Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

RFID & Viral Vulnerability

CmdrTaco posted more than 8 years ago | from the alliteration-is-fun dept.

136

Arleo writes "Student Melanie Rieback and others, part of a Tannenbaum research group in Amsterdam, have proven that RFID-tags are vulnerable for infection with viruses. In a research paper titled "Is Your Cat Infected with a Computer Virus?" is shown how an altered RFID tag can be used to send a SQL injection attack or a buffer overflow. They describe on the rfidvirus.org website possible exploits of this types of viruses: from altering the backoffice of a supermarket to spreading RFID viruses by infected bags on airports."

cancel ×

136 comments

CmdrTaco shows viral vulnerability (0, Troll)

Sexual Asspussy (453406) | more than 8 years ago | (#14923467)

sorry, Michael

MOD PARENT UP YOU ASSCLOWNS!!!! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14923474)

I coul dnot pissobly agree more with the above post!

Love Always,
News For Turds

Re:MOD PARENT UP YOU ASSCLOWNS!!!! (1)

Proctal Relapse (467579) | more than 8 years ago | (#14923522)

N4T my nigga! holdin it down at -1.

Re:MOD PARENT UP YOU ASSCLOWNS!!!! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14923574)

JESUS CHRIST IT'S BIZARRO SEAFUSS!!!!!!!!!!


                   

    • I'M GETTING THE HELL OUT OF HERE

Bright Future for RFID malware. (4, Insightful)

TripMaster Monkey (862126) | more than 8 years ago | (#14923471)


Fascinating stuff, but it seems that the game plan for protecting against RFID malware is basically the same as protecting against more traditional malware...namely, enforcing proper bounds checking, enforcing proper database permissions heirarchies, disabling back-end scripting languages, isolating the vulnerable RFID middleware server in a proper DMZ environment, etc.

In other words, RFID malware has just as bright a future as the more traditional flavor, since most developers and administrators can't be bothered to take these elementary precautions.

Re:Bright Future for RFID malware. (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#14923531)

First reply to TMM's first post.

Re:Bright Future for RFID malware. (4, Insightful)

tgv (254536) | more than 8 years ago | (#14923553)

Not only this, but a single check on the length of the tag would be sufficient against this attack. So in well-designed software there would only be one place where to check for length. It's not like certain well-known operating systems, that have unguarded buffers in dozens of places. That seems to diminish the risk quite a lot. Not to mention that any organization that takes its security serious, will probably set up a warning system for malicious RFID tags, which will expose attackers quite quickly, since they're likely to be physically nearby.

Re:Bright Future for RFID malware. (3, Insightful)

gunnk (463227) | more than 8 years ago | (#14924109)

Would they have to be nearby?

I see a real threat for anonymous attacks:

Attacker buys RFID-tracked product at store.
Attacker alters RFID-tracked product to allow for attack.
Attacker returns the product to the store shelf and waits...
Joe Sixpack checks out with infected product.
Clerk scans product and infects store database.
All prices for all products now set to $0.

Re:Bright Future for RFID malware. (1)

Danse (1026) | more than 8 years ago | (#14924559)

Clerk scans product and infects store database.

All prices for all products now set to $0.


Again, any decent software developer knows that you never trust outside input. You always check everything that comes in. Follow that simple rule and your software is secure from these kinds of attacks.

Re:Bright Future for RFID malware. (1)

Fred_A (10934) | more than 8 years ago | (#14924882)

Except we all know how many decent software developers will be employed to write this kind of application...

The software will likely be wide open from this kind of attack.

Re:Bright Future for RFID malware. (1)

Loether (769074) | more than 8 years ago | (#14924180)

>which will expose attackers quite quickly, since they're likely to be physically nearby.

Good point. If I wanted to infect a system say at wallmart. I'd just place the infected RFID tag on a product on the shelf and wait for someone to buy it or inventory it. I'm long gone by the time the infection attempt takes place.

Re:Bright Future for RFID malware. (1, Interesting)

Alex P Keaton in da (882660) | more than 8 years ago | (#14923561)

Think about the shoplifting possibilities- Once RFID id used to monitor what is in your shopping cart, and you are automatically charged (because your credit card has RFID) as you walk out of the stores (No more checkout girl).
Write a little virus that defaults all your mechandise to 99cents an item, and you are good to go. This would of course only work with items worth more than 99cents, like steaks and electronics. Defaulting Bubblegum to 99cents would end up lamking you lose money.

Re:Bright Future for RFID malware. (0)

Anonymous Coward | more than 8 years ago | (#14924179)

MOD PARENT UP!
Seriously, the overrated mod is getting overused. People seem to use it to mod down someone they don't like, or a post they don't agree with, because overrated can't be metamoderated.
MOD PARENT UP!

Re:Bright Future for RFID malware. (5, Funny)

gutnor (872759) | more than 8 years ago | (#14923594)

I imagine the bright future ...

I'll have too explain my dad to not to download whatever crap on internet, never reply yes when a crap want to install something without asking me first and now ...
I need to ask him to check the ServicePack version on his six-pack and explain him that bringing russian vodka home can wipe out his harddisk when he turns the TV on?

Rudy Rucker was right (0, Offtopic)

Joseppi Blauinski (522353) | more than 8 years ago | (#14923649)


Lameness filter encountered. Post aborted! Reason: You can type more than that for your comment.

