Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Virus Jumps to RFID

Hemos posted more than 7 years ago

109

MrShaggy writes "According to a BBC article, researchers have been able to make the jump between RFID tags and viruses. They found that the mere act of scanning a mere 127 bytes could cause an attack vector that would corrupt databases. From the article;'"This is intended as a wake-up call," said Andrew Tanenbaum, one of the researchers in the computer science department at Amsterdam's Free University that did the work revealing the weaknesses on smart tags. "We ask the RFID industry to design systems that are secure," he said.'"

cancel ×

109 comments

FUD? (5, Insightful)

LiquidCoooled (634315) | more than 7 years ago | (#15731639)

Hang on a minute, in this case the tag is not the problem.
It is the software running on the host machine which does not validate the data coming from the tag that has major issues.

If I can corrupt a database by entering an invalid lookup code then theres something severely fucked up.
My bet is its something like the sql injection attacks we see on the web, and you don't see people blaming the input box in those cases.

quote from the article:

In some cases, said the researchers, viruses could be spread by household pets such as cats and dogs that are injected with the tags to help identify their owner.

The pets aren't going to be spreading this "virus" themselves its not sexually transmitted, it cannot be passed by rubbing up against your leg. It will be the vets computer which gets infected because of crappy validation.

MEOOOOOOOOEEEEEEEEOOOOOOOOOOOWWWWWWWWWWWWW!

Charlie says: always validate your external inputs before doing any data processing.

Smart tags, dumb research.

(and thats coming from someone who doesn't like RFID)

Re:FUD? (4, Insightful)

andrewman327 (635952) | more than 7 years ago | (#15731688)

I could not agree more. I fail to see how (in this case) RFID tags are any more dangerous than barcodes. This should be a wakeup call to developers to remember to include basic validation and error catching into their programs. Just because it is new and flashy, some people think it is a panacea that has no problems. I have learned always to write code remembering Murphy's Law because in computer science, everything does go wrong at one point or another. This story should not make people stop using tags, but it is always worth asking your vendor about security, especially if you are implementing an RFID system.

Re:FUD? (3, Interesting)

StarvingSE (875139) | more than 7 years ago | (#15731839)

This is very different from barcodes. A barcode has to be manually scanned, so you know when a system is reading the information and you can do (probably minimal) research into whether the software reading the barcode is secure enough to handle your personal data.

The trouble with RFID is that anyone scanning can pick up your tag without you knowing about it. This includes secure and non-secure software. If 99% of software reading these tags are secure, there is still that 1% that isn't and you wouldn't know that it picked up your personal info until you get the bogus credit card bills in the mail.

Re:FUD? (3, Informative)

DrSkwid (118965) | more than 7 years ago | (#15731876)

You have totally missed the point.

I walk up to the reader with a crafted RFID and infect the database.

This is "I can to read ANYONE's card" not "anyone can read MY card".

Bit obvious really : "don't trust random stranger's data" - Film at 11

Re:FUD? (1)

jackbird (721605) | more than 7 years ago | (#15732035)

Yes, affixing a sticker with a malicious barcode over a legitimate one, then trying to make a purchase would be impossible. Not to mention a discount club key tag, which could be altered by the attacker at leisure.

Re:FUD? (0)

Anonymous Coward | more than 7 years ago | (#15732860)

Not to mention a discount club key tag, which could be altered by the attacker at leisure.

It may have slipped your ADD-shortened attention-span that the informations on the RFID-tag is encrypted, so, umm, no. Thanks for trying, though; not everyone can know this tech-stuff. Fucking moron.

Re:FUD? (0)

Anonymous Coward | more than 7 years ago | (#15733681)

Oh, well then it's it perfectly safe then, yanno, seeing how noones encryption scheme has ever been broken.

Re:FUD? (1)

sshutt (785646) | more than 7 years ago | (#15731864)

I agree it sounds like they've just missed off the validation stuff, and any programmer knows that an external input that they dont control could potentially be malformed and should be checked.

but forgive my ignorance but would an rfid tag actually contain enough information to do more than break a database? I'm still trying to figure out how it corrupts the database.

I'm guessing you can ger rfid readers that are also writers tag a infects reader, reader infects tag b, and so on, it could potentially become quiet widespread, but then I've already admitted ignorance so thats probably impossable right?

Re:FUD? (5, Informative)

LiquidCoooled (634315) | more than 7 years ago | (#15731926)

If the tag data is expected to be an alphanumeric code to represent the customer: Slashdot_LiquidCoooled_634315

this can be used (incorrectly) to produce a raw piece of SQL:

select * from Customers where Code='Slashdot_LiquidCoooled_634315'

if that code contains quotes and they are not being handled correctly then it is certainly possible to corrupt the database.

Suppose my RFID was programmed with something like this and it was not being validated correctly:

'; Drop table [customers];

The resulting SQL could end up something like:

select * from Customers where Code=''; Drop table [customers];'

bye bye customers table (if permissions set at defaults and the wind is blowing your way)

Re:FUD? (1)

sshutt (785646) | more than 7 years ago | (#15732057)

cheers, I've always had difficulty getting my head round that kind of flaw.

Re:FUD? (1)

espressojim (224775) | more than 7 years ago | (#15732868)

Who even writes SQL these days directly?

In java (and hey, could be similar with RoR, etc), you write your web tier stuff to a middleware layer. There, we use Hibernate and HQL. That sort of crap 'just wouldn't parse' in HQL or criterion queries, as it would not be a valid parameter for "?".

Heck, even writing SQL, why aren't you writing parameterized prepared statements? Doesn't that also make you immune to this sort of crap?

