RFID & Viral Vulnerability
Arleo writes "Student Melanie Rieback and others, part of a Tanenbaum research group in Amsterdam, have proven that RFID tags are vulnerable to infection with viruses. In a research paper titled "Is Your Cat Infected with a Computer Virus?", it is shown how an altered RFID tag can be used to send a SQL injection attack or a buffer overflow. They describe on the rfidvirus.org website possible exploits of these types of viruses: from altering the back office of a supermarket to spreading RFID viruses by infected bags at airports."
Will this affect me? (Score:2, Interesting)
Re:Will this affect me? (Score:2, Interesting)
I'm just curious, will the company also compensate the employees who are working more hours - even if they are coming in late?
I know, if you said something like this, they'd call you in and tell you "what a bad attitude you have." or that "you're not a team player."
Yeah, I'm bitter....fucking corps...
Re:Bright Future for RFID malware. (Score:1, Interesting)
Write a little virus that defaults all your merchandise to 99 cents an item, and you are good to go. This would of course only work with items worth more than 99 cents, like steaks and electronics. Defaulting Bubblegum to 99 cents would end up making you lose money.
Re:Virus? I think not. (Score:4, Interesting)
If the SQL injection or buffer overrun instructs the middleware system to overwrite all RFID tags subsequently scanned with the exploit code, that's pretty self-replicating, isn't it?
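An added illustration, not part of the original thread or the cited paper: a back-end lookup that splices tag contents into SQL text, next to a version that validates the tag and binds it as a parameter. The table, the 8-hex-digit tag format and all sample values are constructed assumptions for this sketch.

```python
import re
import sqlite3

# Constructed sample: a malformed tag whose contents contain SQL syntax.
MALFORMED_TAG = "X' OR '1'='1"

# Assumed tag format for this example: exactly 8 uppercase hex digits.
TAG_FORMAT = re.compile(r"[0-9A-F]{8}")


def make_db():
    """Build a toy in-memory inventory standing in for the back-office database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (tag_id TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)")
    db.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [("A1B2C3D4", "steak", 1499), ("0F0E0D0C", "bubblegum", 49)],
    )
    return db


def lookup_unsafe(db, tag_data):
    # Weak pattern: tag contents become part of the SQL text, so whatever
    # is written on the tag can change the structure of the query.
    query = "SELECT name FROM items WHERE tag_id = '" + tag_data + "'"
    return [row[0] for row in db.execute(query)]


def lookup_bound(db, tag_data):
    # Parameter binding: the tag is only ever compared as a value.
    rows = db.execute("SELECT name FROM items WHERE tag_id = ?", (tag_data,))
    return [row[0] for row in rows]


def lookup_safe(db, tag_data):
    # Defence in depth: reject data that is not a well-formed tag ID
    # (wrong length or wrong characters) before it reaches the database.
    if not TAG_FORMAT.fullmatch(tag_data):
        raise ValueError("malformed tag data")
    return lookup_bound(db, tag_data)


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, MALFORMED_TAG))  # matches every row
    print("bound: ", lookup_bound(db, MALFORMED_TAG))   # matches nothing
```

A rejected tag is also worth logging with the reader's ID, since a tag that fails the format check is either corrupted or tampered with.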
Re:My question is why? (Score:5, Interesting)
Problems we've had (in talking with the engineers):
1. Our product is in metal containers (within cardboard). Bad for RFID.
2. Placement is CRITICAL. Especially in a plant environment, you need to know where the RFID tag is so you can read and write it quickly; in addition to minimizing #3.
3. Outside RF. We've had instances where in a test lab, we can read and write and verify the write within 80ms, as a box is cruising by on the conveyor. Once we transition to the plant, however, it gets a little more shaky, as you have less control over where the conveyor motor is, more fluorescent lights, and oh yeah, there's still those damn metal cans.
RFID has a long way to go from what I've been told by our engineers. It's not as dead simple as you might think -- of course, for handheld scanners though, which require human intervention - may be 10 times easier since humans can modify the environment to see fit on the fly.
Re:Bright Future for RFID malware. (Score:3, Interesting)
Re:My question is why? (Score:2, Interesting)
You almost have to be an insider FIRST (Score:4, Interesting)
In this case, it seems to me that if you know enough about both ends of the process, sure, you can develop some method to penetrate the system. Most malware authors have the benefit of working on a very well-known platform - the Windows PC - with known software (one of the limited numbers of email or browser programs). But attacking a back-end system like this is a much more dicey proposition - each large corporation probably will have its own back end, and may be running any of a dozen OS-and-database combinations.
So to benefit from this attack, it seems to me that the author has to be an insider to stand a ghost of a chance of success. If he's an insider, there are MUCH easier ways to penetrate the system.
As a result, while I have great concerns about RFID, this strikes me as FUD.
1) Develop complicated, application-specific RFID attack that would never be real-world useful
2) Write research paper spreading more fear about RFID
3) PROFIT! (or at least get a lot of attention)
RFID Software vulnerabilities (Score:2, Interesting)
Re:My question is why? (Score:2, Interesting)
I was talking to a software provider for the supermarket sector, and at a conference he was recently at, the people working on RFID technology were happy to get 60% scan rate in a real world environment.
It's likely the tech is going to take another 5-7 years before it's up to the 95%+ scan rate we need to function and trust our inventory.
Re:My question is why? (Score:1, Interesting)
We are using active tags for WIP and are placing the tags directly on the objects. These tags are expensive (+-$20), but we reuse them. We use passive tags on the shipping labels.
Also, one more thing to look out for - the noise level. Certain parts of our plants were just too loud to use passive RF technology.
By the way, is your company using integration services? If so, who?