Re:Bright Future for RFID malware. (2, Interesting)

Jeff DeMaagd (2015) | more than 8 years ago | (#14923784)

That's quite a lot of work though, not something I would call "simple", especially for overworked and underpaid IT workers. Normally I wouldn't be concerned because most times, RFID should only be a serial number, but if even image files can cause trouble, then I suppose anything can.

Re:Bright Future for RFID malware. (1)

Beryllium Sphere(tm) (193358) | more than 8 years ago | (#14924820)

>basically the same as protecting against more traditional malware

That really is a good insight. The RFID issues that Tanenbaum and company pointed out are just new examples of the general problem, software reading untrusted data.

Re:Bright Future for RFID malware. (1)

LWATCDR (28044) | more than 8 years ago | (#14924989)

sql injection attack?
How would you let something like that happen? There is a ton of code to prevent that all over create not to mention that I think every database on the planet has a quote function just to prevent that kind of thing.
Buffer overflow? just what data entry method is not vulnerable to a buffer overflow if the programmer is careless?
I would have been shocked if RFID was magically immune to programmer induced security breaches.

Oh no!!! (1)

AnomaliesAndrew (908394) | more than 8 years ago | (#14925261)

With Bluetooth enabled vehicles and RFID national/state ID cards coming into the picture, this might be the first time where a drivers license actually causes a person's car to crash! (pun)

-@

Fir Trees? (3, Funny)

eldavojohn (898314) | more than 8 years ago | (#14923473)

Student Melanie Rieback and others, part of a Tannenbaum research group in Amsterdam, have proven that RFID-tags are vulnerable for infection with viruses.

American oak tree research groups and Swedish aspen tree research groups have responded by working around the clock to fix this security hole. Never before have groups centered on deciduous trees been so involved in computer security.

It's hard... (1)

jesterpilot (906386) | more than 8 years ago | (#14924926)

the difference between 'Deutsch' and 'Dutch'.

My question is why? (3, Insightful)

danpsmith (922127) | more than 8 years ago | (#14923498)

I don't understand why we _have_ to use RFID at all. I understand it may make some things easier, but aren't we efficient enough? In these days where security is becoming more and more of an issue, why even creating another security issue when the old way still works. Is tracking something via a barcode scanning system really so inefficient that we need RFID? I don't understand, we seem to be pretty efficient in most industries already, why do we need to squeeze another cent an hour out by using some new and relatively unproven technology when the old way works just fine?

Re:My question is why? (2, Informative)

Anonymous Coward | more than 8 years ago | (#14923546)

You have to physically move packages to see the barcode. So doing stock counts etc, and tracking stock through the supply chain would be faster.

Re:My question is why? (5, Interesting)

karnal (22275) | more than 8 years ago | (#14923661)

My company is currently trying to work towards a whole-house RFID setup (we sell consumer products.)

Problems we've had (in talking with the engineers):

1. Our product is in metal containers (within cardboard). Bad for RFID.
2. Placement is CRITICAL. Especially in a plant environment, you need to know where the RFID tag is so you can read and write it quickly; in addition to minimizing #3
3. Outside RF. We've had instances to where in a test lab, we can read and write and verify the write within 80ms, as a box is cruising by on the conveyor. Once we transition to the plant, however, it gets a little more shaky, as you have less control over where the conveyor motor is, more flourescent lights, and oh yea, there's still those damn metal cans.

RFID has a long way to go from what I've been told by our engineers. It's not as dead simple as you might think -- of course, for handheld scanners though, which require human intervention - may be 10 times easier since humans can modify the environment to see fit on the fly.

Re:My question is why? (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14924802)

We also are placing the tags on metal objects. If you have air and cardboard, it should not be a problem. Also, has your team looked at the new ceramic and foam backing to place the tag directly on the object?

We are using active tags for WIP and are placing the tags directly on the objects. These tags are expensive (+-$20), but we reuse them. We use passive tags on the shipping labels.

Also, one more thing to look out for - the noise level. Certian parts of our plants were just too loud to use passive RF technology.

By the way, is your company using integration services? If so, who?

Re:My question is why? (0)

Anonymous Coward | more than 8 years ago | (#14923570)

Because this brings us that much closer to the Mark of the Beast(tm), which is further proof that the end times are near. The closer we are to the end times, the more powers are given to Herr Bush to fight the "good fight." Simple really.

Re:My question is why? (1)

GundamFan (848341) | more than 8 years ago | (#14923581)

Well there are a couple of advantages that I know of to RFID

1. Inventory, beeing able to know what is in your store and where it is in a retal setting.

2. Convinence, things like being able to park a cart next to a teller and have all the items charged instantly.

3. RFID is already used sucessfuly for tracking pets and could be used to store medical data in people with alergies or other specal medical requirements, along with other personal data if the individual choses.

Let me say I'm scared of some of the potental abuses to, but there are upsides to this.

Re:My question is why? (4, Insightful)

Gr8Apes (679165) | more than 8 years ago | (#14923638)

Well there are a couple of advantages that I know of to RFID

1. Inventory, beeing able to know what is in your store and where it is in a retal setting.


Actually, according to a recent study, RFIDs are only about 90% accurate at best, for large palettes whizzing by on conveyor belts in a warehouse setting.

2. Convinence, things like being able to park a cart next to a teller and have all the items charged instantly.

See #1. I don't know any retailer that would abide by less than 99.999% accuracy. RFID does not meet this requirement at all.

3. RFID is already used sucessfuly for tracking pets and could be used to store medical data in people with alergies or other specal medical requirements, along with other personal data if the individual choses.