"Select * from customers where Code = ?"
setParam(1, myCraptasticUntextedVariable); // do this in your language of choice.

Or, am I missing something neat here? I like learning even more than being right...:)

Re:FUD? (1)

h4ck7h3p14n37 (926070) | more than 7 years ago | (#15732947)

Sadly you're right, many developers would make a direct call to the database with the invalid data versus calling an API function that hides the underlying implementation and does proper validation/error handling. Blame poor design, ignorant developers, etc. but not the data.

Lets introduce the RFID devs to error handling... (1)

tubapro12 (896596) | more than 7 years ago | (#15732677)

I'm a software developer and I couldn't agree with you and grandparent (and probably 99% of the other people who reply) any more. If I wrote a program with such a fault (which I wouldn't) I most definitely wouldn't be calling it a virus. Something like this no different than a program crashes when it gets unexpected input etc.

Totally agree (-1, Flamebait)

mustafap (452510) | more than 7 years ago | (#15731727)

This just sounds like typical academic marketing fluff. "Look, I'm doing important stuff! Not just Minix3!!"

Tanenbaum is a puff ball.

Like the JPEG "virus" (4, Interesting)

kherr (602366) | more than 7 years ago | (#15731738)

It is the software running on the host machine which does not validate the data coming from the tag that has major issues.

Absolutely. This is just like the Windows JPEG "virus" that was due to buggy JPEG parsing. Describing RFIDs as an attack vector is appropriate, but inert data can not be a virus. You typically don't execute images or identification information. Perhaps there needs to be some catchy name for this type of attack, but really it's just a new example of the common overflow bug.

Re:Like the JPEG "virus" (3, Insightful)

morgan_greywolf (835522) | more than 7 years ago | (#15732021)

Perhaps there needs to be some catchy name for this type of attack, but really it's just a new example of the common overflow bug.


How's about "programmer dumbass attack"? Seems quite apt, to me. Any programmer worth his salt knows that he has to check for invalid data, yet so many software developers (both open source and closed source) let code go to production levels that fails to perform even the most basic of validations.

Maybe we need to send a bunch of programmers back to basic training! "Security boot camp"! Only let's make it real tough: make them all write basic currency conversion programs and for every piece of invalid data that makes it through without being validated, that program's author loses a finger! That'll teach 'em! :-P

Re:Like the JPEG "virus" (5, Insightful)

Anonymous Coward | more than 7 years ago | (#15732460)

Absolutely. This is just like the Windows JPEG "virus" that was due to buggy JPEG parsing. Describing RFIDs as an attack vector is appropriate, but inert data can not be a virus.

Inert data can certainly be a virus: that's especially true in biology, where the entire virus metaphor arose in the first place. After all, virus is an piece of inert genetic data. When in contact with a live host, it alters the behaviour of the host; but without a host system to carry it, viruses are inert. Some people like to characterize them as the boundry case between "living" and "non-living": they're an inert substance that alter living beings in a self-replicating way to make more of themselves; in that sense, they "reproduce", despite not being "alive".[1]

As for your original point, you're right that it's probably not correct to call RFID tag exploits "viruses": but not because viruses are inert. It's because the RFID virus is not being copied on by the host system it contacts; although, it sounds like it should be possible to craft a virus that does, assuming you could infect the RFID code writing software.

--
AC
[1] People debate terms like "alive", "dead", "reproduce" for hours on end, until they realize they're arguing over definitions, which by definition is pointless....

Re:Like the JPEG "virus" (0)

Anonymous Coward | more than 7 years ago | (#15732870)

How about calling such an attack poison?

Stay healthy: never consume poisoned data.

Re:Like the JPEG "virus" (3, Insightful)

RovingSlug (26517) | more than 7 years ago | (#15732980)

Perhaps there needs to be some catchy name for this type of attack

How about "poison" instead of "virus", since its presence may cause illness or death but does not self replicate. As in "attackers injected poison RFID tags into system, which is now inoperable until repairs are made."

Re:Like the JPEG "virus" (1)

GeorgeFitch3 (988277) | more than 7 years ago | (#15734110)

Perhaps there needs to be some catchy name for this type of attack...
RFID injection attack?

Re:FUD? (3, Insightful)

Technomonics (970384) | more than 7 years ago | (#15731755)

Yes, definately FUD. This article is almost ridiculous in its basis in fact. If the RFID is akin to a barcode or serial number, then where in the barcode is executable code? If I were the maker of a RFID reader, I would make damn sure that I would check it throughly for being an appropriately-formed serial number. Then, the worst thign that happens is that the RFID serial number is rejected due to not being found in the database. Have the dvelopers gotten so lazy and dumb that bounds checking becomes a lost art? This article is merely sensationalizing a non-issue. Currently, I dont have any equipment in my house that scans RFID's and, even if I did, I wouldn't expect Tabby to be blowing up my PC sometime soon.

Re:FUD? (4, Insightful)

Z0mb1eman (629653) | more than 7 years ago | (#15731785)

I agree that was my first (knee-jerk?) reaction after reading the somewhat FUD-ish summary. However:

"We ask the RFID industry to design systems that are secure"

If the "RFID industry" creates the reader software as well, and if the vulnerability is in that reader software (which is what it sounds like), then the criticism is perfectly valid.

FTA:

""Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong," wrote the trio in their research paper."

and

"The researchers urged companies working on RFID systems to start thinking seriously about security measures to protect against future threats."

No one's really saying the tags are inherently insecure, any more than they might say that a floppy disk or a CD are insecure. If the reader software currently has many vulnerabilities, no matter how obvious it might seem in hindsight, this seems like valuable research to me.

