06/03/22 Conceptual virus could create havoc at firms using RFID tags

Concerns about the security of radio frequency identification (RFID) and virtualisation systems were raised last week, as researchers demonstrated vulnerabilities to malware infection in both technologies.

It had been thought that the small memories of RFID wireless tags meant viruses could not infect them. But last week researchers from Vrije University in Amsterdam showed that tags may be vulnerable.

The research team wrote an RFID tag virus using only 127 bytes, and explained how it might affect firms. For example, an infected tag on a suitcase could cause havoc with airport databases if the virus managed to spread itself.

As RFID deployments grow, the likelihood of attack increases, said Greg Day of security vendor McAfee. But he argued that the problem is mainly a back-end issue. "The RFID tag is just dumb data storage. The reader sucks that data up and it's how that gets processed in databases that could cause problems."

Adam Jura of analyst Datamonitor said these proof-of-concept attacks show that "tag vendors, reader vendors and middleware providers need to establish partnerships to reassure users they can secure this technology".

Also last week, researchers from Microsoft and the University of Michigan demonstrated a new attack against virtualisation software – another technology on the edge of mainstream adoption. The attack installs a rootkit beneath a virtualised server or desktop operating system, hiding it from security tools

The Industry Reacts to RFID Virus Research
Monday March 20th, 2006
Last week's proclamation by a group of computer scientists that RFID tags represent a vehicle for the transmission of computer viruses precipitated a frenzy of headlines from both within and without the RFID industry. Executives at leading RFID companies were bombarded with calls from journalists, and industry association AIM Global was compelled to release a statement addressing the issue. Even the New York Times reported the story. Below are summarized the key takeaways of the whole episode.

First, and most important, the scenarios presented by the researchers were widely considered so contrived as to be unfeasible. A key premise of the researchers' assertions is that the bits and bytes stored on RFID tags would be interpreted by readers as executable instructions. The reality is that tag contents are never interpreted as executable code; they are interpreted only as simple raw data, like numbers. For an RFID system to interpret tag data otherwise would require a poor, insecure design that breaks the most basic and obvious rules of system engineering.

Which raises another point. The potential vulnerability is in the system design; there is nothing inherent to RFID tag technology that makes it vulnerable. As Julie England, Texas Instruments' general manager of RFID, said, "This is the kind of issue the software industry has seen for years." She continued, "Pointing out that poorly written backend software could weaken the RFID application as a whole .... is stating the obvious." As this recommended explanation by Ben Giddings, an engineer at RFID reader manufacturer ThingMagic reads, "RFID tags, just like barcodes, are just data. Nothing more than data. If you intentionally design a system to be vulnerable to certain data, then intentionally expose the system to that data, then yup, you'll have a problem."

Even if the particular scenarios outlined by the researchers are dismissed as academic, they raise the question of whether the eventual ubiquity of RFID tags will represent fertile ground for technological sabotage. While it is too early to draw definitive conclusions around this prospect, certain fundamental characteristics of RFID suggest that it will not be a very attractive target. Its capabilities for the transmission of data are not as advanced as, say, email. Noted Impinj CEO William Colleran, "In email, I can embed things that include scripts and application code. In RFID, everything on the tag is by definition data and not instructions."

Furthermore, email is already widespread to an extent RFID might never be. Even assuming the boldest projections for RFID tag growth, the number of emails sent daily in 2006 is vaster than the number of tags that will be in production five years from now. "I don't see it," said Colleran. Why would hackers focus on RFID "when they have a much more powerful mechanism through the web and email?" Ron O'Brien, senior analyst with security firm Sophos, pointed to evidence validating that logic: "We're starting to see a little more interest in instant messaging and mobile phones, but RFID doesn't appear to be the next frontier for virus writers to pursue."

Another question indirectly raised by last week's developments is how attentive to security the industry has been to date. With price reductions a leading, collective goal of all RFID stakeholders, one might wonder if the industry has skimped on security features whose inclusion adds to cost. Not so, says those closely involved. The Gen2 standard is a prime example. "The standards bodies, EPCglobal in particular, have actually taken a particularly conservative approach to security," said Colleran. "Going from Gen1 to Gen2, we actually saw a significant increase in security." Sue Hutchinson, EPCglobal director of product management, was clear: "We've been very proactive in addressing security for our membership... Security has been paramount in all of our considerations." She noted that "the experiment they staged in the lab didn't involve EPC technologies at all."

So if the researchers' conclusions are so flimsy, why all the attention? Why, hype, of course. The inclusion of two technology buzzwords -- "RFID" and "security" -- in one headline is eye-catching. Despite all that, most acknowledged that the paper served a good purpose. As Hutchinson said, "It's a reminder about how vigilant we need to continue to be in addressing security."