Let me say I'm scared of some of the potental abuses to, but there are upsides to this.

Now you're getting to the real meat of why some want RFID to take off. It's much easier to convince someone to accept an injection of a little chip than to be tattooed with a bar code, Henry Rollins not withstanding.

While it may be beneficial, the very reason it's beneficial is also why it's bad in an Orwellian sense. There is no way for this to be beneficial without the bad. You can't cover up an RFID, or make it inoperative, without impairing its usefulness when needed.

Re:My question is why? (3, Insightful)

gunnk (463227) | more than 8 years ago | (#14924199)

2. Convinence, things like being able to park a cart next to a teller and have all the items charged instantly.

See #1. I don't know any retailer that would abide by less than 99.999% accuracy. RFID does not meet this requirement at all.


If you think this is true, you need to check your receipts and count your change more frequently.

I've never seen a shop that manages 99% accuracy... the clerk fails to scan an item (doesn't notice it didn't beep), the item is in the database with the wrong price, the item scans twice, the item is missing entirely (so the clerk asks you to give them the price)...

99.999%???

Re:My question is why? (1)

Gr8Apes (679165) | more than 8 years ago | (#14924358)

My receipts are certainly more than 90% accurate. Do you think retailers would accept no better than 90% as a replacement? How about 95%?

If they're going to go with something as expensive as a retrofit of RFID will be, I'm guessing they're going to want 99% or better.

Re:My question is why? (2, Interesting)

Anonymous Coward | more than 8 years ago | (#14924558)

Retail scan percentages in America at the moment are around 95%. That is, for every 100 items scanned via barcode, 5 items are manually typed in as generic.

I was talking to a software provider for the supermarket sector, and at a conference he was recently at, the people working on RFID technology were happy to get 60% scan rate in a real world environment.

It's likely the tech is going to take another 5-7 years before it's up to the 95%+ scan rate we need to function and trust our inventory.

Re:My question is why? (4, Insightful)

ookabooka (731013) | more than 8 years ago | (#14923592)

Why did we switch to barcodes when you could just bring it up to the clerk and they would punch in the price? Didn't the old way work? It is definately possible to manipulate barcodes to do some nasty things. Put a barcode from an "IPOD headphone" on an "IPOD Mp3 Player". If the clerk doesnt notice, you just got an Ipod for 10 bux. Obviously I wouldn't advocate doing this, but it goes to show that barcodes are anything but secure. If anything they are easier to manipulate, all you need is a photocopier and some tape. Sounds to me you are just hesitant to change, which is understandable, but IMHO RFID's would give us all a lot of nifty possibilities, which would outweigh the risks. The only problem I see is that it would be harder to manipulate an RFID system, meaning that people would trust it more, meaning that those who do have the knowledge to manipulate it are more likely to get away with it and with larger pay-offs to :-/

Re:My question is why? (1)

Maxo-Texas (864189) | more than 8 years ago | (#14924752)

Actually the checkouts are getting smarter these days.

Say that the ipod headphones weighs .307 pounds.
And that the ipod weigths .794 pounds.

An increasing number of checkouts will catch that. I don't know how sensitive they are but my gut feeling is that it is fractions of an ounce based.

Why we switched - save you money (2, Informative)

ACMENEWSLLC (940904) | more than 8 years ago | (#14924858)

These are all RFID in action saving you money. They save you money because they save truckers money;

http://www.illinoistollway.com/portal/page?_pageid =57,1302257,57_1302270&_dad=portal&_schema=PORTAL [illinoistollway.com]

http://www.ezpassde.com/ [ezpassde.com]

http://www.sunpass.com/ [sunpass.com]

http://www.prepass.com/ [prepass.com]

Weight in motion, which usually uses RFID;

http://science.howstuffworks.com/question626.htm [howstuffworks.com]

We've been doing RFID since 1996. It's not new technology. We are just talking about new applications.

Re:My question is why? (1)

samureiser (903923) | more than 8 years ago | (#14925179)

Because you can just as easily switch price tags. I'm willing to bet most people working the registers don't have the prices of every product in their store memorized.

Furthermore, scanning saves you time on line. It doesn't make a huge difference for 3 items, but if you're at the grocery and purchasing dozens of items trust me - you notice.

Of course, this doesn't address the issue of bar codes vs. RFID... I'll leave that discussion to much more qualified /.'ers.

Re:My question is why? (2, Interesting)

FutrDreams (812828) | more than 8 years ago | (#14923816)

Well corporations will push for this for efficiency but think of possible consumer uses. Say you have portable RFID scanner and a database provided by an organization. This organization could be Greenpeace, Consumer Reports your favorite wine review site, etc. So I walk into the store and key into my scanner, show me all coffee products that are Fair Trade Certified. Show me if they have any one of my favorite 10 wines, etc. RFID tags for home use -buy a pack of say 100 tags and tag things in your house. Where's the TV remote? Take a walk w/ a scanner and oooh there it is. Moving? Tag your stuff, put it in boxes. Done. What's in my pantry? Scan it. What drinks can I make w/ things in my bar? You get the point. There are some issues w/ creating the database, and privacy issues for corporations, but I'm sure there's a place for new companies to sell that info. -Futrdreams.