Re:FUD? (2, Insightful)

bit01 (644603) | more than 7 years ago | (#15733912)

If the reader software currently has many vulnerabilities, no matter how obvious it might seem in hindsight, this seems like valuable research to me.

No hindsight required. Any programmer not validating input, particularly from an untrusted source, is simply incompetent.

This isn't "research" as such, merely exposure of incompetents.

The fact that RFID is the vector is irrelevant. Though if the programmers and testers were this incompetent with something as simple as RFID data I hate to think how badly they'd mess up something "complicated", like configuring basic database security, or actually complicated, like software security that can deal with malicious staff.

---

Don't be a programmer-bureaucrat; someone who substitutes marketing buzzwords and software bloat for verifiable improvements.

Re:FUD? (0)

Anonymous Coward | more than 7 years ago | (#15731801)

I guess the same theory applies to barcodes and marker pens then.

Re:FUD? (1)

rowama (907743) | more than 7 years ago | (#15731857)

Smart tags, dumb research.

Impossible. Andrew Tannenbaum did the research:)

Re:FUD? (2, Insightful)

plague3106 (71849) | more than 7 years ago | (#15731922)

If I can corrupt a database by entering an invalid lookup code then theres something severely fucked up.

Who said the lookup code had to be invalid? Simply broadcasting a valid signal for a product would be sufficent to corrupt the database. You can trick inventory systems into thinking they have 500,000 razor blades, when they only have 100,000.

Is it data, or is it code? (2, Insightful)

davidwr (791652) | more than 7 years ago | (#15731941)

If you merely store and read data - ANY DATA - and do not interpret it, it cannot carry a virus.

The minute you start interpreting data you have to treat it as potentially hostile. This goes for computers AND people. There's not much difference between a "hostile" data-set that the attacker knows will be interpreted as SQL code that he can use to corrupt an automated-supply-ordering system, a hostile data set that the attacker knows will be interpreted as a false we-are-low-on-inventory-order-more or we-have-enough-inventory-don't-order-more tag by a an automated-ordering system, and a hostile data set that the attacker knows will cause a human being to falsely think inventory is low or high and act accordingly.

BTW, the latter is easy enough to do: replace RFID tags that say "quantity 1 unit" with "quantity 1 pallet of 200 units" or vice-versa and hope no input-validating-computer or -person notices.

To borrow a phrase, "Garbage in, garbage out."

Re:Is it data, or is it code? (1)

UncleFluffy (164860) | more than 7 years ago | (#15732843)

If you merely store and read data - ANY DATA - and do not interpret it, it cannot carry a virus.

Storing is enough to enable a buffer overflow, which is enough to make the payload active

Re:FUD? - no fud (0)

Anonymous Coward | more than 7 years ago | (#15731983)

The makers of these systems design, advertise and sell these products as a complete solution.

When they are talking about RFID they are not talking about the chip itself, but the whole system: tags, readers, back end software complete.

I admit that the issue is not with the tag, but it is with the solution that is called RFID.

vajk

Re:FUD? (1)

Intron (870560) | more than 7 years ago | (#15732026)

I don't think you need anything as complicated as SQL on the tag.
RFID tag
--------
Item: Stay-puf marshmallows
Qty: -2000000
Price: $1.99

...processing...
Added -3980000 to total
Subtracted $-3980000.00 from your debit card.
Your new balance: $3980427.54

Good thing this was not in the US (2, Insightful)

gasmonso (929871) | more than 7 years ago | (#15731661)

They could have been sued for violation of the DMCA. We don't want any weaknesses exposed by researchers in the early stages... we'd rather have them exposed maliciously after its too late!

http://religiousfreaks.com/ [religiousfreaks.com]

Re:Good thing this was not in the US (2, Interesting)

andrewman327 (635952) | more than 7 years ago | (#15731741)

What does hat color have to do with how evil someone is? Lock them up for their hacking ways! [/sarcasm]


While I doubt that anyone would have been charged for this in the USA, I agree that the DMCA hampers some meaningful research. To be fair, however, all this project did was prove something that most of us could have figured out on our own: GIGO!

Research shows... (0)

Anonymous Coward | more than 7 years ago | (#15731678)

that if you blindly accept user input without any sanity checking, bad things mad happen.

Mmmmm (0)

Anonymous Coward | more than 7 years ago | (#15731679)

They found that the mere act of scanning a mere 127 bytes ...

That's merely amazing!

Correction on the University name (3, Informative)

MartijnL (785261) | more than 7 years ago | (#15731699)

The University is called the "Vrije Universiteit" or VU for short ( http://www.english.vu.nl/home/index.cfm/ [english.vu.nl] ). Which is not "Free as in Beer". It also didn't stand for Free as in: open for everyone. That didn't come along until the 1960's.

Re:Correction on the University name (1)

clacke (214199) | more than 7 years ago | (#15732595)

You mean, exactly as in English? How does this make "vrije" not mean "free"? Only on /. would someone automatically assume this has something to do with one particular meaning of the word.

The university policy seems to be not to translate the name, so the newspaper should have followed that, but the translation certainly is correct. Many organisations (including universities) translate their names in an international context and some of the personal homepages on the VU translate the name, so I wouldn't be too hard on the BBC for this slight transgression.

Of course, the only thing sillier than a nit-picker is its jealous cousin, me.

