Can Tag Viruses Infect RFID Systems?

By Jonathan Collins

Mar. 15, 2006—A group of European computer researchers at Vrije University in Amsterdam, the Netherlands, have published a paper they claim shows how RFID tags, including those complyiant with EPCglobal standards, could be used to transmit computer viruses capable of bringing down and compromising entire computer systems.

"Even a tag with just 112 bytes available can create a buffer overflow or an SQL injection attack," says Andrew Tanenbaum, professor of computer science at the university.

RFID software designers have long thought the memory of passive RFID tags too small to pose any likely security threat, the researchers explain, saying their work shows that threats are possible by using tags to exploit long-standing vulnerabilities in the middleware and application software.

However, the group's claims were immediately rejected by some members of the RFID industry, including Kevin Ashton, cofounder and former executive director of MIT's Auto-ID Center and now vice president of marketing for RFID interrogator manufacturer ThingMagic.

"A typical EPC tag has 96 bits of memory with an ID number," Ashton notes. "For any such threat to be credible, there would have to be more memory, a read-write tag and variable-length tag reads. It would also need a reader and a system stupid enough and vulnerable enough to allow executable malicious code."

Sue Hutchinson is the director of product management for EPCglobal US, the U.S. arm of EPCglobal, a GS1-sponsored organization working to commercialize EPC technology and RFID standards. She says the security features built into the latest EPC tag and reader standard, Class 1 Gen 2, make the air interface protocol very different than the tags and readers used in the Dutch study.

Studies such as the one done at Vrije University are important because "they keep us thinking about these things, and it's of critical importance," says Hutchinson, "but it's a grand leap to say that [what was shown in the study] could happen to EPC tags and readers."

"We've been taking a very proactive stance at looking at security in the EPC Gen 2 protocol," she says. To strengthen security, the Gen 2 protocol includes two key safeguards: the ability to lock a tag so that only an authorized interrogator can write any data to it, and the use of RF masking, which adds a random number to a tag's ID and requires the tag and reader to exchange what she likens to a handshake before they can exchange any data. These features "make it much harder to introduce a virus into the system," she says, than using the method in the study.

According to a paper written by the Dutch researchers, the group carried out multiple tests of RFID tags made with Philips UHF I-Code SL1 chips, which, according to the paper, had 896 bits of memory. During the tests, the tags were programmed with a number of viruses and other types of malware developed at the university. The group used its own RFID middleware and a number of commercially available databases in its trials. The tests showed that tags could be employed to instigate a number of malicious attacks on the databases and middleware used in an RFID network, including buffer overflow and SQL injection, and even open a back door to the RFID application server.