Re:My question is why? (1)

lord sibn (649162) | more than 8 years ago | (#14923857)

honestly, my answer to the question "aren't we efficient enough" raises a few questions in my mind. i work in logistics, so to speak. manually finding and scanning barcodes takes three times as long as the alternative: electronic invoicing (where the supplier sends an invoice over the computer). not to mention the element of human error. any number of things can throw off the invoice quantities, and such errors must be (at high cost) hunted down and resolved. to you, upcs are ambiguous. to me, they are a pain in the ass.

Re:My question is why? (1)

couchslug (175151) | more than 8 years ago | (#14923971)

"Is tracking something via a barcode scanning system really so inefficient that we need RFID?"
Yes. When you ship stuff you can only optically scan the surface.
"Stuff" has depth. RFID beats manual unstacking, restacking, re-covering, etc.
External barcodes reflecting bulk contents are invalid when an item is removed but the external tag is left unchanged. RFID offers immediate inventory adjustment with each bulk scan. It goes more than one link deep, so to speak.

Re:My question is why? (1)

oceanofapathy (945395) | more than 8 years ago | (#14924005)

Capacity. Would you want to deal with 40" barcodes? Sure barcode density can be increased, but you're still relying on the visible spectrum for data transfer. And consider that barcodes must be relatively flat and not damamged. RFID is a great technology. No, we are not effecient enough without it. If that's your train of thought, I'll be laughing at you while you ride your horse to work.

Re:My question is why? (0)

Anonymous Coward | more than 8 years ago | (#14924929)

Unfortunatly, we are not efficient enough. Here's my retail perspective on RFID...

I use to work at Staples and on average we would get 7-10 pallets of merchandise 2-3 times a week. It would take us approximatly 3-5 hours to break down an entire shipment and a full count of inventory could not be completed until the end.

With RFID, the minute the pallets came through the doors they would be scanned and a full inventory could be taken in seconds as opposed to manually scanning barcodes on each item to tally an inventory count.

Furthermore, taking regular inventory counts once the merchandise is in the store poses the same problems: lots of workers running around the store manually scanning/counting items - many man-hours worth of work (8+ hours most of the times I took part in it). RFID would reduce not only the number of hours it would take to do a full inventory, but also the number of people required.

And lastly, finding items once they are in the store. If you've ever been to any store looking for an item only to find the shelves where the item normally are to be empty, then asked someone if they could 'look in the back' to see if they have any extras. The number of hours wasted looking for stray items which are 'in-store' according to the computer is astounding. With RFID you can simply push a button to see if an item is actually present in the store or if the inventory count is incorrect and there are actually no items left. And from what I've read, they are working on (or have worked out) a means of triangulating RFID tags to actually locate items, again reducing the time it takes to find stray merchandise.

We use RFID in cars on toll roads because having everyone zoom through is far more efficent than the backups that occur when people have to stop at a tollbooth to pay the fee.

Barcodes are nice and simple, but they require individual scans. RFID can scan entire shipments all in one go.

Will this affect me? (2, Interesting)

Onymous Hero (910664) | more than 8 years ago | (#14923501)

My company is rolling out RFID badges for all staff to streamline our security and help reduce the amount of late employees etc - is this something that could be a problem or is it just theoretical?

Re:Will this affect me? (2, Interesting)

AnonymousPrick (956548) | more than 8 years ago | (#14923549)

My company is rolling out RFID badges for all staff to ... help reduce the amount of late employees etc...

I'm just curious, will the company also compensate the employees who are working more hours - even if they are coming in late?

I know, if you said something like this, they'd call you in and tell you "what a bad attitude you have." or that "you're not a team player."

Yeah, I'm bitter....fucking corps...

Re:Will this affect me? (1)

Onymous Hero (910664) | more than 8 years ago | (#14923562)

All employees are subject to regular pay reviews and these statistics will be taken into account, yes.

Re:Will this affect me? (3, Insightful)

TripMaster Monkey (862126) | more than 8 years ago | (#14923619)


I think what he's asking is: does the badge record the leaving time as well as the arrival time? This is a problem where I work as well...the badge records when you come in, but doesn't record when you leave, so it doesn't matter if you stay late to finish a project...all the management cares about is when you got there in the morning.

I don't work late anymore.

Re:Will this affect me? (1)

pushf popf (741049) | more than 8 years ago | (#14924177)

I'm just curious, will the company also compensate the employees who are working more hours - even if they are coming in late? I know, if you said something like this, they'd call you in and tell you "what a bad attitude you have." or that "you're not a team player." Yeah, I'm bitter....fucking corps...

Don't be bitter. Life is too short to suck

Let them do what they want, you do what you can do without making yourself crazy, and if in the end, they don't like it, you can go find a better job, or they can fire you and you can collect unemployment and then get a better job.

No employer can abuse you any more than you're willing to accept. I got laid of from a crappy job a couple of years ago where I was a "slacker" because I was only working 9am until 9pm, not 8am to midnight like most of the others.

Best thing that ever happened to me. I got a month of paid vacation in the middle of the summer (unemployment), then got a much better job with normal hours.

Wait... (1)

GundamFan (848341) | more than 8 years ago | (#14923504)

Realy how is this diffrent from an email virus? it's not like they can reprogram "good" RFID tags into "bad" ones can they?

Re:Wait... (1)

TheLogster (617383) | more than 8 years ago | (#14923708)

If the bad RFID tag infects a system that has the right "bits" attached to write RFID tags. The it would be possible for the infected system to write out new bad RFID tags, or event rewrite good RFID tags - turning them bad....