Re:Correction on the University name (1)

ReinoutS (1919) | more than 7 years ago | (#15732699)

So you forgot to explain what it did stand for: free from State or Church influence. Obligatory wikipedia link. [wikipedia.org]

Free University Compiler Kit (VUCK) (1)

SimHacker (180785) | more than 7 years ago | (#15735167)

The Amsterdam Compiler Kit was originally known as the Free University Compiler Kit (or VUCK, since V stands for Free in Dutch). RMS wrote: [gnu.org]

I would say that since the time about two and a half years ago when I actually started working on GNU, I've done more than half of the work. When I was getting ready to start working on the project, I first started looking around for what I could find already available free. I found out about an interesting portable compiler system which was called ``the free university compiler kit'', and I thought, with a name like that, perhaps I could have it. So, I sent a message to the person who had developed it asking if he would give it to the GNU project, and he said ``No, the university might be free, but the software they develop isn't'', but he then said that he wanted to have a UNIX compatible system too, and he wanted to write a sort of kernel for it, so why didn't I then write the utilities, and they could both be distributed with his proprietary compiler, to encourage people to buy that compiler. And I thought that this was despicable and so I told him that my first project would be a compiler.

...The rest is history...

-Don

Bad news (-1)

voice_of_all_reason (926702) | more than 7 years ago | (#15731721)

It's a good thing most of the first world is working on getting RFID part of a de facto national ID. Nothing bad could possibly happen.

British policeman 1: Look lively, bloke. Me magic box says that 80-year old wheelchair-bound Inuit woman is really a terrorist!
British policeman 2: (cocking pistol) Seven shots to' the back 'o the head. Like usual, eh?

Re:Bad news (0)

Anonymous Coward | more than 7 years ago | (#15732047)

They don't carry firearms

Makes me kind of glad (2, Interesting)

mcguiver (898268) | more than 7 years ago | (#15731724)

I am glad that the viruses have started coming out for RFID devices before they started implanting them in my head. But it doesn't suprise me that people were able to find a way to create a virus for them. Hopefully it will cause those who are thinking about using RFID in everything (implanting in people, using as gun safety devices etc...)to reconsider before doing a wide distribution.

I, for one, would rather not have electronics malfunctioning in my body. Sometimes I have a hard enough time just keeping my body functioning. Who knows, before too long we may need to staff doctors and engineers in hospitals.

Re:Makes me kind of glad (0)

kasgoku (988652) | more than 7 years ago | (#15731874)

lol... so true. yea seriously, the government is making it seem like it is a heavenly thing, can't be hacked or affected by any virus. But actually it is not different from any portable electronic device that uses radio waves or whatever. But then again, everything is vulnerable and we have to take risks in everything. govt. should do extensive research before implementing it openly. good point.

Re:Makes me kind of glad (1, Insightful)

Anonymous Coward | more than 7 years ago | (#15733611)

The tag in your head wouldn't be the problem. All the tag in your head does is say, "I AM HERE" when exposed to a magnetic field-- it does not receive anything. It's not even a virus in the classical, computer science sense -- more like fitting a square peg in a round hole. You might be able to do it, but you'll probably break the hole doing so. That's not the fault of the peg (the RFID chip), but rather the person (the software) not recognizing what is garbage data. Thus, if a malicious person knows a particular SCANNING device is susceptible to bad input errors, they could write an RFID tag to screw up that machine.

The problem is in the software which hears the message broadcast by the chip. The software could be poorly coded so that the device READING your chip can crash if it doesn't understand the message your chip is broadcasting.

So directly speaking, you wouldn't keel over and die from an RFID "virus". However, you would probably want to stay away from an RFID scanning robot that could tear your head off thinking it's a package to put on the conveyor belt.

Erm (4, Informative)

LordPhantom (763327) | more than 7 years ago | (#15731762)

2 words - Input Validation

This article can be summed up in the following sentance:

OH NO! Anyone can put ANYTHING on a tag that might be read by database software! Horrors!

C'mon people, this is basic data security 101 - never trust inputs without validation. This isn't a problem with insecure tags, it's a problem with import software/database code.

Re:Erm (1)

plague3106 (71849) | more than 7 years ago | (#15731952)

Fine, how does the computer know if you're getting a shipment of razors, or if its just some guy broadcasting the signal from his laptop?

Re:Erm (1)

LordPhantom (763327) | more than 7 years ago | (#15732030)

2 Seperate things here.
#1 - "Virus" implies code that can be executed to create a security breach.
#2 - Incorrect Data (what you're talking about). There are ways around this problem, but the article is talking about using the very small amount of data that can be stored on RFID chips as a vector for attack on the software/database it is stored in, and the above comment applies to this.

Re:Erm (0)

Anonymous Coward | more than 7 years ago | (#15732106)

What the hell is a 'sentance'? Back to school for you! [reference.com]

Re:Erm (0)

Anonymous Coward | more than 7 years ago | (#15734947)

What the hell is a 'sentance'? Back to school for you!

What the hell is a typo nazi? Back to "I'm too fucking stupid to make a real contribution, so I'll look for typos and grammar errors instead, thinking that makes me look smart" school with you. Fucking dick diddler.

Stupidity can open the door for malice (1)

DragonHawk (21256) | more than 7 years ago | (#15733258)

"this is basic data security 101 - never trust inputs without validation"

Of course, one problem is that it looks like most programmers never took Data Security 101.

This isn't a problem with RFID tags, per se, of course. But it does bring up an interesting point: Even if some [walmart.com] big [homedepot.com] company [staples.com] intends to be completely nice about their RFID tag usage (and that is far from a given), some bad guy might be able to subvert the system to do bad things. The more data big companies have on you, the worse those bad things might be.

This is all pure speculation, of course, but history is full of examples where good ideas backfired when abused.

