Home Internet of Things Aerospace Apparel Energy Defense Health Care Logistics Manufacturing Retail

Can Tag Viruses Infect RFID Systems?

A group of European computer researchers have issued a study warning that RFID middleware and applications are vulnerable to viruses encoded into a tag's memory.
By Jonathan Collins
Tags: Standards
Mar 15, 2006A group of European computer researchers at Vrije University in Amsterdam, the Netherlands, have published a paper they claim shows how RFID tags, including those complyiant with EPCglobal standards, could be used to transmit computer viruses capable of bringing down and compromising entire computer systems.

"Even a tag with just 112 bytes available can create a buffer overflow or an SQL injection attack," says Andrew Tanenbaum, professor of computer science at the university.

RFID software designers have long thought the memory of passive RFID tags too small to pose any likely security threat, the researchers explain, saying their work shows that threats are possible by using tags to exploit long-standing vulnerabilities in the middleware and application software.

However, the group's claims were immediately rejected by some members of the RFID industry, including Kevin Ashton, cofounder and former executive director of MIT's Auto-ID Center and now vice president of marketing for RFID interrogator manufacturer ThingMagic.

"A typical EPC tag has 96 bits of memory with an ID number," Ashton notes. "For any such threat to be credible, there would have to be more memory, a read-write tag and variable-length tag reads. It would also need a reader and a system stupid enough and vulnerable enough to allow executable malicious code."

Sue Hutchinson is the director of product management for EPCglobal US, the U.S. arm of EPCglobal, a GS1-sponsored organization working to commercialize EPC technology and RFID standards. She says the security features built into the latest EPC tag and reader standard, Class 1 Gen 2, make the air interface protocol very different than the tags and readers used in the Dutch study.

Studies such as the one done at Vrije University are important because "they keep us thinking about these things, and it's of critical importance," says Hutchinson, "but it's a grand leap to say that [what was shown in the study] could happen to EPC tags and readers."

"We've been taking a very proactive stance at looking at security in the EPC Gen 2 protocol," she says. To strengthen security, the Gen 2 protocol includes two key safeguards: the ability to lock a tag so that only an authorized interrogator can write any data to it, and the use of RF masking, which adds a random number to a tag's ID and requires the tag and reader to exchange what she likens to a handshake before they can exchange any data. These features "make it much harder to introduce a virus into the system," she says, than using the method in the study.

According to a paper written by the Dutch researchers, the group carried out multiple tests of RFID tags made with Philips UHF I-Code SL1 chips, which, according to the paper, had 896 bits of memory. During the tests, the tags were programmed with a number of viruses and other types of malware developed at the university. The group used its own RFID middleware and a number of commercially available databases in its trials. The tests showed that tags could be employed to instigate a number of malicious attacks on the databases and middleware used in an RFID network, including buffer overflow and SQL injection, and even open a back door to the RFID application server.


Attila Kis 2006-03-17 11:03:13 AM
the Virus in RFID tags article indicates wrong approach The article makes one think the industry is taking the wrong approach. It speaks of the defense that the RFID tags don't have sufficient capacity to transmit a virus. The limitation on the capability of the normal tags is not a defense to an attack by a sophisticated attack computer system, which has unlimited capability, sending a virus containing message to the global readers. The limitation is only relevant in (possibly) setting up a defense that the reader won't accept and transmit any information message above a certain number of bytes. Then you address whether the virus can be transmitted within that size message.
Mari Lathrop 2006-03-21 12:08:05 PM
Tag viruses With this issue, as in most situations, perception trumps reality. Many people outside the industry get their news and form their opinions from sound bites. With headlines of identity theft and database hacking a daily staple, negative news from a credible source will be enough to begin grassroots oppostion that gets legislative attention. BusinessWeek just covered this very subject. While I am not qualified to argue the merits, I know enough to suggest that those who can show that tags can be compromised need to be invited to debate our industry experts in an open forum covered by the national press, such as RFID Journal Live. Answering these claims in an industry newsletter will not convince anyone outside our little sphere

Login and post your comment!

Not a member?

Signup for an account now to access all of the features of RFIDJournal.com!

Case Studies Features Best Practices How-Tos
Live Events Virtual Events Webinars
Simply enter a question for our experts.
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations