Vulnerability 136

Arleo writes "Student Melanie Rieback and others, part of a Tanenbaum research group in Amsterdam, have proven that RFID tags are vulnerable to infection with viruses. A research paper titled "Is Your Cat Infected with a Computer Virus?" shows how an altered RFID tag can be used to send a SQL injection attack or a buffer overflow. On the rfidvirus.org website they describe possible exploits of these types of viruses: from altering the back office of a supermarket to spreading RFID viruses by infected bags at airports."
  • by TripMaster Monkey ( 862126 ) * on Wednesday March 15, 2006 @10:06AM (#14923471)

    Fascinating stuff, but it seems that the game plan for protecting against RFID malware is basically the same as protecting against more traditional malware...namely, enforcing proper bounds checking, enforcing proper database permissions hierarchies, disabling back-end scripting languages, isolating the vulnerable RFID middleware server in a proper DMZ environment, etc.

    In other words, RFID malware has just as bright a future as the more traditional flavor, since most developers and administrators can't be bothered to take these elementary precautions.
  • by danpsmith ( 922127 ) on Wednesday March 15, 2006 @10:11AM (#14923498)
    I don't understand why we _have_ to use RFID at all. I understand it may make some things easier, but aren't we efficient enough? In these days where security is becoming more and more of an issue, why even create another security issue when the old way still works? Is tracking something via a barcode scanning system really so inefficient that we need RFID? I don't understand, we seem to be pretty efficient in most industries already, why do we need to squeeze another cent an hour out by using some new and relatively unproven technology when the old way works just fine?
  • by uniqueUser ( 879166 ) on Wednesday March 15, 2006 @10:13AM (#14923511)
    I understand that a virus could perform an SQL injection or a buffer overrun, but these activities are not what defines a virus.

    In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents...-Wikipedia [wikipedia.org]
  • Mighty If-fy (Score:5, Insightful)

    by Billosaur ( 927319 ) * <<wgrother> <at> <optonline.net>> on Wednesday March 15, 2006 @10:14AM (#14923518) Journal

    From rfidvirus.org: Here is where the trouble comes in. Up until now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software, and certainly not in a malicious way. Unfortunately, they are wrong. In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionally) infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags. No one thought this possible until now. Later in this website we provide all the details on how to do this and how to defend against it in order to warn the designers of RFID systems not to deploy vulnerable systems.

    So to sum up, if some programmer doesn't do his/her job, the RFID tag they plan on implanting in our passports could be used as delivery devices to compromise computer systems around the globe.

    I'm going to rate this a pretty big if, though, as we know from all the patching going on, the probability is very high. RFID software is going to have to be thoroughly tested and watched like a hawk. Undoubtedly there's going to come a point where if one or two of these viruses get out and something newsworthy happens (airport computers crash, Citigroup gets credit card data stolen, etc.), the whole idea of RFID tags everywhere is going to get a serious black eye.

  • by tgv ( 254536 ) on Wednesday March 15, 2006 @10:19AM (#14923553) Journal
    Not only this, but a single check on the length of the tag would be sufficient against this attack. So in well-designed software there would only be one place where to check for length. It's not like certain well-known operating systems, that have unguarded buffers in dozens of places. That seems to diminish the risk quite a lot. Not to mention that any organization that takes its security seriously will probably set up a warning system for malicious RFID tags, which will expose attackers quite quickly, since they're likely to be physically nearby.
  • user input (Score:5, Insightful)

    by mtenhagen ( 450608 ) on Wednesday March 15, 2006 @10:19AM (#14923555) Homepage
    An RFID tag is the same as any user input and cannot be trusted. When your applications are programmed with this in mind from the start this shouldn't be a problem.

    But of course there are nowadays lots of websites which are vulnerable to SQL injection and similar hacks. Even Google had a cross-site scripting exploit.
  • by ookabooka ( 731013 ) on Wednesday March 15, 2006 @10:25AM (#14923592)
    Why did we switch to barcodes when you could just bring it up to the clerk and they would punch in the price? Didn't the old way work? It is definitely possible to manipulate barcodes to do some nasty things. Put a barcode from an "IPOD headphone" on an "IPOD Mp3 Player". If the clerk doesn't notice, you just got an Ipod for 10 bux. Obviously I wouldn't advocate doing this, but it goes to show that barcodes are anything but secure. If anything they are easier to manipulate, all you need is a photocopier and some tape. Sounds to me you are just hesitant to change, which is understandable, but IMHO RFID's would give us all a lot of nifty possibilities, which would outweigh the risks. The only problem I see is that it would be harder to manipulate an RFID system, meaning that people would trust it more, meaning that those who do have the knowledge to manipulate it are more likely to get away with it and with larger pay-offs too :-/
  • Pure FUD (Score:4, Insightful)

    by Anonymous Coward on Wednesday March 15, 2006 @10:26AM (#14923597)
    Only if the dimwits writing the RFID reading software are stupid enough to treat all RFID readings as 100% trustable OR do something stupid like allow scripting.

    I can see a buffer overflow if your rfid is capable of generating a string massively larger than a normal rfid.

    Outside of a SQL injection to get past a really poorly designed RFID reading application or plain stupidity in the RFID reading software part I can not see any way for a RFID to get the host reading PC to execute the code inside it.
  • overhype (Score:5, Insightful)

    by tomstdenis ( 446163 ) <tomstdenis@gma[ ]com ['il.' in gap]> on Wednesday March 15, 2006 @10:28AM (#14923609) Homepage
    It has nothing to do with the "evilness of RFID" and with the stupidity of the backend. An RFID tag is just a string of text. It's up to the backend application to sort it out.

    This really is no different than replacing the barcodes on packages.

    Tom
  • by TripMaster Monkey ( 862126 ) * on Wednesday March 15, 2006 @10:30AM (#14923619)

    I think what he's asking is: does the badge record the leaving time as well as the arrival time? This is a problem where I work as well...the badge records when you come in, but doesn't record when you leave, so it doesn't matter if you stay late to finish a project...all the management cares about is when you got there in the morning.

    I don't work late anymore.
  • by Gr8Apes ( 679165 ) on Wednesday March 15, 2006 @10:34AM (#14923638)
    Well there are a couple of advantages that I know of to RFID

    1. Inventory, being able to know what is in your store and where it is in a retail setting.

    Actually, according to a recent study, RFIDs are only about 90% accurate at best, for large pallets whizzing by on conveyor belts in a warehouse setting.

    2. Convenience, things like being able to park a cart next to a teller and have all the items charged instantly.

    See #1. I don't know any retailer that would abide by less than 99.999% accuracy. RFID does not meet this requirement at all.

    3. RFID is already used successfully for tracking pets and could be used to store medical data in people with allergies or other special medical requirements, along with other personal data if the individual chooses.

    Let me say I'm scared of some of the potential abuses too, but there are upsides to this.

    Now you're getting to the real meat of why some want RFID to take off. It's much easier to convince someone to accept an injection of a little chip than to be tattooed with a bar code, Henry Rollins notwithstanding.

    While it may be beneficial, the very reason it's beneficial is also why it's bad in an Orwellian sense. There is no way for this to be beneficial without the bad. You can't cover up an RFID, or make it inoperative, without impairing its usefulness when needed.
  • by peter303 ( 12292 ) on Wednesday March 15, 2006 @10:46AM (#14923736)
    By itself RFID could be insecure. But you could retain its simplicity and its advantages (extends reading to a couple meters; longer number ID) with a second layer of security.
    For example at one urban college library they put the cardholder's face immediately on the screen. The cardholder could have a fake ID or borrowed a friend's, but it's much harder to fake a face image. And an image is much easier for the guard to process than some descriptive text. Likewise the RFID code reader could flash an image of the product to the cashier or warehouse clerk as secondary identification.
  • by smooth wombat ( 796938 ) on Wednesday March 15, 2006 @10:51AM (#14923791) Journal
    This may be true but I still pay by check though I'm considering moving to cash, just like I do for gas. Cash only.

    Yeah, it drives the credit agencies nuts because they can't track my credit history because I almost never have a credit bill (excluding my monthly ISP charge). The best they can do is see that I pay all my bills (electric, cable, etc) on time.

    Merchants are certainly stymied because they can't gather enough information on me so they can't send me their snail mail spam.

    No, I'm not paranoid. I just hate debt. Debt is evil. It sucks the life out of one's finances and inhibits the accumulation of wealth.

    Granted, the current administration doesn't understand this but that's a whole other issue.
  • by Opportunist ( 166417 ) on Wednesday March 15, 2006 @10:56AM (#14923852)
    In 2 years you'll get a discount for paying with your card (or pay more for cash, even though they'll still call it a discount).

    In 5 years you won't get anything at a huge supermarket chain anymore without card. Won't work? People will refuse to shop there? Think of some of the huge outlets that only let you IN when you got a card and go figure.
  • by Vo0k ( 760020 ) on Wednesday March 15, 2006 @10:57AM (#14923870) Journal
    Except these dimwits DO treat RFIDs as trustable.
    Not 'evil', just dumb. RFID reader is an insecure input device like any other, and you don't even need physical access to use it. But it seems nobody thought of preparing a barcode that could crash the cash register, recording a magnetic card that would infect the security system, etc. Some devices are thought to be too simple to mean danger - wrongly. I remember some old Atari games that would crash or misbehave if you'd open the joystick and pressed "left" and "right" simultaneously. I burnt electronics of a RC toy car by telling it to go forward and back at the same time. Got a motorbike to run backward by starting the engine by pushing it backwards. Managed to crash my cell phone by buffer overflow at battery load level sensor (it WAS a software failure!) Got a CD tray to stop halfway by simultaneously pressing the eject key and sending eject commands from the computer.

    A toggle switch can be balanced in the middle position. A pushbutton can be softly pressed to make a spark gap. Unconnected lines can be shorted. Even a single-bit input device cannot be trusted.
  • by gunnk ( 463227 ) <{gunnk} {at} {mail.fpg.unc.edu}> on Wednesday March 15, 2006 @11:20AM (#14924109) Homepage
    Would they have to be nearby?

    I see a real threat for anonymous attacks:

    Attacker buys RFID-tracked product at store.
    Attacker alters RFID-tracked product to allow for attack.
    Attacker returns the product to the store shelf and waits...
    Joe Sixpack checks out with infected product.
    Clerk scans product and infects store database.
    All prices for all products now set to $0.
  • by gunnk ( 463227 ) <{gunnk} {at} {mail.fpg.unc.edu}> on Wednesday March 15, 2006 @11:27AM (#14924199) Homepage
    2. Convenience, things like being able to park a cart next to a teller and have all the items charged instantly.

    See #1. I don't know any retailer that would abide by less than 99.999% accuracy. RFID does not meet this requirement at all.


    If you think this is true, you need to check your receipts and count your change more frequently.

    I've never seen a shop that manages 99% accuracy... the clerk fails to scan an item (doesn't notice it didn't beep), the item is in the database with the wrong price, the item scans twice, the item is missing entirely (so the clerk asks you to give them the price)...

    99.999%???

  • by maxwell demon ( 590494 ) on Wednesday March 15, 2006 @12:08PM (#14924630) Journal
    Scenario: Someone working at the IT department of a shop (thus having inside knowledge of the system) gets fired and wants to harm the shop. The shop will make damn sure that he will not have access to the system afterwards (and let's assume that network access is well protected, too). However, he may well be able to smuggle a malicious RFID tag into the shop. There it lies, unnoticed, until a few days later some unsuspecting customer buys the item thus tagged. As soon as the tag is read by the scanner, the attack happened.
  • by rk ( 6314 ) * on Wednesday March 15, 2006 @12:35PM (#14924902) Journal

    "A lot of good comments have already been made here, but I'm surprised nobody has commented yet on something that seems obvious: if you're going to hack into a system, you have to know a little bit about the system first."

    You're 100% right, but there will emerge from 1 to 3 dominant vendors of backend RFID systems, and they will be deployed in many places, many people will have knowledge of these systems, and help to learn about their underlying architecture will likely be found right on the vendor's website, or only a couple Google searches away. Like every other system out there, there will be a few weird custom jobs, but most of it will be off-the-shelf software that thousands of organizations use.

    Today's theoretical often winds up being tomorrow's practical.

  • by BeBoxer ( 14448 ) on Wednesday March 15, 2006 @01:31PM (#14925459)
    Not only this, but a single check on the length of the tag would be sufficient against this attack.

    Not true. The article specifically mentions potential SQL injection attacks, which are not caught by a simple length check. Also, you are assuming that the tag contains nothing more complex than a single ID number. As the complexity of the data in the tag goes up, so does the complexity of the parsing code for that data. Take for example including a picture of the owner in the RFID tag inside of a passport. Now the outside data is being fed to some type of image decompression software with all sorts of opportunities for vulnerable bugs. Not only is image data likely to be a component of lots of RFID data, image decompression routines have historically been fertile ground for exploitable code bugs.

    None of which is to say that the problem isn't manageable, but just that it's a lot more involved than a single length check. In fact, it's that kind of thinking which leads to vulnerable bugs. "Hey, this 1KB of random data is the right length, it must be OK. No need to worry about bugs anywhere else in the system." Riiiight.
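
The disagreement in the thread over whether a length check on the tag is enough, as an added example that is not part of the original discussion or of the rfidvirus.org material: a back-end lookup that only checks length, beside one that allow-lists the tag format and binds it as a query parameter. The `products` table, the tag format, `MAX_TAG_LEN` and the sample tag strings are all constructed assumptions.

```python
import re
import sqlite3

MAX_TAG_LEN = 64                             # assumed tag capacity for this sketch
TAG_FORMAT = re.compile(r"[0-9A-F]{8,24}")   # assumed ID format: upper-case hex
HOSTILE_TAG = "' OR price < 50 --"           # constructed tag content, 18 chars

def make_db():
    """Constructed in-memory stand-in for the store's product database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (tag_id TEXT PRIMARY KEY, name TEXT, price REAL)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [("04A1B2C3D4", "headphones", 10.0),
                    ("04FFEE0011", "mp3 player", 299.0)])
    return db

def lookup_length_check_only(db, tag):
    """Weak form: the length is checked, then the tag text is pasted into SQL."""
    if len(tag) > MAX_TAG_LEN:
        raise ValueError("tag too long")
    sql = "SELECT name, price FROM products WHERE tag_id = '" + tag + "'"
    return db.execute(sql).fetchall()

def is_well_formed(tag):
    """Allow-list check: bounded length and nothing but the expected alphabet."""
    return len(tag) <= MAX_TAG_LEN and TAG_FORMAT.fullmatch(tag) is not None

def lookup_hardened(db, tag):
    """Hardened form: reject malformed tags, then bind the tag as data."""
    if not is_well_formed(tag):
        raise ValueError("malformed tag")
    return db.execute("SELECT name, price FROM products WHERE tag_id = ?",
                      (tag,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # The hostile tag passes the length check and changes the query's meaning:
    # it matches a product although no product carries that tag ID.
    print("length check only:", lookup_length_check_only(db, HOSTILE_TAG))
    try:
        lookup_hardened(db, HOSTILE_TAG)
    except ValueError as err:
        print("hardened:", err)   # a rejected tag is also an event worth logging
    print("hardened, valid tag:", lookup_hardened(db, "04FFEE0011"))
```

Binding alone already keeps the tag from being parsed as SQL; the format check adds an early, loggable rejection point for tags that should never occur.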