#ERROR (3, Informative)

Doomedsnowball (921841) | more than 7 years ago | (#15731766)

I can see premade RFID tags containing SQL code being sold on eBay. Lower your grocery store prices, evade background checks, travel anonymously, use VIP entrances, ignore 'Authorized Personnel' signs! This is total FUD. The database equivalent of believing everything you hear. If there is no authenticating, then it's no surprise that there could be malicious hacking. The real story is that if it is possible to have a single binary check system, someone could change their Zero value to a One to defeat it.
Noooooooooooooooooo!!!

Re:#ERROR (1)

mevryck (931270) | more than 7 years ago | (#15733815)

RFID technology has got a lot of lurking dangers... RFID tags enable unethical individuals to snoop on people and surreptitiously collect data on them without their approval or even knowledge. Lacking their own power source, the chips are also susceptible to so-called power-consumption hacks. RFID tags can be breached to cause a denial-of-service attack on the tags, using cheap store-bought radio transmitters. RFID tags not only carries the danger of privacy violations, but also of new vectors for computer viruses. RFID tag can be used to send a SQL injection attack or a buffer overflow.

Re:#ERROR (1)

dorkygeek (898295) | more than 7 years ago | (#15734765)

RFID tags not only carries the danger of privacy violations, but also of new vectors for computer viruses. RFID tag can be used to send a SQL injection attack or a buffer overflow.

Wooo, the horrors! And so can Slashdot, an image, a DVD or the email your mother just sent to you. If a programmer does not do input validation or leaves its code open to buffer overruns, everything can be the carrier of a virus. There is no particular danger coming from RFID, only from dumb developers of reader software.

read only (3, Informative)

Lord Ender (156273) | more than 7 years ago | (#15731804)

So a specially-crafted RFID tag could cause code to execute on a vulnerable RFID reader. That's not a virus. But if this code causes the RFID reader to begin writing copies of the bad data to tags, then we have a virus.

But read-only RFID tags and RFID readers are much cheaper than the writable kind, so this is not very practical. And RFID tags typically can't hold bit strings which are long enough to contain useful software. So, again, this is a bit silly.

useful software in small packages (1)

davidwr (791652) | more than 7 years ago | (#15732092)

It's not applicable to the RFID scenario, but some on some systems, very dangerous software can be packed in a very small amount of space.

Imagine a machine that had the following library routines:
Routine #1: Alert user to input a blank CD and copy x bytes of data from Y location, perhaps a location on the internet, to the CD
Routine #2: Erase the hard disk
Routine #3: Reboot the system from the CD

With only 3 function calls - probably well under 127 bytes of code, I can cause the machine to reboot and load the arbitrary data I just wrote to the CD.

A more real-world example is a bootloader: The first stage of a bootloader is a very useful, some would say essential, program, and it typically runs in 512 bytes.

Re:read only (2, Informative)

Peter Mork (951443) | more than 7 years ago | (#15732632)

"So a specially-crafted RFID tag could cause code to execute on a vulnerable RFID reader. That's not a virus. But if this code causes the RFID reader to begin writing copies of the bad data to tags, then we have a virus."

The real article [rfidvirus.org] (not the lame BBC article) describes how to construct a self-replicating virus that copies itself to RFID tags as they are written. They also describe how to create RFID worms. The attack vectors are basically SQL injection, cross-site scripting, and buffer overflows.

I've certainly got no problem... (0)

Anonymous Coward | more than 7 years ago | (#15731809)

when something breaks that was,like DRM, invented by Hitler.

Hillarious (0)

Anonymous Coward | more than 7 years ago | (#15731824)

From the article:

In some cases, said the researchers, viruses could be spread by household pets such as cats and dogs that are injected with the tags to help identify their owner.

Whats are those key words for out at a glance viewers:
Virus? Spread? Owner? Pet?

Someone has forgot what they are talking about while trying to spread FUD with the pet angle.

Re:Hillarious (1)

El Torico (732160) | more than 7 years ago | (#15732051)

In some cases, said the researchers, viruses could be spread by household pets such as cats and dogs that are injected with the tags to help identify their owner.

This may explain why I keep finding Petsmart price lists and my Phidgets RFID Kit next to the cat food bowl.

oh no!! (3, Funny)

preppypoof (943414) | more than 7 years ago | (#15731838)

They found that the mere act of scanning a mere 127 bytes could cause an attack vector that would corrupt databases.
looks like their grammar databases have already been corrupted...

Re:oh no!! (1)

robertjw (728654) | more than 7 years ago | (#15731884)

Fortunately the grammer NAZI databases are still intact.

I'm sorry Uncle Kent; I lost my thesaurus (3, Funny)

spun (1352) | more than 7 years ago | (#15731939)

Brockman: Big game fever is reaching a fever pitch as the
                fevered rivalry between Springfield U. and
                Springfield A&M spreads like wildfever. [looks
                offstage] This is writing?
Intern: I'm sorry Uncle Kent; I lost my thesaurus.

What about other forms of external data? (3, Insightful)

JanusFury (452699) | more than 7 years ago | (#15731847)

This is a good example of how people will sometimes trust data that isn't trustworthy at all.

I'd be willing to bet that someone with enough cleverness and free time could come up with a 'credit card virus' that could compromise specific vulnerable payment systems/credit card processing devices when swiped. For all we know, there may already be such exploits out there now. At least in the case of credit card processing, it's financial code so hopefully there are some stringent security processes along with multiple layers of verification, but still - pretty scary to think about.