Re:Wait... (1)

GundamFan (848341) | more than 8 years ago | (#14923759)

I see... so really all you need to do is secure the scaning computers from the attack just like a traditional virus. It was unclear to me if the tags could talk to each other, I was prety sure they couldn't.

No wonder people get scared... if somone with a good grasp of computer tech can get confused here imagine how your grandparents fell.

haven' read the article but... (0)

Anonymous Coward | more than 8 years ago | (#14923507)

April 1st is still a couple of weeks away

Virus? I think not. (3, Insightful)

uniqueUser (879166) | more than 8 years ago | (#14923511)

I understand that a virus could preform an SQL injection or a buffer over run, but these activities are not what defines a virus.

In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents...-Wikipedia [wikipedia.org]

Re:Virus? I think not. (3, Interesting)

TripMaster Monkey (862126) | more than 8 years ago | (#14923563)


If the SQL injection or buffer overrun instructs the middleware system to overwrite all RFID tags subsequently scanned with the exploit code, that's pretty self-replicating, isn't it?

Re:Virus? I think not. (2, Informative)

StupidKatz (467476) | more than 8 years ago | (#14923648)

AFAIK, at this point, RFID tags are WORM. Trying to wirelessly *overwrite* an RFID chip would, as I understand it, do nothing other than potentially fry the chip, due to the way the chips are made - they don't have any write capability, so it would be akin to trying to re-write a pressed CD with a sooped-up laser.

At that point, I'd be more afraid of the EM emissions than any RFID dastardliness.

Re:Virus? I think not. (1)

tomstdenis (446163) | more than 8 years ago | (#14923923)

They are just supposed to be unique identifiers. For all it matters they could be random strings of 128-bits.

The point is you use the RFID tag as a key in your database.

Say I receive 12 widgets from a company to put on my shelf. Each widget has an RFID tag. I enter each of them into my database. Now as I sell them they're scanned the tag is used to search the database [e.g. it's the key] and I mark it as gone.

The actual value of the tag doesn't matter so long as it's unique. E.g. two widgets don't have the same ID. So for all intents and purposes you could order a box of 5000 random RFID tags and make good use of them.

Tom

Re:Virus? I think not. (0)

Anonymous Coward | more than 8 years ago | (#14924317)

Nope, there are rewritable tags but they are more expensive than read only ones.

Re:Virus? I think not. (1)

uniqueUser (879166) | more than 8 years ago | (#14923868)

Yes, if it could some how insturct the reader to copy instructions to other tags, then yes, I would define that as a virus. But that takes more than just simply sending an SQL injection or over running some buffer. Tags can be build for read/write, so this could become a possiblily.

Re:Virus? I think not. (0)

Anonymous Coward | more than 8 years ago | (#14924961)

Yes, but then that would be a software virus. RF technology is not the all ending technology. These tags are really not that "smart". They carry a "key" and some of the more expensive ones can carry environmental info (temperture). It is the software that pulls the "trigger".

So, keep your network safe and the tags will fall in line. They only do what you tell them to.

Re:Virus? I think not. (3, Informative)

farker haiku (883529) | more than 8 years ago | (#14924320)

virus is a self-replicating program that spreads by inserting copies of itself into other executable code

From the linked pdf: To prove our point, this paper will present the first self-replicating RFID virus.

So, um, yeah. Maybe, just maybe, you should RTFA. I know, I know. Pipedream.

Mighty If-fy (5, Insightful)

Billosaur (927319) | more than 8 years ago | (#14923518)

From rfidvirus.org: Here is where the trouble comes in. Up until now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software, and certainly not in a malicious way. Unfortunately, they are wrong. In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionall) infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags. No one thought this possible until now. Later in this website we provide all the details on how to do this and how to defend against it in order to warn the designers of RFID systems not to deploy vulnerable systems.

So to sum up, if some programmer doesn't do his/her job, the RFID tag they plan on implanting in our passports could be used as delivery devices to compromise computer systems around the globe.

I'm going to rate this a pretty big if, though, as we know from all the patching going on, the probability is very high. RFID software is going to have to be thoroughly tested and watched like a hawk. Undoubtedly there's going to come a point where if one or two of these viruses get out and something newsworthy happens (airport computers crash, Citigroup gets credit card data stolen, etc.), the whole idea of RFID tags everywhere is going to get a serious black eye.

Re:Mighty If-fy (0)

Anonymous Coward | more than 8 years ago | (#14925162)

So to sum up, if some programmer doesn't do his/her job, the RFID tag they plan on implanting in our passports could be used as delivery devices to compromise computer systems around the globe.
Well, there goes another good plan for world domination. Darn.

G.W.

Silly Government, technology can be hacked! (1)

Attis_The_Bunneh (960066) | more than 8 years ago | (#14923527)

I believe I was discussing such scenerios with friends before and considered that one could easily pass viruses this way, especially if the RFID chips are attached to other networks. Oh joy, proof that the more control the idiots in government try to squeeze the less secure they become each time. :)

-- Bridget

Porterhouse steaks at last! (2, Funny)

smooth wombat (796938) | more than 8 years ago | (#14923530)

...from altering the backoffice of a supermarket...

