RFID Viruses: Wake Up Call or Non-Story?
By Rick Moss
In the last week, since the release of a white paper written by a group of researchers from the University of Amsterdam describing the possibility of embedding RFID tags with code viruses, headlines have circled the globe and RFID experts have weighed in on the legitimacy of the threat.
As reported in rfidwatch weekly, on the “just hold on a minute” side are those who say there is not much relevance to the claims.
“It’s of hypothetical interest but not much more,” says Bill Colleran, president and CEO at Impinj, a maker of RFID tags and readers. “I think it’s been kind of overblown and I don’t anticipate that we’ll see much problem with viruses. There’s very little data on a tag and secondly, it’s data – not programmable code.”
Others point out that, although a technical possibility, fundamental design safeguards and procedures would certainly prevent such incidents – facts that were side-stepped by the authors of the white paper.
“In other words, the researchers built a system with a weakness and then proceeded to show how the weakness could be exploited,” commented Dan Mullen, president of AIM Global. “Not surprisingly, poor system design, whether capturing RFID tag information, bar code information or keyboard-entered data will create vulnerabilities.”
Nevertheless, some say that the researchers’ warnings are not without merit.
“Most systems that are out there today would not be vulnerable to these types of virus attacks because of the way they are architected,” says Jeff Woods, vice president of research at Gartner Inc. “However, in order to avoid these kinds of attacks, systems have to be properly implemented. And if people are not thinking about these types of security issues, the systems inevitably end up with these types of holes in them.”
Moderator’s Comment: Is the RFID virus theory nothing more than overblown speculation, or does it hold an important message for the industry to remain
vigilant?
As far fetched as an RFID virus may sound, hackers have a tendency to get even more inspired when experts say, “It can’t be done.” Somehow, I don’t think
we’ve heard the last of these scares. –
Rick Moss – Moderator
Any change, especially a revolutionary technology, will have hiccups and nay-sayers in the early stages. I bet the Stone Age man, upon discovering fire, proclaimed that it burned his fingers. Once the glitches are fixed and legitimate concerns are addressed, RFID will be a boon to everyone concerned.
Vigilance is wise, but I think the threat has been overblown. BTW, it is perfectly legal to smoke marijuana in Amsterdam.
My thoughts fit right in with the fire and catastrophe motif. There are two kinds of arsonists, those who burn for thrills and those who burn for money. Neither kind will deter us from building, and as we become more adept at locking up these criminals, there will be fewer of them. Same is true of malicious hackers, and what we are building electronically for the future.
Any programmable technology can potentially be compromised but that doesn’t mean we should dump all our computers, the Internet, etc. Fraud is an ancient business and, no matter what the system, there will be somebody out there who’ll figure a way around it.
Fire still burns my fingers but I keep grilling. If the cave man burned his fingers, it only affected one person but if RFID is manipulated, how many will it affect? This is the same old battle of staying ahead of the technology. This generation of the world will have more knowledge about building and hacking systems then any other before it. The real danger is with companies that push forward without thinking through the consequences. Companies have to build a prevention plan into every model. As for RFID, it is not going anywhere.
I’m sure the “RFID virus” scenario has very defensible technical (and socio-political) arguments as a basis, AND I do advocate reasonable “anticipatory security” at every turn in today’s crazy world, but I do ultimately land in the “overblown speculation” camp. There are very legitimate concerns, challenges, and trade-offs associated with every new technology … this will be no different, even though (technically) the technology isn’t really all that new! I wonder what the Amsterdam authors’ position is on “privacy issues.”
One thing we have seen with the rapid expansion of information technology is that if it can be done it will be done. There are enough hackers out there with a passionate dislike for big business that it seems inevitable that someone will succeed in embedding a bug in RFID. However, that does not suggest that RFID should be avoided. It just means the IT security industry has a new product category.
RFID tags are like barcodes, not computers on the internet. They are no more susceptible to viruses then barcodes. Since barcode has been around for 40 years, I would expect the first virus, which I do not believe is possible, will come from barcode, and as far as I know, nobody is worried about that possibility.
Clearly the professor, who is raising the fire alarm, is selling fire insurance. But, I don’t believe there is match big enough to start a fire.
Do you have to see your house on fire before you buy fire insurance? Many people don’t believe they’ll get viruses or worms in Macs, cell phones, or RFID tags. Of course, once they get a virus, they’ll believe they need protection. It never occurred to me that someone would destroy the World Trade Center, but when I stood on my roof and saw it, I realized that catastrophes can occur, even if they’re unlikely. So if we know it can happen, why not try to prevent it?
At first I said it couldn’t be done. Then I thought about it and realized exactly how it – could – happen. Then I realized that even if you did have the unique combination of events that allowed an RFID virus to exist, that the code processing the RFID code would probably crash on EVERY RFID code, not just the one’s that have a virus.
The biggest issue is simply that most viruses propagate by tricking people; that won’t work here since there are no people involved. So you’re stuck with the second most common approach – which is a buffer overrun. However, buffer overrun attacks tend to rely on variable length data, while RFID codes tend to be fixed length. Meaning that EVERY RFID code would cause a buffer overrun… so it would probably be caught in testing and never put into production, as it’s unlikely that a single code could be scanned successfully.
So there are no guarantees, but I would put the odds at closer to 1 in a billion, or even 1 in a trillion or less that there will ever be an RFID virus that amounts to anything. (Note that technologies other than RFID are a whole different matter – for example, phone texting and things built on it use variable length buffers, and are therefore ripe for buffer overruns in poorly written, unmanaged code.)