Re:What about other forms of external data? (1)

Joe The Dragon (967727) | more than 7 years ago | (#15732254)

or some may want to shut down a ETC system to get out of paying tolls

Re:What about other forms of external data? (1)

SatanicPuppy (611928) | more than 7 years ago | (#15733854)

Speaking from experience...Financial code is usually secure only because it is usually too stupid to be fooled. The financial databases where I work wouldn't even notice a sql injection attack; they're not smart enough to process one, even if someone was clever enough to put it through the "validation" process used to homogenize the data.

Making something too stupid to be hacked is an excellent line of defense where this kind of hacking is concerned...You can't trick it into doing something it can't do.

Slash Dot gets another scoop (0)

Anonymous Coward | more than 7 years ago | (#15731909)

Way to keep upto data SlashDot.... this same exact problem was reported like over 6 months ago....

Re:Slash Dot gets another scoop (1)

Architect_sasyr (938685) | more than 7 years ago | (#15733889)

Ok, I know this is off topic...

I am getting sick and tired of the anonymous coward bullshit out there... so a couple of things that I feel need to be said

/. != digg Are you surprised??
/. is headed up by a core team of authors. It isn't the crappy mess of digg, (not flaming), nor is it the structured evil of bbc (flaming). It is headed up and maintained by a couple of people who actually have an interest in other things. Yes that's right, they are interested in other things.

Rather than trolling over /. (and yes I did bite) why don't you submit a story? It saves the bullshit everyone else has to deal with AND you can use your name for prestige and glory amongst your local AOL crew.

Yes I am posting with my real name? Screw these anonymous cowards

oh no! (2, Informative)

joe 155 (937621) | more than 7 years ago | (#15731928)

well these people weren't the first to do this, nor will they be the last. I first read about this on the 15th of March, and the malware itself has been publically available since then... it's all in the register article, here: http://www.theregister.co.uk/2006/03/15/rfid_tags_ infected_by_virus/ [theregister.co.uk]

Re:oh no! - Same story (1)

Multivitavim (957111) | more than 7 years ago | (#15732864)

That's the same news item, aye. Note that the BBC item linked in today's Slashdot story is itself also from 2006-03-15.

Not a RFID problem, more a database flaw (3, Insightful)

Opportunist (166417) | more than 7 years ago | (#15731942)

As much as I distrust RFIDs, and as much as I detest the way they are being used, this is a problem of the backend, not the RFID itself. It's an ancient problem of databases with data injection that has been used for years now, on the internet, to inject data into online databases or to mess with them generally.

It's not really new news either. I think I remember that report from about a year ago when RFIDs in our passports became an issue and Tanenbaum raised those concerns. So is this something new or do the old news get repeated for a lack of anything new?

Must be summer, all the politicians are on holiday...

Old News... (1)

darcling (987237) | more than 7 years ago | (#15731982)

This was reported as "the first RFID virus" (though it was really just a proof of concept) months ago... I read it on Slashdot : P Note the date at the top of the page referenced above: Last Updated: Wednesday, 15 March 2006, 18:02 GMT And the FUD starts all over again : )

Re:Old News... (1)

giafly (926567) | more than 7 years ago | (#15732020)

Please mod parent up! Is your cat infected with a computer virus? [thechilli.com] Is your cat infected with a computer virus? It might be. Many pets, as well as commercial livestock, have been injected with a tiny RFID tag microchip that can identify them if they get lost (pets) or are later found to harbour disease (livestock). Up until now, no one thought these RFID tags could themselves be infected with computer viruses. Now researchers at the Vrije Universiteit in Amsterdam have discovered that computer viruses in animals, supermarket products, airline baggage and other physical objects are a real threat.

A mere 127 bytes? If only they had more (2, Insightful)

davidwr (791652) | more than 7 years ago | (#15731992)

Just imagine what they could do with a mere half a megabyte [slashdot.org] .

Re:A mere 127 bytes? If only they had more (2, Funny)

lxs (131946) | more than 7 years ago | (#15732376)

Just imagine what they could do with a mere half a megabyte.


Considering Andy Tannenbaum is involved, I imagine they would probably port Minix to it.

I already hacked my new RFID passport biometrics (-1, Troll)

Anonymous Coward | more than 7 years ago | (#15731997)

I figure any terrorists that might want to kill Americans would be scared off by my 13 inch penis and the potential for SQL injection.

look out. (1)

RackinFrackin (152232) | more than 7 years ago | (#15732059)

Beware of any tags that contain the string "Execute Order 66"

No expects an RFID tag to send a SQL injection... (3, Interesting)

rickkas7 (983760) | more than 7 years ago | (#15732067)

From the real paper [rfidvirus.org] : "No one currently expects an RFID tag to send a SQL injection attack or a buffer overflow."

I think the point of the research is that many RFID tags are read by closed or theortically isolated systems like inventory control devices and pet identity scanners that probably have not been examined for the kinds of vulnerabilities that we (theoretically) look for Internet accessible servers.

While we have a mediocre system for updating Internet-based applications in the face of vulnerabilties, the prospect of updating piles of non-Internet accessible devices is indeed an issue.

Re:No expects an RFID tag to send a SQL injection. (0)

Anonymous Coward | more than 7 years ago | (#15732648)

Nobody expects the SQL injection attack!

The full article -- it's legit (4, Informative)

davecb (6526) | more than 7 years ago | (#15732091)

There is a PDF and also a complete discussion at http://www.rfidvirus.org/virus.html [rfidvirus.org] , breifly outlining "Replication Using Self-Referential Queries" and "Replication Using Quines".

For example,
Database systems usually offer a way to obtain the currently running queries for system administration purposes. However, these functions return queries as an normal string, which makes it possible to store them in the database, thereby replicating the query.