Cashier: Um, $1 for 2 steaks? That can't be right.
Me: Sure it is. Look at the sticker. 50 cents a pound. The steaks weigh two pounds thus $1 for two steaks. Mad cow and all that.
Cashier: Ok, if the sticker says so, it must be right. *scan* *beep!* *scan* *beep!* *scan* *beep!*

Re:Porterhouse steaks at last! (1)

Opportunist (166417) | more than 8 years ago | (#14923687)

Considering that with RFID, the wet dream of supermarkets is that they don't need cashiers anymore but you just drive by with your cart and the (also RFID'd) CC in your wallet, I think that problem won't exist.

Re:Porterhouse steaks at last! (4, Insightful)

smooth wombat (796938) | more than 8 years ago | (#14923791)

This may be true but I still pay by check though I'm considering moving to cash, just like I do for gas. Cash only.

Yeah, it drives the credit agencies nuts because they can't track my credit history because I almost never have a credit bill (excluding my monthly ISP charge). The best they can do is see that I pay all my bills (electric, cable, etc) on time.

Merchants are certainly stymied because they can't gather enough information on me so they can't send me their snail mail spam.

No, I'm not paranoid. I just hate debt. Debt is evil. It sucks the life out of ones finances and inhibits the accumulation of wealth.

Granted, the current administration doesn't understand this but that's a whole other issue.

Re:Porterhouse steaks at last! (3, Insightful)

Opportunist (166417) | more than 8 years ago | (#14923852)

In 2 years you'll get a discount for paying with your card (or pay more for cash, even though they'll still call it a discount).

In 5 years you won't get anything at a huge supermarket chain anymore without card. Won't work? People will refuse to shop there? Think of some of the huge outlets that only let you IN when you got a card and go figure.

Awesome line (4, Funny)

nexcomlink (930801) | more than 8 years ago | (#14923533)

"the virus on its tag infects the supermarket's product database, potentially wreaking all kinds of havoc such as changing prices."

Free beer anyone?

Re:Awesome line (1)

bloobloo (957543) | more than 8 years ago | (#14923629)

Only if it is free as in speech too. :-)

user input (4, Insightful)

mtenhagen (450608) | more than 8 years ago | (#14923555)

An RFID tag is the same as any user input and can not be trusted. When your applications are programmed with this in mind from the start this shouldnt be a problem.

But ofcourse there are nowadays lots of websites which are vurnerable for sql injection and similiar hacks. Even google had a cross site scriptiog exploit.

And in other news (1)

dan the person (93490) | more than 8 years ago | (#14923996)

Security researchers have discovered that accepting input from a webpage can expose you to viruses if your webserver software is vunerable to viruses.

Virus Virus (1)

poeidon1 (767457) | more than 8 years ago | (#14923556)

everywhere, but not a single one which is in my control.

Newcastle Brown Ale RFID (2, Funny)

digitaldc (879047) | more than 8 years ago | (#14923557)

I swear it's on sale! $9.99 a case, just check the RFID tag!

I'll take 10 please.

Implications for prices (1)

doktorstop (725614) | more than 8 years ago | (#14923560)

Totally fascinating... so in the near future we can expect the airport/supermarket security to immediately arrest anyone with a working IPAQ =)
Seriously thou, think of the implications! You could actually increase all the pricetags at your local Wallmarrt...

Ai Ai (1)

towsonu2003 (928663) | more than 8 years ago | (#14923590)

"Is Your Cat Infected with a Computer Virus?"
Call Schwarzenegger now, before my cat intentionally infects my microwave oven, which then will try to eat my dog and pass the infection along to other microwave ovens as well as american passports!

Pure FUD (4, Insightful)

Anonymous Coward | more than 8 years ago | (#14923597)

Only if the dimwits writing the RFID reading software are stupid enough to treat all rfid readings as 100% trustable OR does something stupid like allow scripting.

I can see a buffer overflow if your rfid is capable of generating a string massively larger than a normal rfid.

Outside of a SQL injection to get past a really poorly designed RFID reading application or plain stupidity in the RFID reading software part I can not see any way for a RFID to get the host reading PC to execute the code inside it.

Not pure FUD, just facts. (5, Insightful)

Vo0k (760020) | more than 8 years ago | (#14923870)

Except these dimwits DO treat RFIDs as trustable.
Not 'evil', just dumb. RFID reader is an insecure input device like any other, and you don't even need physical access to use it. But it seems nobody thought of preparing a barcode that could crash the cash register, recording a magnetic card that would infect the security system, etc. Some devices are thought to be too simple to mean danger - wrongly. I remember some old Atari games that would crash or misbehave if you'd open the joystick and pressed "left" and "right" simultaneously. I burnt electronics of a RC toy car by telling it to go forward and back at the same time. Got a motorbike to run backward by starting the engine by pushing it backwards. Managed to crash my cell phone by buffer overflow at battery load level sensor (it WAS a software failure!) Got a CD tray to stop halfway by simultaneously pressing the eject key and sending eject commands from the computer.

A toggle switch can be ballanced in the middle position. A pushbutton can be softly pressed make a spark-gap. Unconnected lines can be shorted. Even a single-bit input device cannot be trusted.

Re:Not pure FUD, just facts. (2, Funny)

PatTheGreat (956344) | more than 8 years ago | (#14925016)

Do you specialize in creatively breaking things?

bot-nets? (0)

Anonymous Coward | more than 8 years ago | (#14923598)

I imagine in the future rfid-kiddies will have bot-nets of them causing large scale DDOS attacks on our wallets =)

overhype (4, Insightful)

tomstdenis (446163) | more than 8 years ago | (#14923609)

It has nothing to do with the "evilness of RFID" and with the stupidity of the backend. An RFID tag is just a string of text. It's up to the backend application to sort it out.

