Three computer science researchers are warning that viruses embedded in RFID (radio frequency identification) tags are right around the corner.
No RFID viruses have been released “into the wild” so far, according to the researchers at Vrije Universiteit Amsterdam in the Netherlands. But RFID tags have several characteristics that could be engineered to exploit vulnerabilities in middleware and back-end databases, they say.
“RFID malware is a Pandora’s box that has been gathering dust in the corner of our ‘smart’ warehouses and homes,” the researchers say in a paper they co-authored.
Potential attacks could come in the form of a SQL injection or a buffer overflow attack even though the tags themselves may only store a small bit of information, they say. For demonstration purposes, the researchers created a proof-of-concept, self-replicating RFID virus.
It only took Patrick Simpson, a master’s student at the university, four hours to write a virus small enough to fit on a RFID tag, something previously thought unworkable, says Andrew Tanenbaum, a professor at the university. RFID tags can contain as little as 114 bytes of memory, he says.
Tanenbaum expects vendors to be angry about the publishing of the code, as they have dismissed the possibility of RFID viruses, saying that the amount of memory in the tags is too small, he claims.
“You publish all of the code on the website, and all of [a] sudden, [vendors] are going to start panicking,” Tanenbaum says. “This hopefully will make them take it seriously. This is a wake-up shot before this stuff is deployed in a large scale.”
The purpose of the exercise, the authors say, is to encourage RFID middleware designers to be more careful when writing code. Back-end middleware can contain millions of lines of source code, and if software faults number between six to 16 per 1,000 lines of code, the programs are likely to have many vulnerabilities, the paper says.
RFID tags are increasingly being used in a variety of industries to track items and give a real-time view of inventories. The tags contain data on a particular object or, in some cases, embedded in animals, and that data is typically stored in a database.
Companies can save money by using the tags to keep closer tabs on their property. However, this “pervasive computing utopia” has its dark side, the authors say.
RFID systems may be attractive to criminals because the data contained on them may have a financial or personal nature, such as information stored on digital passports. In addition to causing damage to computer systems, RFID malware may have an effect on real-world objects, the paper says.
Airports are looking to RFID tags to better track baggage. But Tanenbaum says this application could pose a large problem if an RFID tag is read and delivers a much larger set of data in return.
A false tag on a piece of baggage could exploit a buffer overflow, delivering a virus to the RFID middleware, he says. Once the virus code is on the server, it can infect the databases and corrupt subsequent tags or install “backdoors” — small programs that allow for the extrication of data over the internet, he says. “You can hide baggage, [or] reroute baggage to the wrong place — all kinds of mischief. That’s I think a very, very serious thing that even has national security implications.”