We have developed two versions of the virus, one that is contained in a single query, and one the requires multiple queries. The virus using a single query requires less features from the database, but cannot carry SQL code as a payload. The virus using multiple queries requires a database that supports this, but it does allow SQL code as a payload.

Details on the virus using self-referential queries can be found athttp://www.rfidvirus.org/exploits/sql_self/index .html

Maybe they're trying to hide the real problems (2, Interesting)

iabervon (1971) | more than 7 years ago | (#15732147)

It's possible that they put a virus on an RFID tag. You can also put a virus in a newspaper or transmit it by reading out a bunch of numbers. But that doesn't mean it will be received in a form that makes it do anything. Presumably, they've found a bug in some RFID-processing software similar to the bugs in lots of data-processing software. Of course, RFID systems are more likely to be completely immune to this sort of input-validation issue, because they're often designed to be full-packet binary database keys, and there is no invalid input that the reader can produce (sort of like how US postal bar codes always read as 11-digit numbers, and, while some of those numbers aren't used, they're always either a real place or no place, not something that breaks the system.

The real security issue is that it's trivial to clone an RFID tag. Using it for identification is like using a piece of paper that can be photocopied, except that the attacker doesn't have to swipe the paper to copy it. But if people only think about the non-fundamental and insignificant flaws with RFID, they can be distracted from the fact that it's entirely inappropriate in the first place.

Where can I get one of these? (1)

pla (258480) | more than 7 years ago | (#15732291)

Sweet!

I really want to know, though, where can I get just such a "viral" RFID tag to stick to the inside cover of my passport?

I just need to wrap the real passport in a modified tinfoil beanie, put the fake one on the outside of the beanie, and laugh heartily as people scan me and then go white in horror at the realization of what they just did to themselves. Bwa-hahahah!

/ only half kidding - I'd do this in a heartbeat if I had the hardware to program my own tags.

Barcodes next ? (1)

Wimmie (446910) | more than 7 years ago | (#15732349)

When can we expect the same story but using a barcode reader as inputdevice for the database ?

Re:Barcodes next ? (1)

aix tom (902140) | more than 7 years ago | (#15733090)

That's what I thought.

And since most systems which READ Barcodes also PRINT barcodes at some point You could even spread it on paper that way. ;-)

Re:Barcodes next ? (1)

Lehk228 (705449) | more than 7 years ago | (#15734007)

at work i crashed a portable barcode scanner/printer accidentally by missing what was in my hand and scanning a code printed on the side of a cardboard case.

Memory Spot (1)

Roy van Rijn (919696) | more than 7 years ago | (#15732429)

I've heard about this research about a year ago or something, and I can still draw the same simple conclusion:

RFID is read-only, a read-only virus can't spread, so it isn't a virus!

Unless you write a really really bad RFID-chip reader which can buffer-overflow and write in memory a simple RFID chip can't do any harm. So its also pretty safe to use...

Don't go thinking about infecting your local supermarket with a new RFID-virus, it'll never happen.

But while we're on it, have you guys heard about HP's Memory Spots [hp.com] ? Its a new kind of wireless chip. The connection is much faster then RFID and the memory size is bigger. The biggest gain is in the size, 2 mm to 4 mm square with a build in antenna!

Duplicate (0)

Anonymous Coward | more than 7 years ago | (#15732462)

This story is from March. It was covered on /. back then too.

http://it.slashdot.org/article.pl?sid=06/03/15/132 4233 [slashdot.org]

Completely Innacurate (3, Informative)

Philodoxx (867034) | more than 7 years ago | (#15732534)

First off this is basically a dupe of http://it.slashdot.org/article.pl?sid=06/03/15/132 4233 [slashdot.org] . It was innacurate when it was first reported and it's innacurate now.

Here is my reply from the original post and it applies here:

"There are a variety of standards on how RFID tags are encoded, all of which break down into partitioning the tag's data into segments to form the unique identifier

For the sake of argument I'll use EPC SGTIN96. In the SGTIN tag has four partitions: Filter, Company Prefix, Item Reference, and Serial Number. Each of these fields is of varying size depending on how big tag is. Typically RFID tags are 96 bits (although some tags can get up to 1Kbit), even using 7 bit ascii there's not a whole lot you can fit in 96 bits. When I poll the reader, or the middleware I'm getting back a number, e.g. 12345 and it's my responsibility to parse through that number to get the fields I'm interested in. In this scenario I would have to be doing some *very* sloppy programming to open myself to an SQL injection attack (something along the lines of treating known numeric data as a string).

ISO and EPC Gen 2 tags do support custom data, which I suppose could be used to store strings but since it is severely space constrained (typically in the range of 2-32 bytes) I question the viability of such an attack. Not to mention that the field will likely be used to writing in ids instead of human readable data. Finally, it is common to encrypt the custom payload on an rfid tag. So even if somebody were to change it to "AND 1 = 1" it would be caught when the program tries to decrypt the tag."

An RFID tag contains just a number; newer RFID tags have support for custom payload but 99% of RFID tags are so space constrained that nobody would put raw strings in the tag. I spent a good chunk of last year devleloping RFID applications and not once did I do a straight lookup on the database from data I pulled from the RFID tag. So while I guess this classifies as a vulnerability somebody who does straight database lookups using RFID tag data will bring down the company long before an RFID tag exploit will.

"The" Andrew S. Tannenbaum (2, Insightful)

x-guru (653854) | more than 7 years ago | (#15732672)

I just wanted to point out that the "Computer Science professor" mentioned in the /. blurb is "The" Andrew S. Tannenbaum, inventor of minix, and author of several textbooks used in Computer Science programs nationwide.