This really is no different than replacing the barcodes on packages.

Tom

Re:overhype (1)

Roy van Rijn (919696) | more than 8 years ago | (#14923721)

Agreed... if some idiot wants to make the barcode-reader-backend execute sql code, then I can write a barcode virus too.

If they would just 'read' the RFID tag instead of putting code on it.. the only real problem they face is that the information could overflow. But that isn't so hard to counter.

Re:overhype (2)

tomstdenis (446163) | more than 8 years ago | (#14923891)

Exactly. this has nothing to do with a "virus" [ooo spooky!] in the RFID tag. It's no different than SQL injection attacks on the web or user interface bugs in video games.

Design crap software, expect user stimulus to break it.

This is only "news" because it has RFID in it and everyone loves to beat up on what they don't understand.

Tom

Re:overhype (1)

noidentity (188756) | more than 8 years ago | (#14924294)

"It has nothing to do with the "evilness of RFID" and with the stupidity of the backend. An RFID tag is just a string of text. It's up to the backend application to sort it out."

Someone could write really bad barcode reader software with the same vulnerability, or they could even (I know, I'm stretching things here) write software that overflowed based on how much a user typed into the keyboard. Somehow "if length > maximum" is too much to ask for.

Problem for Schrödinger (3, Funny)

Bromskloss (750445) | more than 8 years ago | (#14923635)

When he opens his box and finds that the poison is not let out, but the cat is still not alive (um, probably "dead anyway", to avoid unnecessary confusion in this matter (i.e., it won't suddenly "quantum wake up")) after having catched a RFID virus.

Minix (1)

richieb (3277) | more than 8 years ago | (#14923705)

Did anyone notice that the author of the article (John Markoff) refers to Minix as "heart of Linux"? Markoff has been writing on technology for NYT for umpteen years and I'm suprised he'd write something like that!

Hmmm... on the other hand he is the one who first wrote about that dangerous hacker Kevin Mitnick...

Re:Minix (1)

slashdotmsiriv (922939) | more than 8 years ago | (#14923926)

Duh, he is "part of a Tannenbaum research group in Amsterdam". He would write anything to please his Master...

Re:Minix (1)

REBloomfield (550182) | more than 8 years ago | (#14924741)

Author of what article? Markoff isn't invloved in anything in the submission?

Duh, but really: DUH! (1)

Opportunist (166417) | more than 8 years ago | (#14923714)

An SQL injection. Fine. OF COURSE it works if the backend application is written by some coder who has heard a few things 'bout SQL but has no idea of injections.

It's the backend that's the risk. Not the RFID tag.

multiple security systems (2, Insightful)

peter303 (12292) | more than 8 years ago | (#14923736)

By itself RFID could be insecure. But you could retain its simplicity and its advantages (extends reading to a couple meters; longer number ID) with a second layer of security.
For example at one urban college library they put the cardholders' face immediately on the screen. The cardholder could have a fake ID or borrowed a friends, but its much harder to fake a face image. And a image is much easier for the guard to process than some descriptive text. Likewise the RFID code reader could flash an image of the product to the cashier or warehouse clerk as secondary identification.

Re:multiple security systems (1)

maxwell demon (590494) | more than 8 years ago | (#14924498)

Of course this helps with switched RFID tags between products (i.e. if someone tries e.g. to buy a TV for the price of a box of potato chips). However, if the goal is to attack the system, by the time the cashier sees the image (or rather, doesn't see it) it is already too late: The attack already happened.

Free... (1)

Smauler (915644) | more than 8 years ago | (#14923819)

Someone has to write a virus to completely screw up a crappily implemented system. Therefore, finally we may be able to attain the holy grail : free (as in beer) beer!

RFID Viruses? Excellent! (3, Funny)

Eli Gottlieb (917758) | more than 8 years ago | (#14923824)

Good to know that the Mark of the Beast will be an insecure Mark indeed! Hell, I might even be able to hack it into a meer Mark of the Small Furry Critter.

You almost have to be an insider FIRST (3, Interesting)

Goldenhawk (242867) | more than 8 years ago | (#14923871)

A lot of good comments have already been made here, but I'm surprised nobody has commented yet on something that seems obvious: if you're going to hack into a system, you have to know a little bit about the system first. You can't simply design some buffer overflow exploit and trust it will "hack" the back-end system. That seems awful "Independence Day"-ish - you know, writing a virus here on Earth that somehow magically attacks and shuts down an alien computer system. Makes for exciting movies (if you're not minimally smart about computers) but it never works in the real world.

In this case, it seems to me that if you know enough about both ends of the process, sure, you can develop some method to penetrate the system. Most malware authors have the benefit of working on a very well-known platform - the Windows PC - with known software (one of the limited numbers of email or browser programs). But attacking a back-end system like this is a much more dicey proposition - each large corporation probably will have its own back end, and may be running any of a dozen OS-and-database combinations.

So to benefit from this attack, it seems to me that the author has to be an insider to stand a ghost of a chance of success. If he's an insider, there are MUCH easier ways to penetrate the system.

