It’s hard to imagine that a company whose reputation depends on trust could issue a report littered with exaggeration and unsubstantiated claims, but that’s exactly what security software vendor McAfee has done. Its April “Sage” report suggests radio frequency identification tags could be hacked in such a way as to expose the data in a company’s back-end database. However, the report presents no evidence whatsoever, doesn’t even explain how this could be done and goes on to raise other bogus privacy concerns as well.
The report, issued semiannually by McAfee Avert Labs based on its research into high-tech threats, reads, in part: “RFID readers could contain vulnerabilities that would allow RFID chips to contain exploits to steal information from backend databases.” Okay, technically, I guess you could hack an RFID tag that could take advantage of some undiscovered vulnerability in an RFID reader, but it’s also true that a clever hacker could write code so malicious and fast-spreading it could bring down all of the world’s major computer networks.
An exploit is a bit of code allowing a hacker to gain access to sensitive information. It’s possible the report’s claim about RFID having such a vulnerability might be based on a statement made back in 2004 by Lukas Grunwald, a German consultant who said: “It is only a matter of time before someone puts a root exploit on one of these tags and hacks into your supply chain” (see RFID Hack Could Allow Retail Fraud).
To date, I haven’t seen a single shred of evidence, anywhere, that would substantiate these claims, and I truly doubt it is even possible. No, I’m not a software expert, but tags store flat data, not executable programs, so it’s hard to see how you could use tags to penetrate systems containing RFID data. And even if someone were able to exploit a reader’s vulnerabilities, most readers can be upgraded remotely, so the loophole would be closed. (Yes, another might be found, and we’d have the kind of ongoing battle we have with PCs.)
Tomorrow, I’ll take a look at the privacy issues raised in the “Sage” report.