Three computer science researchers are warning that viruses embedded in radio tags used to identify and track goods are right around the corner, a danger that so far has been overlooked by the industry's high interest in the technology.
No viruses targeting radio frequency identification (RFID) technology have been released live yet, according to the researchers at Vrije Universiteit Amsterdam in the Netherlands. But RFID tags have several characteristics that could be engineered to exploit vulnerabilities in middleware and back-end databases, they wrote in a paper presented today at a conference in Pisa, Italy.
The attacks can come in the form of a SQL injection or a buffer overflow attack even though the tags themselves may only store a small bit of information, the paper said. For demonstration purposes, the researchers created a proof-of-concept, self-replicating RFID virus.
Patrick Simpson, a master's student at the university, needed only four hours to write a virus small enough to fit on a RFID tag, something previously thought unworkable, said Andrew S. Tanenbaum, a professor at Vrije Universiteit Amsterdam. RFID tags can contain as little as 114 bytes of memory, he said.
Tanenbaum expects vendors to be angry about the publishing of the code. Vendors have dismissed the possibility of RFID viruses, saying that the amount of memory in the tags is too small, he said.
But the researchers did take precautions to ensure RFID viruses won't immediately circulate. They wrote their own middleware that mimicked traits of products on the market, said Melanie R. Rieback, one of the paper's authors.
"It's not like we are providing a cookbook for basically wannabe hackers to hack real RFID systems," Rieback said.
The homespun middleware connected to back-end databases from vendors such as Oracle Corp. and Microsoft Corp. along with open-source databases such as MySQL and Postgres, Rieback said. The experiment used RFID equipment from Philips Electronics NV, she said.
"It was actually quite interesting to see that some of the databases were susceptible to some kinds of attacks," Rieback said. "Other ones actually had natural protection mechanisms built in that made them more resistant."
The purpose of the exercise, the authors wrote, is to encourage RFID middleware designers to be more careful when writing code. Back-end middleware can contain millions of lines of source code, and if software faults number between six and 16 per 1,000 lines of code, the programs are likely to have many vulnerabilities, the paper said.
RFID tags are increasingly being used in a variety of industries to track items and give a real-time view of inventories. The tags contain data on a particular object or, in some cases, embedded in animals, and that data is typically stored in a database.
Companies can save money by using the tags to keep closer tabs on their property. However, this "pervasive computing utopia has its dark side," the authors wrote.
RFID systems may be attractive to criminals since the data contained on them may have a financial or personal nature, such as information stored on digital passports. In addition to causing damage to computer systems, RFID malware may have an effect on real-world objects, the paper said.
For example, airports are considering using RFID tags to track baggage. But Tanenbaum warned that this application could pose a large problem if an RFID tag is read and delivers a much larger set of data in return. A false tag on a piece of baggage could exploit a buffer overflow to deliver a virus to the RFID middleware. Once the virus code is on the server, it could infect the databases and corrupt subsequent tags or install back doors -- small programs that allow for the extrication of data over the Internet, Tanenbaum said.
"You can hide baggage," Tanenbaum said. "You can reroute baggage to the wrong place -- all kinds of mischief. That's I think a very, very serious thing that even has national security implications."
Autor: Jeremy Kirk
Quelle: Computerworld, 15.03.2006
