RFID & Viral Vulnerability

Arleo writes "Student Melanie Rieback and others, part of a Tannenbaum research group in Amsterdam, have proven that RFID-tags are vulnerable for infection with viruses. In a research paper titled "Is Your Cat Infected with a Computer Virus?" is shown how an altered RFID tag can be used to send a SQL injection attack or a buffer overflow. They describe on the rfidvirus.org website possible exploits of this types of viruses: from altering the backoffice of a supermarket to spreading RFID viruses by infected bags on airports."

Will this affect me?

[Onymous Hero]

My company is rolling out RFID badges for all staff to streamline our security and help reduce the amount of late employees etc - is this something that could be a problem or is it just theoretical?

Re:Will this affect me?

[AnonymousPrick]

My company is rolling out RFID badges for all staff to ... help reduce the amount of late employees etc...

I'm just curious, will the company also compensate the employees who are working more hours - even if they are coming in late?

I know, if you said something like this, they'd call you in and tell you "what a bad attitude you have." or that "you're not a team player."

Yeah, I'm bitter....fucking corps...

Re:Bright Future for RFID malware.

[Alex P Keaton in da]

Think about the shoplifting possibilities- Once RFID id used to monitor what is in your shopping cart, and you are automatically charged (because your credit card has RFID) as you walk out of the stores (No more checkout girl).
Write a little virus that defaults all your mechandise to 99cents an item, and you are good to go. This would of course only work with items worth more than 99cents, like steaks and electronics. Defaulting Bubblegum to 99cents would end up lamking you lose money.

Re:Virus? I think not.

[TripMaster Monkey]

If the SQL injection or buffer overrun instructs the middleware system to overwrite all RFID tags subsequently scanned with the exploit code, that's pretty self-replicating, isn't it?

Re:My question is why?

[karnal]

My company is currently trying to work towards a whole-house RFID setup (we sell consumer products.)

Problems we've had (in talking with the engineers):

1. Our product is in metal containers (within cardboard). Bad for RFID.
2. Placement is CRITICAL. Especially in a plant environment, you need to know where the RFID tag is so you can read and write it quickly; in addition to minimizing #3
3. Outside RF. We've had instances to where in a test lab, we can read and write and verify the write within 80ms, as a box is cruising by on the conveyor. Once we transition to the plant, however, it gets a little more shaky, as you have less control over where the conveyor motor is, more flourescent lights, and oh yea, there's still those damn metal cans.

RFID has a long way to go from what I've been told by our engineers. It's not as dead simple as you might think -- of course, for handheld scanners though, which require human intervention - may be 10 times easier since humans can modify the environment to see fit on the fly.

Re:Bright Future for RFID malware.

[Jeff DeMaagd]

That's quite a lot of work though, not something I would call "simple", especially for overworked and underpaid IT workers. Normally I wouldn't be concerned because most times, RFID should only be a serial number, but if even image files can cause trouble, then I suppose anything can.

Re:My question is why?

[FutrDreams]

Well corporations will push for this for efficiency but think of possible consumer uses. Say you have portable RFID scanner and a database provided by an organization. This organization could be Greenpeace, Consumer Reports your favorite wine review site, etc. So I walk into the store and key into my scanner, show me all coffee products that are Fair Trade Certified. Show me if they have any one of my favorite 10 wines, etc. RFID tags for home use -buy a pack of say 100 tags and tag things in your house. Where's the TV remote? Take a walk w/ a scanner and oooh there it is. Moving? Tag your stuff, put it in boxes. Done. What's in my pantry? Scan it. What drinks can I make w/ things in my bar? You get the point. There are some issues w/ creating the database, and privacy issues for corporations, but I'm sure there's a place for new companies to sell that info. -Futrdreams.

You almost have to be an insider FIRST

[Goldenhawk]

A lot of good comments have already been made here, but I'm surprised nobody has commented yet on something that seems obvious: if you're going to hack into a system, you have to know a little bit about the system first. You can't simply design some buffer overflow exploit and trust it will "hack" the back-end system. That seems awful "Independence Day"-ish - you know, writing a virus here on Earth that somehow magically attacks and shuts down an alien computer system. Makes for exciting movies (if you're not minimally smart about computers) but it never works in the real world.

In this case, it seems to me that if you know enough about both ends of the process, sure, you can develop some method to penetrate the system. Most malware authors have the benefit of working on a very well-known platform - the Windows PC - with known software (one of the limited numbers of email or browser programs). But attacking a back-end system like this is a much more dicey proposition - each large corporation probably will have its own back end, and may be running any of a dozen OS-and-database combinations.

So to benefit from this attack, it seems to me that the author has to be an insider to stand a ghost of a chance of success. If he's an insider, there are MUCH easier ways to penetrate the system.

As a result, while I have great concerns about RFID, this strikes me as FUD.
1) Develop complicated, application-specific RFID attack that would never be real-world useful
2) Write research paper spreading more fear about RFID
3) PROFIT! (or at least get a lot of attention)

RFID Software vulnerabilities

[Philodoxx]

The problem I have with the idea of an RFID virus is that most RFID middleware is based on either .NET or Java. I'm not saying it's impossible but the prospect to propagating a virus by RFID tag becomes a whole lot harder if they have to put MSIL or Java bytecode on the tag. I've developed a few RFID applications and all of the incoming RFID data are numbers (e.g. id: 12345) and I just look that information up in a database. It's not like I'm storing "SELECT * FROM table WHERE id = 12345" on the tag and then executing it blindly.

Re:My question is why?

[Anonymous Coward]

Retail scan percentages in America at the moment are around 95%. That is, for every 100 items scanned via barcode, 5 items are manually typed in as generic.

I was talking to a software provider for the supermarket sector, and at a conference he was recently at, the people working on RFID technology were happy to get 60% scan rate in a real world environment.

It's likely the tech is going to take another 5-7 years before it's up to the 95%+ scan rate we need to function and trust our inventory.

Re:My question is why?

[Anonymous Coward]

We also are placing the tags on metal objects. If you have air and cardboard, it should not be a problem. Also, has your team looked at the new ceramic and foam backing to place the tag directly on the object?

We are using active tags for WIP and are placing the tags directly on the objects. These tags are expensive (+-$20), but we reuse them. We use passive tags on the shipping labels.

Also, one more thing to look out for - the noise level. Certian parts of our plants were just too loud to use passive RF technology.

By the way, is your company using integration services? If so, who?