Personally, I would not have posted that article without attaching these links. Tannenbaum is a key player in modern computer science research and education.

Check out his homepage [cs.vu.nl]
and his Wiki [wikipedia.org] biography.

Do RFID tags run Minix? (1)

Fox_E_Mama (902833) | more than 7 years ago | (#15734239)

Yes, one of the advantages of a microkernel is that you can do things like run Minix on an RFID tag -- for educational purposes only, of course... But with a macrokernel such as embedded Linux you can network your RFID tags and create a supercomputer that calculates your inventory for you! Don't even try running Windows CE on these things. You think you have viruses now?

Not really possible on modern RFID systems. (2, Informative)

510madness (989406) | more than 7 years ago | (#15732685)

Unless I missed something obvious (happens), I don't think this is a serious issue...

1) Most malicious SQL statements (i.e ";DELETE FROM USERS;") require more than 64-96 bits, the current standard for RFID tags.

2) Any RFID software system that is compliant with EPCglobal's Tag Data Specification (http://www.epcglobalinc.org) is inherently "immune" to this issue. The TDS spec defines several tag formats for use in software systems that require the tag's binary data to be in hexadecimal or decimal format and futhermore treated as a URI. e.g. urn:epc:raw:64.1234567890. Simply encoding a tag with ";DELETE FROM USERS;" will not cause any damage in an EPCglobal-compliant RFID system because the binary data read from the tag is never used in ASCII format, just decimal and hex.

3) Futhermore, the TDS specifies exactly which bits are to be used for various 'fields' such as 'company', 'item', 'serial number' etc. Most RFID systems perform operations on each field seperately, so any SQL statement would be broken up; ";DELETE FROM USERS;" could become something like ";DELE"."TE FROM"." USERS;". Again this doesn't matter so much because the data is never used in ASCII format, only Hex/Decimal.

In English....

ASCII: ";DELETE FROM USERS;"
Binary: 001110110100010001000101010011000100010101010
100010001010010000001000110010100100100111101
001101001000000101010101010011010001010101001
00101001100111011 (153bits, impossible to fit on Gen1 tags!)
Decimal: 59686976698469327082797732858369828359
URI: urn:epc:raw:153.5968697669846932708279773285836982 8359

As you can see, the URI form of the tag is pretty harmless. :)

And the last time you checked your mail was . . . (1)

ChairmanREG (989429) | more than 7 years ago | (#15732915)

While we appreciate the information, recycling a story every four months is rather counter-productive. The BBC article was dated 15 March 2006 on the same day that the paper was delivered at the Fourth Annual IEEE International Conference on Pervasive Computing and Communications (PerCom) in Pisa, IT. The AIM Global RFID Experts Group (REG) were meeting at the same time in Kyoto that the paper was presented. We respectfully request that Slashdot readers take the opportunity to read our response and proceed with any other questions that you might have on this technology. Our response is posted at http://www.autoid.org/RFID_Experts/rfid_experts.ht m [autoid.org] Warmest regards! Craig K. Harmon Chairman, RFID Experts Group (REG) craig.harmon@qed.org

How to hack the system (1)

houghi (78078) | more than 7 years ago | (#15732961)

I can imagine a situation in LAX or any other large airport, if possible all over the world at the same time:

Sorry, I do not care if you say who you are. The computer who checks the RFID in your passport is telling me to put you under arrest and transport you to Guantanamo. Yes, I know that the same happend to anybody with a passport that has an RFID.

That's Odd.... (1)

penguin_dance (536599) | more than 7 years ago | (#15733085)

I thought the RFID tags WERE the virus!

Tag data no different than web input boxes. (1)

master_p (608214) | more than 7 years ago | (#15733155)

As pointed by other posters, you need validation of tag data before the data reach the database. I have some experience in the field, but I never saw tags with so much memory. The largest I've seen is 128 bits (not bytes).

The Java application I work on uses prepared statements, and according to the Java specs, input data are checked for invalid SQL...therefore code injection is not possible.

I assume other frameworks will offer similar techniques.

Consumer Groups? (1)

Snowtide (989191) | more than 7 years ago | (#15733235)

This is not a technical issue but I found it humorous. A known flaw like this and consumer groups are mentioned as a threat to take advantage of it? Surely they can come up with a better first suspect than that. Bored /.s for starters. :)

Just think of all of the evil things you could do. (1)

eviljolly (411836) | more than 7 years ago | (#15733242)

Like get free EZ-TAG!!!

Wait, this should be the second wake up... (0)

Anonymous Coward | more than 7 years ago | (#15733356)

Does anyone remember the whole deal w/ the gas rfid chips. They were cracked by some researchers. With some equipment in their backback, they could essentially buy gas with someone elses identity. RFID TAGS ARE SIMPLY NOT SECURE ENOUGH TO STORE ANY AMOUNT OF PERSONAL INFORMATION.

Ya, damned RFID (1)

dilvish_the_damned (167205) | more than 7 years ago | (#15733727)

And I hate the way my keyboard handles my drunk posts. It like, does no validation whatsoever. Damned keyboard.
I wish they would build a more secure keyboard.

Who ever wrote that crap? (1)

rrohbeck (944847) | more than 7 years ago | (#15734319)

FTFA: The researchers showed how to get round the limited computational abilities of the smart tags to use them as an attack vector and corrupt databases holding information about what a company has in storage.

Whoever wrote the RFID reading code needs to be shot. Or at least fired and sent back to college.
"Oh yeah, we have an externally read binary string here, let's rely on its structure and assume it is always what we expect." Sweet.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...