McAfee Report Hypes RFID Threat
By Mark Roberti
It's hard to imagine that a company whose reputation depends on trust could issue a report littered with exaggeration and unsubstantiated claims, but that's exactly what security software vendor McAfee has done. Its April "Sage" report suggests radio frequency identification tags could be hacked in such a way as to expose the data in a company's back-end database. However, the report presents no evidence whatsoever, doesn't even explain how this could be done and goes on to raise other bogus privacy concerns as well.
The report, issued semiannually by McAfee Avert Labs based on its research into high-tech threats, reads, in part: "RFID readers could contain vulnerabilities that would allow RFID chips to contain exploits to steal information from backend databases." Okay, technically, I guess you could write data to an RFID tag that could take advantage of some undiscovered vulnerability in an RFID reader, but it's also true that a clever hacker could write code so malicious and fast-spreading it could bring down all of the world's major computer networks.
An exploit is code or crafted input that takes advantage of a vulnerability, for example to give an attacker access to sensitive information. It's possible the report's claim about RFID having such a vulnerability might be based on a statement made back in 2004 by Lukas Grunwald, a German consultant who said: "It is only a matter of time before someone puts a root exploit on one of these tags and hacks into your supply chain" (see RFID Hack Could Allow Retail Fraud).
To date, I haven't seen a single shred of evidence, anywhere, that would substantiate these claims, and I truly doubt it is even possible. No, I'm not a software expert, but tags store flat data, not executable programs, so it's hard to see how you could use tags to penetrate systems containing RFID data. And even if someone were able to exploit a reader's vulnerabilities, most readers can have their firmware updated remotely, so the loophole would be closed. (Yes, another might be found, and we'd have the kind of ongoing battle we have with PCs.)
Tomorrow, I'll take a look at the privacy issues raised in the "Sage" report.
RFID tag as a vector
I was thinking about the "RFID tag as virus vector" theory that McAfee recycled in their "Sage" report. It is worth noting that, at the time this canard was first trotted out (I believe some researchers from the Vrije University in the Netherlands were involved), there were many rebuttals published in blogspace--some humorously succinct in their dismantling of the theories. I haven't dug back to try and find any of them, but I thought of an instructive analogy that I think sums up the main objection to this notion.
Many companies these days have very few, or perhaps no, physical fax machines left in their offices. Instead, many faxes are sent and received using fax server software. The software is by necessity connected to corporate networks, since most of the time faxes are forwarded to recipients via email. I would submit that a fax provides a much better vector for virus propagation than an RFID tag, since a typical fax contains hundreds, if not thousands, of bytes of data, versus a paltry few bytes to perhaps tens of bytes in a typical RFID tag. Add to this the ubiquity of fax server installations, and you have seemingly fertile ground for sowing viruses.
So why have we not heard report after report of fax viruses set loose by clever crackers? Because no fax server is "looking" for program code to come in on a fax line. It expects to receive essentially an image file, and all data arriving via fax is interpreted in this light. (Yes, there are middleware packages that will take that fax image and use OCR or barcode technology to extract other data, but that's a separate layer beyond the scope of this discussion.) I doubt if any fax server package ever was hacked because the software decided to "execute" the fax data.
I think this fax server example is very appropriately analogous to a strong majority of RFID applications (we're talking 99.999%+ here). No reader, middleware, or back-office system is configured to interpret data received from a tag as executable code. It's just an ID, or maybe some other data like manifest info or product data. As for attempting some kind of buffer-overflow exploit, this seems unlikely as well--the paucity of bandwidth over the interface between reader and tag forces protocol designers to strictly regulate the amount of data transferred, which would seem to limit the potential for such an attack.
In the interest of full disclosure, I will just state that I am an RFID consultant (and, therefore, an advocate for intelligent, reasonable use of the technology). I'm not a security expert or software engineer. While I agree with the idea that application and hardware designers need to ensure that they are not vulnerable to such an attack, I don't believe that it is the imminent threat it has been made out to be by these isolated "researchers."
Posted By: Dave 4/26/07 at 3:42 PM
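The report's line about tags carrying "exploits to steal information from backend databases", and the comment's point that no middleware interprets tag data as executable code, both turn on the same question: what does the software on the reader side do with the bytes it reads? The 2006 Vrije Universiteit work the comment refers to showed that the answer need not involve executable code at all; it is enough that the middleware splices the tag's contents into a database query, at which point the database, not the tag, does the interpreting. The following is an added example, not code from the article, the McAfee report, or the comment. Every name in it is constructed (the in-memory SQLite tables, the product rows, and both tag payloads): a middleware lookup that builds its SQL by string concatenation, beside the parameterised form that closes the hole and a format check that rejects anything which is not a 96-bit EPC.

```python
"""Tag data reaching a back-end database: string-built SQL vs a bound parameter.

Added example, not code from the article, the McAfee report, or the comment.
Everything here is constructed: the SQLite schema, the rows, and both tag payloads.
"""
import re
import sqlite3

# A 96-bit EPC rendered as hex is exactly 24 hex digits. Constructed allow-list.
EPC96_HEX = re.compile(r"^[0-9A-Fa-f]{24}$")


def build_db() -> sqlite3.Connection:
    """Constructed back end: the table the middleware looks EPCs up in, plus an
    unrelated table that tag data should never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (epc TEXT PRIMARY KEY, description TEXT);
        CREATE TABLE contracts (supplier TEXT, price REAL);
        INSERT INTO products VALUES ('30340DBE1C4A8C0000000001', 'pallet, widgets');
        INSERT INTO products VALUES ('30340DBE1C4A8C0000000002', 'pallet, gadgets');
        INSERT INTO contracts VALUES ('Acme', 12.5);
        INSERT INTO contracts VALUES ('Globex', 9.75);
        """
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, epc: str) -> list:
    """Vulnerable middleware: the bytes read from the tag are spliced into the
    query text, so the database parses them as SQL."""
    sql = f"SELECT description FROM products WHERE epc = '{epc}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, epc: str) -> list:
    """Hardened middleware: the tag data is bound as a parameter, so it is only
    ever compared as a string and never parsed as SQL."""
    sql = "SELECT description FROM products WHERE epc = ?"
    return [row[0] for row in conn.execute(sql, (epc,))]


def lookup_validated(conn: sqlite3.Connection, epc: str) -> list:
    """Defence in depth: reject anything that is not a well-formed EPC before it
    gets anywhere near the database."""
    if not EPC96_HEX.match(epc):
        raise ValueError("tag data is not a 96-bit EPC in hex")
    return lookup_param(conn, epc)


# Constructed tag payloads. Both are plain strings, exactly the "flat data" a tag
# stores; neither is a program. The hostile one is 52 bytes, small enough for the
# user memory bank of many Gen2 tags. It closes the quote the vulnerable query
# opened, appends a UNION against the other table, and comments out the rest.
GOOD_TAG = "30340DBE1C4A8C0000000001"
HOSTILE_TAG = "' UNION SELECT supplier||':'||price FROM contracts--"


def demo() -> dict:
    """Run the two payloads through each lookup and collect what comes back."""
    conn = build_db()
    result = {
        "concat_good": lookup_concat(conn, GOOD_TAG),
        # The vulnerable path returns contract data the tag had no business reaching.
        "concat_hostile": sorted(lookup_concat(conn, HOSTILE_TAG)),
        # The bound parameter matches no EPC, so nothing leaks.
        "param_hostile": lookup_param(conn, HOSTILE_TAG),
    }
    try:
        lookup_validated(conn, HOSTILE_TAG)
        result["validated_hostile"] = "accepted"
    except ValueError:
        result["validated_hostile"] = "rejected"
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The size and non-executability of the tag data are beside the point once the consumer parses it: `lookup_concat` hands the `contracts` rows to whoever wrote the tag, while `lookup_param` returns nothing for the same bytes. The fix lives in the middleware, not on the tag, which is also why the comment's fax analogy holds only for software that treats incoming data as an opaque blob rather than as part of a query.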