Posted on 03/15/2006 9:23:38 AM PST by Ramius
MARCH 15, 2006 (IDG NEWS SERVICE) - Three computer science researchers are warning that viruses embedded in radio tags used to identify and track goods are right around the corner, a danger that so far has been overlooked by the industry's high interest in the technology.
No viruses targeting radio frequency identification (RFID) technology have been released live yet, according to the researchers at Vrije Universiteit Amsterdam in the Netherlands. But RFID tags have several characteristics that could be engineered to exploit vulnerabilities in middleware and back-end databases, they wrote in a paper presented today at a conference in Pisa, Italy.
"RFID malware is a Pandora's box that has been gathering dust in the corner of our 'smart' warehouses and home," the paper stated.
The attacks can come in the form of a SQL injection or a buffer overflow attack even though the tags themselves may only store a small bit of information, the paper said. For demonstration purposes, the researchers created a proof-of-concept, self-replicating RFID virus.
Patrick Simpson, a master's student at the university, needed only four hours to write a virus small enough to fit on a RFID tag, something previously thought unworkable, said Andrew S. Tanenbaum, a professor at Vrije Universiteit Amsterdam. RFID tags can contain as little as 114 bytes of memory, he said.
Tanenbaum expects vendors to be angry about the publishing of the code. Vendors have dismissed the possibility of RFID viruses, saying that the amount of memory in the tags is too small, he said.
But the researchers did take precautions to ensure RFID viruses won't immediately circulate. They wrote their own middleware that mimicked traits of products on the market, said Melanie R. Rieback, one of the paper's authors.
"It's not like we are providing a cookbook for basically wannabe hackers to hack real RFID systems," Rieback said.
The homespun middleware connected to back-end databases from vendors such as Oracle Corp. and Microsoft Corp. along with open-source databases such as MySQL and Postgres, Rieback said. The experiment used RFID equipment from Philips Electronics NV, she said.
"It was actually quite interesting to see that some of the databases were susceptible to some kinds of attacks," Rieback said. "Other ones actually had natural protection mechanisms built in that made them more resistant." continued>>
I sure hope not. The sooner RFID gets exposed for the huge threat it is, the better. I think this is excellent news.
Uh, yeah... OK. And bar codes. Don't forget bar codes. :-)
You cannot hack a bar code.
The cute new word is for that is telemedicine
Can you imagine, drug delivery being RFID capable? You can hack in and kill someone.
ping
Sure you can:
http://www.azalea.com/
There's tons and tons of bar code software packages out there, read em, print em, do whatever you want with them. Can't transmit a virus with them, but I doubt you can really transmit a virus with RFIDs either, too many variables, not enough space. It's a theoretical possibility sure, but as for really doing it we're talking a serious inside job.
|
Have we really sunk to this level in terms of programming?
Some idiot is really writing an app that harvests a piddly amount of data from an RFID tag an he can't even validate it first before he passes it on to lord know how many other COM, .NET, "Where do you want to go today" objects?
Its sad really.
Of course you can. With a sharpie, no less.
Just imagine being able to print your own UPC symbol with more than the allowed number of bars to break into a cash register's computer. This is similar. You can't count on RFID chips to only come from "friendly" suppliers.
Previous bosses have complained about by tendency to use strncpy and manually placing a '\0' at the end of the space allocated for a string instead of just using strcpy and letting the function do it. Taking the shortcut is how buffer overruns occur.
< /programming geek mode>
Fair enough, then I will be tediously more precise. You cannot steal anyone's identity using barcodes. You cannot monitor anyone's activity in any meaningful way using barcodes. You cannot compromise anyone's privacy in any meaningful way using barcodes. You cannot track anyone's whereabouts using barcodes. You cannot threaten anyone's well-being using barcodes. In fact, there is very little that any normal person or entity would want to do that can be achieved by hacking barcodes.
Before Bill Clinton left office, he authorized 2001 an 84% increase in the government's investment in nanotechnology research and development, National Nanotechnology Initiative (NNI) http://clinton4.nara.gov/WH/New/html/20000121_4.html and made it a top priority.
These funds now make available monies for grant projects for:
Focus Areas at a Glance (28)
(more at link)
See my post #15. Use a sharpie if it'll help. ;)
Sounds like a good thing that will help a lot of people.
As far as hacking in and killing someone... they could do that now by hacking into the pharmacy.
Just because something *can* be misused doesn't mean it shouldn't exist. Guns and cars and cameras and hair dye can all be misused. There's risk in all things.
Sure you can, it's harder, you've got to get a hold of something of theirs with bar code (like an AZ driver's license) and hack the data, but it's doable. And you can't do any of that other stuff with RFIDs, maybe in the future but not now, right now RFIDs are for tracking PACKAGES and make shipping a lot easier. People don't have RFIDs, and given the short range of RFIDs most of the nightmare scenarios are technically unfeasable.
PS. And to be sure, I have no problem with RFID so long as it's limited to unrisky uses. It's many of the proposed uses, which incidentally would involve more memory than the amount supposedly inadequate for viruses, that are of concern to me.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.