RFID & Viral Vulnerability
Arleo writes "Student Melanie Rieback and others, part of a Tannenbaum research group in Amsterdam, have proven that RFID tags are vulnerable to infection with viruses. In a research paper titled "Is Your Cat Infected with a Computer Virus?" it is shown how an altered RFID tag can be used to send a SQL injection attack or a buffer overflow. They describe on the rfidvirus.org website possible exploits of these types of viruses: from altering the backoffice of a supermarket to spreading RFID viruses by infected bags at airports."
Bright Future for RFID malware. (Score:5, Insightful)
Fascinating stuff, but it seems that the game plan for protecting against RFID malware is basically the same as protecting against more traditional malware...namely, enforcing proper bounds checking, enforcing proper database permissions hierarchies, disabling back-end scripting languages, isolating the vulnerable RFID middleware server in a proper DMZ environment, etc.
In other words, RFID malware has just as bright a future as the more traditional flavor, since most developers and administrators can't be bothered to take these elementary precautions.
Re:Bright Future for RFID malware. (Score:4, Insightful)
Re:Bright Future for RFID malware. (Score:4, Insightful)
I see a real threat for anonymous attacks:
Attacker buys RFID-tracked product at store.
Attacker alters RFID-tracked product to allow for attack.
Attacker returns the product to the store shelf and waits...
Joe Sixpack checks out with infected product.
Clerk scans product and infects store database.
All prices for all products now set to $0.
Re:Bright Future for RFID malware. (Score:2)
Clerk scans product and infects store database.
All prices for all products now set to $0.
Again, any decent software developer knows that you never trust outside input. You always check everything that comes in. Follow that simple rule and your software is secure from these kinds of attacks.
Re:Bright Future for RFID malware. (Score:2)
The software will likely be wide open from this kind of attack.
Re:Bright Future for RFID malware. (Score:1)
Good point. If I wanted to infect a system, say at Walmart, I'd just place the infected RFID tag on a product on the shelf and wait for someone to buy it or inventory it. I'm long gone by the time the infection attempt takes place.
Re:Bright Future for RFID malware. (Score:5, Insightful)
Not true. The article specifically mentions potential SQL injection attacks, which are not caught by a simple length check. Also, you are assuming that the tag contains nothing more complex than a single ID number. As the complexity of the data in the tag goes up, so does the complexity of the parsing code for that data. Take for example including a picture of the owner in the RFID tag inside of a passport. Now the outside data is being fed to some type of image decompression software with all sorts of opportunities for vulnerable bugs. Not only is image data likely to be a component of lots of RFID data, image decompression routines have historically been fertile ground for exploitable code bugs.
None of which is to say that the problem isn't manageable, but just that it's a lot more involved than a single length check. In fact, it's that kind of thinking which leads to vulnerable bugs. "Hey, this 1KB of random data is the right length, it must be OK. No need to worry about bugs anywhere else in the system." Riiiight.
Re:Bright Future for RFID malware. (Score:2)
Don't misinterpret me: I think RFID is a bad idea, but blowing up airports using a buffer overflow on a malicious tag can easily be prevented.
Re:Bright Future for RFID malware. (Score:2)
False. I re-read the paper just to make sure I didn't miss anything. They have an example of a working attack against an Oracle database. Their attack is 127 bytes long in a system with a 128 byte data field. Where is the buffer overflow?
but blowing up airports using a buffer overflow on a malicious tag can easily be prevented.
And as I said, that's a dangerous attitude. The problem goes beyond mere bounds checking on the buffer. And if you were actually in charge
Re:Bright Future for RFID malware. (Score:1, Interesting)
Write a little virus that defaults all your merchandise to 99 cents an item, and you are good to go. This would of course only work with items worth more than 99 cents, like steaks and electronics. Defaulting bubblegum to 99 cents would end up making you lose money.
Re:Bright Future for RFID malware. (Score:5, Funny)
I'll have to explain to my dad not to download whatever crap is on the internet, never to reply yes when some crap wants to install something without asking me first, and now I need to ask him to check the Service Pack version on his six-pack and explain to him that bringing Russian vodka home can wipe out his hard disk when he turns the TV on?
Re:Bright Future for RFID malware. (Score:3, Interesting)
Re:Bright Future for RFID malware. (Score:2)
That really is a good insight. The RFID issues that Tanenbaum and company pointed out are just new examples of the general problem, software reading untrusted data.
Re:Bright Future for RFID malware. (Score:2)
How would you let something like that happen? There is a ton of code to prevent that all over creation, not to mention that I think every database on the planet has a quote function just to prevent that kind of thing.
Buffer overflow? Just what data entry method is not vulnerable to a buffer overflow if the programmer is careless?
I would have been shocked if RFID was magically immune to programmer induced security breaches.
Fir Trees? (Score:3, Funny)
American oak tree research groups and Swedish aspen tree research groups have responded by working around the clock to fix this security hole. Never before have groups centered on deciduous trees been so involved in computer security.
My question is why? (Score:3, Insightful)
Re:My question is why? (Score:2, Informative)
Re:My question is why? (Score:5, Interesting)
Problems we've had (in talking with the engineers):
1. Our product is in metal containers (within cardboard). Bad for RFID.
2. Placement is CRITICAL. Especially in a plant environment, you need to know where the RFID tag is so you can read and write it quickly; in addition to minimizing #3
3. Outside RF. We've had instances where in a test lab, we can read and write and verify the write within 80ms, as a box is cruising by on the conveyor. Once we transition to the plant, however, it gets a little more shaky, as you have less control over where the conveyor motor is, more fluorescent lights, and oh yeah, there's still those damn metal cans.
RFID has a long way to go, from what I've been told by our engineers. It's not as dead simple as you might think -- though of course handheld scanners, which require human intervention, may be 10 times easier, since humans can modify the environment as they see fit on the fly.
Re:My question is why? (Score:1, Interesting)
We are using active tags for WIP and are placing the tags directly on the objects. These tags are expensive (+-$20), but we reuse them. We use passive tags on the shipping labels.
Also, one more thing to look out for - the noise level. Certain parts of our plants were just too loud to use passive RF tec
Re:My question is why? (Score:1)
1. Inventory, being able to know what is in your store and where it is in a retail setting.
2. Convenience, things like being able to park a cart next to a teller and have all the items charged instantly.
3. RFID is already used successfully for tracking pets and could be used to store medical data in people with allergies or other special medical requirements, along with other personal data if the individual chooses.
Let me say I'm scared of some of the po
Re:My question is why? (Score:5, Insightful)
1. Inventory, being able to know what is in your store and where it is in a retail setting.
Actually, according to a recent study, RFIDs are only about 90% accurate at best, for large pallets whizzing by on conveyor belts in a warehouse setting.
2. Convenience, things like being able to park a cart next to a teller and have all the items charged instantly.
See #1. I don't know any retailer that would abide by less than 99.999% accuracy. RFID does not meet this requirement at all.
3. RFID is already used successfully for tracking pets and could be used to store medical data in people with allergies or other special medical requirements, along with other personal data if the individual chooses.
Let me say I'm scared of some of the potential abuses too, but there are upsides to this.
Now you're getting to the real meat of why some want RFID to take off. It's much easier to convince someone to accept an injection of a little chip than to be tattooed with a bar code, Henry Rollins notwithstanding.
While it may be beneficial, the very reason it's beneficial is also why it's bad in an Orwellian sense. There is no way for this to be beneficial without the bad. You can't cover up an RFID, or make it inoperative, without impairing its usefulness when needed.
Re:My question is why? (Score:4, Insightful)
See #1. I don't know any retailer that would abide by less than 99.999% accuracy. RFID does not meet this requirement at all.
If you think this is true, you need to check your receipts and count your change more frequently.
I've never seen a shop that manages 99% accuracy... the clerk fails to scan an item (doesn't notice it didn't beep), the item is in the database with the wrong price, the item scans twice, the item is missing entirely (so the clerk asks you to give them the price)...
99.999%???
Re:My question is why? (Score:1)
If they're going to go with something as expensive as a retrofit of RFID will be, I'm guessing they're going to want 99% or better.
Re:My question is why? (Score:2, Interesting)
I was talking to a software provider for the supermarket sector, and at a conference he was recently at, the people working on RFID technology were happy to get 60% scan rate in a real world environment.
It's likely the tech is going to take another 5-7 years before it's up to the 95%+ scan rate we need to function and trust our inventory.
Re:My question is why? (Score:5, Insightful)
Re:My question is why? (Score:2)
Say that the iPod headphones weigh
And that the iPod weighs
An increasing number of checkouts will catch that. I don't know how sensitive they are but my gut feeling is that it is fractions of an ounce based.
Why we switched - save you money (Score:2, Informative)
http://www.illinoistollway.com/portal/page?_pageid=57,1302257,57_1302270&_dad=portal&_schema=PORTAL [illinoistollway.com]
http://www.ezpassde.com/ [ezpassde.com]
http://www.sunpass.com/ [sunpass.com]
http://www.prepass.com/ [prepass.com]
Weight in motion, which usually uses RFID;
http://science.howstuffworks.com/question626.htm [howstuffworks.com]
We've been doing RFID since 1996. It's not new technology. We are just talking about new applications.
Re:My question is why? (Score:2, Interesting)
Re:My question is why? (Score:2)
Re:My question is why? (Score:2)
Re:My question is why? (Score:1)
Yes. When you ship stuff you can only optically scan the surface.
"Stuff" has depth. RFID beats manual unstacking, restacking, re-covering, etc.
External barcodes reflecting bulk contents are invalid when an item is removed but the external tag is left unchanged. RFID offers immediate inventory adjustment with each bulk scan. It goes more than one link deep, so to speak.
Re:My question is why? (Score:1)
Will this affect me? (Score:2, Interesting)
Re:Will this affect me? (Score:2, Interesting)
I'm just curious, will the company also compensate the employees who are working more hours - even if they are coming in late?
I know, if you said something like this, they'd call you in and tell you "what a bad attitude you have." or that "you're not a team player."
Yeah, I'm bitter....fucking corps...
Re:Will this affect me? (Score:1)
Re:Will this affect me? (Score:4, Insightful)
I think what he's asking is: does the badge record the leaving time as well as the arrival time? This is a problem where I work as well...the badge records when you come in, but doesn't record when you leave, so it doesn't matter if you stay late to finish a project...all the management cares about is when you got there in the morning.
I don't work late anymore.
Wait... (Score:1)
Re:Wait... (Score:1)
Re:Wait... (Score:1)
No wonder people get scared... if someone with a good grasp of computer tech can get confused here, imagine how your grandparents feel.
Virus? I think not. (Score:2, Insightful)
In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents...-Wikipedia [wikipedia.org]
Re:Virus? I think not. (Score:4, Interesting)
If the SQL injection or buffer overrun instructs the middleware system to overwrite all RFID tags subsequently scanned with the exploit code, that's pretty self-replicating, isn't it?
Re:Virus? I think not. (Score:2, Informative)
At that point, I'd be more afraid of the EM emissions than any RFID dastardliness.
Re:Virus? I think not. (Score:2)
The point is you use the RFID tag as a key in your database.
Say I receive 12 widgets from a company to put on my shelf. Each widget has an RFID tag. I enter each of them into my database. Now as I sell them they're scanned, the tag is used to search the database [e.g. it's the key], and I mark it as gone.
The actual value of the tag doesn't matter so long as it's unique. E.g. two widgets don't have
Re:Virus? I think not. (Score:2)
There is a lot of value in this. It al
Re:Virus? I think not. (Score:1)
Re:Virus? I think not. (Score:4, Informative)
From the linked pdf: To prove our point, this paper will present the first self-replicating RFID virus.
So, um, yeah. Maybe, just maybe, you should RTFA. I know, I know. Pipedream.
Mighty If-fy (Score:5, Insightful)
From rfidvirus.org: Here is where the trouble comes in. Up until now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software, and certainly not in a malicious way. Unfortunately, they are wrong. In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionally) infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags. No one thought this possible until now. Later in this website we provide all the details on how to do this and how to defend against it in order to warn the designers of RFID systems not to deploy vulnerable systems.
So to sum up, if some programmer doesn't do his/her job, the RFID tags they plan on implanting in our passports could be used as delivery devices to compromise computer systems around the globe.
I'm going to rate this a pretty big if, though, as we know from all the patching going on, the probability is very high. RFID software is going to have to be thoroughly tested and watched like a hawk. Undoubtedly there's going to come a point where if one or two of these viruses get out and something newsworthy happens (airport computers crash, Citigroup gets credit card data stolen, etc.), the whole idea of RFID tags everywhere is going to get a serious black eye.
Re:Mighty If-fy (Score:2)
we could see SQL Injection attacks, or buffer overflow vulnerabilities, or
But once it hits as you describe, the black eye will be irrelevant. By then the tech will be "crucial to the actions" of first responders, airport security, etc. Then what happens? Congress bloviates in a "special heari
Silly Government, technology can be hacked! (Score:1)
-- Bridget
Porterhouse steaks at last! (Score:3, Funny)
Cashier: Um, $1 for 2 steaks? That can't be right.
Me: Sure it is. Look at the sticker. 50 cents a pound. The steaks weigh two pounds thus $1 for two steaks. Mad cow and all that.
Cashier: Ok, if the sticker says so, it must be right. *scan* *beep!* *scan* *beep!* *scan* *beep!*
Re:Porterhouse steaks at last! (Score:2)
Re:Porterhouse steaks at last! (Score:5, Insightful)
Yeah, it drives the credit agencies nuts because they can't track my credit history because I almost never have a credit bill (excluding my monthly ISP charge). The best they can do is see that I pay all my bills (electric, cable, etc) on time.
Merchants are certainly stymied because they can't gather enough information on me so they can't send me their snail mail spam.
No, I'm not paranoid. I just hate debt. Debt is evil. It sucks the life out of one's finances and inhibits the accumulation of wealth.
Granted, the current administration doesn't understand this but that's a whole other issue.
Re:Porterhouse steaks at last! (Score:4, Insightful)
In 5 years you won't get anything at a huge supermarket chain anymore without a card. Won't work? People will refuse to shop there? Think of some of the huge outlets that only let you IN when you've got a card and go figure.
Re:Porterhouse steaks at last! (Score:2)
You know how much they charge for a box of candy? $8~$10 bucks.
You know how much that same candy gets sold for by the piece? Minimum twice as much.
You won't save money on everything in the store, but you'll get your yearly fee back & start saving money if you buy in bulk. For a lot of people, it makes sense.
Re:Porterhouse steaks at last! (Score:2)
Why not use a check card, then?
Re:Porterhouse steaks at last! (Score:2)
By paying with cash, you are overpaying for everything you buy. Cash-back credit cards, when paid on time, are the equivalent of giving yourself a few percent raise every year.
Also, I think it is probably good for stores to know what kinds of goods I buy. It could potentially help them keep things in stock better.
But keep overpaying with cash if that is the only way you can handle finance psychologically...
Still, you could just carry
Awesome line (Score:4, Funny)
Free beer anyone?
Re:Awesome line (Score:1)
user input (Score:5, Insightful)
But of course there are nowadays lots of websites which are vulnerable to SQL injection and similar hacks. Even Google had a cross-site scripting exploit.
And in other news (Score:2)
Virus Virus (Score:2)
Newcastle Brown Ale RFID (Score:3, Funny)
I'll take 10 please.
Implications for prices (Score:1)
Seriously though, think of the implications! You could actually increase all the pricetags at your local Wallmarrt...
Ai Ai (Score:1)
Pure FUD (Score:4, Insightful)
I can see a buffer overflow if your rfid is capable of generating a string massively larger than a normal rfid.
Outside of a SQL injection to get past a really poorly designed RFID reading application or plain stupidity in the RFID reading software part I can not see any way for a RFID to get the host reading PC to execute the code inside it.
Not pure FUD, just facts. (Score:5, Insightful)
Not 'evil', just dumb. An RFID reader is an insecure input device like any other, and you don't even need physical access to use it. But it seems nobody thought of preparing a barcode that could crash the cash register, recording a magnetic card that would infect the security system, etc. Some devices are thought to be too simple to mean danger - wrongly. I remember some old Atari games that would crash or misbehave if you opened the joystick and pressed "left" and "right" simultaneously. I burnt the electronics of an RC toy car by telling it to go forward and back at the same time. Got a motorbike to run backward by starting the engine by pushing it backwards. Managed to crash my cell phone by a buffer overflow at the battery load level sensor (it WAS a software failure!). Got a CD tray to stop halfway by simultaneously pressing the eject key and sending eject commands from the computer.
A toggle switch can be balanced in the middle position. A pushbutton can be softly pressed to make a spark gap. Unconnected lines can be shorted. Even a single-bit input device cannot be trusted.
Re:Not pure FUD, just facts. (Score:2, Funny)
Re:Not pure FUD, just facts. (Score:2)
Re:Not pure FUD, just facts. (Score:2)
Without some really serious modifications you won't start a 4-cycle engine backwards. 2-cycle - no problem.
overhype (Score:5, Insightful)
This really is no different than replacing the barcodes on packages.
Tom
Re:overhype (Score:1)
If they would just 'read' the RFID tag instead of putting code on it.. the only real problem they face is that the information could overflow. But that isn't so hard to counter.
Re:overhype (Score:3)
Design crap software, expect user stimulus to break it.
This is only "news" because it has RFID in it and everyone loves to beat up on what they don't understand.
Tom
Re:overhype (Score:1)
Someone could write really bad barcode reader software with the same vulnerability, or they could even (I know, I'm stretching things here) write software that overflowed based on how much a user typed into the keyboard. Somehow "if length > maximum" is too much to ask for.
Re:overhype (Score:2)
Problem for Schrödinger (Score:3, Funny)
Minix (Score:2)
Hmmm... on the other hand he is the one who first wrote about that dangerous hacker Kevin Mitnick...
Re:Minix (Score:1)
Re:Minix (Score:2)
Re: (Score:2)
Re:Minix (Score:2)
Author of the New York Times article. John Markoff. Sorry for being unclear.
Duh, but really: DUH! (Score:2)
It's the backend that's the risk. Not the RFID tag.
Re:Duh, but really: DUH! (Score:2)
multiple security systems (Score:3, Insightful)
For example, at one urban college library they put the cardholder's face immediately on the screen. The cardholder could have a fake ID or have borrowed a friend's, but it's much harder to fake a face image. And an image is much easier for the guard to process than some descriptive text. Likewise the RFID code reader could flash an image of the product to the cashier or warehouse clerk as secondary identification.
Re:multiple security systems (Score:2)
Free... (Score:1)
Someone has to write a virus to completely screw up a crappily implemented system. Therefore, finally we may be able to attain the holy grail: free (as in beer) beer!
RFID Viruses? Excellent! (Score:4, Funny)
You almost have to be an insider FIRST (Score:4, Interesting)
In this case, it seems to me that if you know enough about both ends of the process, sure, you can develop some method to penetrate the system. Most malware authors have the benefit of working on a very well-known platform - the Windows PC - with known software (one of the limited numbers of email or browser programs). But attacking a back-end system like this is a much more dicey proposition - each large corporation probably will have its own back end, and may be running any of a dozen OS-and-database combinations.
So to benefit from this attack, it seems to me that the author has to be an insider to stand a ghost of a chance of success. If he's an insider, there are MUCH easier ways to penetrate the system.
As a result, while I have great concerns about RFID, this strikes me as FUD.
1) Develop complicated, application-specific RFID attack that would never be real-world useful
2) Write research paper spreading more fear about RFID
3) PROFIT! (or at least get a lot of attention)
Re:You almost have to be an insider FIRST (Score:3, Insightful)
Re:You almost have to be an insider FIRST (Score:4, Insightful)
"A lot of good comments have already been made here, but I'm surprised nobody has commented yet on something that seems obvious: if you're going to hack into a system, you have to know a little bit about the system first."
You're 100% right, but there will emerge from 1 to 3 dominant vendors of backend RFID systems, and they will be deployed in many places, many people will have knowledge of these systems, and help to learn about their underlying architecture will likely be found right on the vendor's website, or only a couple Google searches away. Like every other system out there, there will be a few weird custom jobs, but most of it will be off-the-shelf software that thousands of organizations use.
Today's theoretical often winds up being tomorrow's practical.
Re:You almost have to be an insider FIRST (Score:2)
:-)
RFID Software vulnerabilities (Score:2, Interesting)
Re:RFID Software vulnerabilities (Score:1)
Re:RFID Software vulnerabilities (Score:4, Informative)
I'm not sure you understand how RFID tags work. There are a variety of standards on how RFID tags are encoded, all of which break down into partitioning the tag's data into segments to form the unique identifier.
For the sake of argument I'll use EPC SGTIN96. The SGTIN tag has four partitions: Filter, Company Prefix, Item Reference, and Serial Number. Each of these fields is of varying size depending on how big the tag is. Typically RFID tags are 96 bits (although some tags can get up to 1Kbit); even using 7-bit ASCII there's not a whole lot you can fit in 96 bits. When I poll the reader or the middleware, I'm getting back a number, e.g. 12345, and it's my responsibility to parse through that number to get the fields I'm interested in. In this scenario I would have to be doing some *very* sloppy programming to open myself to an SQL injection attack (something along the lines of treating known numeric data as a string).
ISO and EPC Gen 2 tags do support custom data, which I suppose could be used to store strings, but since it is severely space constrained (typically in the range of 2-32 bytes) I question the viability of such an attack. Not to mention that the field will likely be used for writing in IDs instead of human-readable data. Finally, it is common to encrypt the custom payload on an RFID tag. So even if somebody were to change it to "AND 1 = 1" it would be caught when the program tries to decrypt the tag.
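An added example, not part of the comment above or of the paper under discussion: a strict SGTIN-96 decoder that yields only integers, with the scan stored through bound parameters so that tag data, including user memory that passes a length check, never becomes SQL text. The table names, sample EPC and sample user-memory bytes are constructed for illustration; the bit layout is the one in the GS1 EPC Tag Data Standard.

```python
import sqlite3
import string

HEADER_SGTIN96 = 0x30
SERIAL_BITS = 38
MAX_USER_MEMORY = 32  # bytes; upper end of the range quoted in the comment

# GS1 partition table: value -> (company-prefix bits, digits, item-ref bits, digits)
PARTITIONS = {
    0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3), 3: (30, 9, 14, 4),
    4: (27, 8, 17, 5), 5: (24, 7, 20, 6), 6: (20, 6, 24, 7),
}

# Constructed sample inputs (not taken from the page).
SAMPLE_EPC = "3074257BF7194E4000001A85"  # filter 3, partition 5, serial 6789
SAMPLE_NOTE = b'"; UPDATE prices SET cents=0; --'  # 32 bytes, passes the length check


class TagError(ValueError):
    """Raised when tag data does not match the expected layout."""


def decode_sgtin96(epc_hex):
    """Return the numeric SGTIN-96 fields, or raise TagError."""
    if (not isinstance(epc_hex, str) or len(epc_hex) != 24
            or any(c not in string.hexdigits for c in epc_hex)):
        raise TagError("expected exactly 24 hex digits (96 bits)")
    value = int(epc_hex, 16)
    if value >> 88 != HEADER_SGTIN96:
        raise TagError("not an SGTIN-96 header")
    partition = (value >> 82) & 0x7
    if partition not in PARTITIONS:
        raise TagError("reserved partition value")
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    company = (value >> (SERIAL_BITS + ir_bits)) & ((1 << cp_bits) - 1)
    item = (value >> SERIAL_BITS) & ((1 << ir_bits) - 1)
    if company >= 10 ** cp_digits or item >= 10 ** ir_digits:
        raise TagError("field exceeds its decimal digit limit")
    return {
        "filter": (value >> 85) & 0x7,
        "company_prefix": company,
        "item_ref": item,
        "serial": value & ((1 << SERIAL_BITS) - 1),
    }


def open_db():
    """In-memory stand-in for the back-end database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE prices (company_prefix INTEGER, item_ref INTEGER,"
               " cents INTEGER)")
    db.execute("CREATE TABLE scans (company_prefix INTEGER, item_ref INTEGER,"
               " serial INTEGER, note BLOB)")
    return db


def record_scan(db, epc_hex, user_memory=b""):
    """Validate a tag read and store it; tag bytes are only ever bound as data."""
    fields = decode_sgtin96(epc_hex)
    if len(user_memory) > MAX_USER_MEMORY:
        raise TagError("user memory longer than the tag can hold")
    # The length check above does not make the bytes safe to splice into SQL;
    # the ? placeholders do, because the driver never parses them as SQL.
    db.execute(
        "INSERT INTO scans VALUES (?, ?, ?, ?)",
        (fields["company_prefix"], fields["item_ref"], fields["serial"],
         bytes(user_memory)),
    )
    return fields


if __name__ == "__main__":
    db = open_db()
    db.execute("INSERT INTO prices VALUES (?, ?, ?)", (614141, 812345, 499))
    print(record_scan(db, SAMPLE_EPC, SAMPLE_NOTE))
    print(db.execute("SELECT cents FROM prices").fetchall())
```
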
Tanenbaum not Tannenbaum (Score:1)
Article is crap (Score:2)
Fouling up sloppy backend SQL code is one thing. Implying that my infected cat will slow to a crawl, barf up pr0n-storm hairballs and begin all night cries of "Viagra! Cialis!" because of its RFID t
viral misnomer (Score:2)
Why do the editors approve stories with such blatant buzzword abuse?
Re:viral misnomer (Score:2)
I can see the RFID nametags (Score:2, Funny)
HELLO, My Name is
";UPDATE Users SET name = "nuzak";
--------
Now you are all nuzak.
cool! (Score:2)
Tanenbaum (Score:2)