Can Tag Viruses Infect RFID Systems?

"A lot of these attacks are common knowledge to IT security professionals, but what is different is that no one expects these attacks to come from an RFID tag," says Melanie Rieback, a Vrije University Ph.D. student who presented the group's findings today in a paper at the IEEE conference Pervasive Computing and Communications (IEEE PerCom) in Pisa, Italy. The paper, entitled "Is Your Cat Infected With a Computer Virus?," is available at the group's Web site.

The goal of the group's work, says Rieback, is to ensure that commercial RFID middleware developers, as well as RFID deployers developing their own middleware, address the potential of security attacks emanating from tags. "It is early enough not to cause too much damage," she says. "What would have been worse is if this threat had been discovered only through the work of a malicious hacker in five years' time, when many RFID systems have been deployed."

According to Ashton, the group's development of its own middleware to test the system underestimates the security built into commercially developed RFID middleware. "The RFID industry is an offshoot of the IT industry, and that industry has always taken security very seriously," he says. "Some of the earliest work at the Auto-ID Center addressed security."

"We've built security features into every part of the EPCglobal Network," says Hutchinson, "not just in the air-interface protocol, but also into the application-level events protocol and into the higher-level [elements] used for data discovery and track-and-trace applications."

While such virus attacks may be possible in theory, says Ashton, good software development practices would ensure that these vulnerabilities would be extremely unlikely to be found in any RFID network. "There are any number of hurdles that a piece of malicious code would have to overcome [to do any damage]," he claims, adding that RFID interrogators alone would detect rogue tags or rogue software on tags as part of the verification process of reading them.

Nonetheless, Tanenbaum believes a system using read-write tags are at the greatest risk because a system compromised by a single malicious tag could be used to create many more infected tags. One example is the tag used in RFID-enabled baggage-handling systems already in operation at Las Vegas' McCarran Airport. Once infected, Tanenbaum claims, baggage tags could be used to infect baggage-handling systems worldwide as bags with infected tags move to and are read at other airports.

The potential threat from RFID viruses is compounded further, say the researchers, by the interaction RFID tags enable between physical objects and events and computer systems. "In the past, if these attacks were used on a PC, then it might crash the computer, but RFID merges the real world and the virtual world, and so there is the potential for real and much more severe consequences," Tanenbaum says.

Ashton, however, asserts that the comparison with PC systems underlines a problem in the research group's work. "RFID systems are built using middleware, software and database systems, as well as custom software to act as a glue between these elements," he explains. "Every [RFID system] is unique, not like a PC desktop system. There would have to be stupid holes in the system vulnerable to attack, and the attacker would need intimate knowledge of those holes. If that were ever the case, the attacker wouldn't use RFID as a weapon of choice."