As a result, while I have great concerns about RFID, this strikes me as FUD.
1) Develop complicated, application-specific RFID attack that would never be real-world useful
2) Write research paper spreading more fear about RFID
3) PROFIT! (or at least get a lot of attention)

Re:You almost have to be an insider FIRST (2, Insightful)

maxwell demon (590494) | more than 8 years ago | (#14924630)

Scenario: Someone working at the IT department of a shop (thus having inside knowledge of the system) gets fired and wants to harm the shop. The shop will make damn sure that he will not have access to the system afterwards (and let's assume that network access is well protected, too). However, he may well be able to smuggle a malicious RFID tag into the shop. There it lies, unnoticed, until a few days later some unsuspecting customer buys the item thus tagged. As soon as the tag is read by the scanner, the attack happened.

Re:You almost have to be an insider FIRST (3, Insightful)

rk (6314) | more than 8 years ago | (#14924902)

"A lot of good comments have already been made here, but I'm surprised nobody has commented yet on something that seems obvious: if you're going to hack into a system, you have to know a little bit about the system first."

You're 100% right, but there will emerge from 1 to 3 dominant vendors of backend RFID systems, and they will be deployed in many places, many people will have knowledge of these systems, and help to learn about their underlying architecture will likely be found right on the vendor's website, or only a couple Google searches away. Like every other system out there, there will be a few weird custom jobs, but most of it will be off-the-shelf software that thousands of organizations use.

Today's theoretical often winds up being tomorrow's practical.

RFID Software vulnerabilities (2, Interesting)

Philodoxx (867034) | more than 8 years ago | (#14923929)

The problem I have with the idea of an RFID virus is that most RFID middleware is based on either .NET or Java. I'm not saying it's impossible but the prospect to propagating a virus by RFID tag becomes a whole lot harder if they have to put MSIL or Java bytecode on the tag. I've developed a few RFID applications and all of the incoming RFID data are numbers (e.g. id: 12345) and I just look that information up in a database. It's not like I'm storing "SELECT * FROM table WHERE id = 12345" on the tag and then executing it blindly.

Re:RFID Software vulnerabilities (1)

Mirage (9375) | more than 8 years ago | (#14924458)

I'm not sure you understand an SQL injection attack. In your example, your query would be something like "SELECT * FROM table WHERE id = " + tagID. If the valid RFID tag gives you "12345", all is well. If the altered RFID tag gives you "12345 or 1 = 1", well, you've got a problem. If your tagID is a numeric or you check the data you receive from the tag, you'll be fine, but if you just take in the data as a string or byte array, you're susceptible to this attack. Obviously my example doesn't fall into the virus category, but it gives you an example of how the attack works.

Re:RFID Software vulnerabilities (4, Informative)

Philodoxx (867034) | more than 8 years ago | (#14925130)

I'm not sure you understand how RFID tags work. There are a variety of standards on how RFID tags are encoded, all of which break down into partitioning the tag's data into segments to form the unique identifier

For the sake of argument I'll use EPC SGTIN96. In the SGTIN tag has four partitions: Filter, Company Prefix, Item Reference, and Serial Number. Each of these fields is of varying size depending on how big tag is. Typically RFID tags are 96 bits (although some tags can get up to 1Kbit), even using 7 bit ascii there's not a whole lot you can fit in 96 bits. When I poll the reader, or the middleware I'm getting back a number, e.g. 12345 and it's my responsibility to parse through that number to get the fields I'm interested in. In this scenario I would have to be doing some *very* sloppy programming to open myself to an SQL injection attack (something along the lines of treating known numeric data as a string).

ISO and EPC Gen 2 tags do support custom data, which I suppose could be used to store strings but since it is severely space constrained (typically in the range of 2-32 bytes) I question the viability of such an attack. Not to mention that the field will likely be used to writing in ids instead of human readable data. Finally, it is common to encrypt the custom payload on an rfid tag. So even if somebody were to change it to "AND 1 = 1" it would be caught when the program tries to decrypt the tag.

Solution is easy... (0)

Anonymous Coward | more than 8 years ago | (#14923983)

Simply disinfect the offending device with a RFID zapper [events.ccc.de] . Oh, wait...

This paper is retarded (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#14924338)

The authors assume that the tag contents are dropped directly into an SQL query or executed directly as code. Of course that's a virus vector.The same thing can be said if your web site search form did no text validation.

It would even work for an optical barcode system. One barcode corrupts the database, and any future barcodes that are printed out have the virus printed in them.

Tanenbaum not Tannenbaum (1)

Multichill (805463) | more than 8 years ago | (#14924522)

Andrew S. Tanenbaum to be exact.

Ludicrously dumb (0)

Anonymous Coward | more than 8 years ago | (#14924849)

This has to be one of the most ridiculous pieces of headline-grabbing misinformation I've ever seen - their 'scenarios' are so contrived as to be completely laughable. Unfortunately this is just the sort of junk that the avarage idiot jounalist latches onto to further spread misinformation and nonsense.
You could write similar 'scenarios' with barcodes, but nobody would notice, just becasue some ignorant people seem to theing RFID is some kind of magic, they will probably believe this and the industry will likely suffer damage as a result.

Article is crap (1)

RagingChipmunk (646664) | more than 8 years ago | (#14925079)

The article is crap. More clueless acedmia. Hello - did anyone at this prestigous institute actually TRY to write a virus for the RFID tag? The article implies they might have. But, frankly, i doubt it - as an RFID tag has about 256 bytes of capacity. Wow, what horrible evil virus could be unleashed in 256 bytes.

Fouling up sloppy backend SQL code is one thing. Implying that my infected cat will slow to a crawl, barf up pr0n-storm hairballs and begin all night cries of "Viagra! Cialis!" because of its RFID tag is just rediculous.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...