This article was originally published by RFID Update.
March 15, 2006—Researchers affiliated with the computer science department at Vrije Universiteit in Amsterdam have released a paper entitled “Is Your Cat Infected With a Computer Virus?” asserting that RFID systems are vulnerable to viruses and worms. The paper is being presented today by its author and PhD candidate Melanie Rieback at the IEEE Conference on Pervasive Computing and Communications in Pisa, Italy. Her research was supervised by accomplished computer scientist Andrew Tanenbaum, who authored the Minix operating system, a precursor to Linux.
According to the researchers, conventional wisdom says that RFID tags are impervious to virus infection on account of very limited storage capabilities. There is a further belief that even if virus code could be planted on a tag, that code could not be transmitted “upstream” via an RFID reader into a broader network. This view is flatly contested on the researchers’ website, rfidvirus.org: “Up until now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software, and certainly not in a malicious way. Unfortunately, they are wrong. In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionally) infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags.”
The site offers three hypothetical scenarios in which RFID could be used to wreak havoc through the efforts of a lone hacker equipped with an off-the-shelf RFID reader. In the first scenario, the hacker attaches a bogus, intentionally infected tag to a jar of peanut butter that, when scanned at checkout, infects the retailer’s system. The second scenario targets a veterinarian’s database when the hacker takes his pet cat — carrying an infected, subdermal ID tag — for a checkup. And in the third, most dire scenario, the hacker compromises an airport by attaching an infected tag to the luggage of an unwitting fellow passenger. The virus would pass from that one piece of luggage, into the baggage-handling network, and on to all pieces of luggage at that airport. Those bags would travel to other airports, and the virus would spread. The consequent havoc could, among other nightmares, allow “terrorists [to] hide their baggage from airline and government officials.”
These hypotheticals drive home a simple, sobering point: every read point is a potential opening for a would-be saboteur.
The researchers are not apocalyptic in their report, however. Indeed, while they have sections on their site entitled “How to Write an RFID Virus” and “How to Write an RFID Worm,” they also offer prescriptions in the “How to Defend against RFID Malware” section.
Their defense for providing guidance on performing the exploits is simple: it is the only way for the industry to take the threats seriously. “When talking to people in charge of RFID systems, they often dismiss security concerns as academic, unrealistic, and unworthy of spending any money on countering, as these threats are merely ‘theoretical.’” The researchers hope to prevent RFID-based viruses and worms by calling the industry’s attention to them now, and offering guidance on how to responsibly and effectively proceed. “Fortunately, the threat of infection can be countered using standard measures,” says the press release. “It is therefore imperative that RFID system developers and users check the security of their systems now, before they are put to large-scale use.”