Fluffy Doesn’t Feel So Good: When Bad Computer Viruses Infect Good Dogs
Posted by Kaustuv Das
Earlier I had reported on Professor Shamir’s announcement at RSAConference 2006 that it is possible to kill RFID tags using power consumption based attacks. Now, Melanie Rieback, Bruno Crispo, and Andrew Tanenbaum, all from the Computer Systems Group at the Free University of Amsterdam, have announced that it is possible to spread computer viruses and worms using RFID tags.
In a paper submitted to the IEEE’s Fourth Annual International Conference on Pervasive Computing and Communications, the authors give a detailed explanation of how to program a self-replicating RFID virus. The main idea behind RFID viruses and worms is that it is fairly easy to program RFID tags with commercially available writers and that it will be easy to attack the middleware and databases using the very readers that are set up to read the tags. The paper explains that programmers can use RFID tags to attack the back-end middleware utilizing the following types of exploits: buffer overflows, code insertion, and SQL injection. The associated website—RFID Viruses and Worms—gives a step-by-step tutorial for creating RFID viruses and worms.
Ms. Rieback, Mr. Crispo, and Mr. Tanenbaum acknowledge the danger of making such detailed instructions so readily available to the public, but explain that “it has been our experience that when talking to people in charge of RFID systems, they often dismiss security concerns as academic, unrealistic, and unworthy of spending any money on countering, as these threats are merely ‘theoretical.’ By making code for RFID ‘malware’ publicly available, we hope to convince them that the problem is serious and had better be dealt with, and fast.”
The authors provide some examples of how RFID malware could be used to disrupt commerce, but ignore the very real threat of the havoc RFID malware could play on national security as the United States moves towards passports with RFID tags embedded in them. Although I question whether it makes a lot of sense to provide a tutorial on creating RFID malware in an attempt to prevent RFID malware, I do hope that publishers of RFID middleware take Ms. Rieback, Mr. Crispo, and Mr. Tanenbaum up on their offer to lock down the middleware against well-known and well-understood attacks. Otherwise, in their words, “[p]eople will never have the luxury of blindly trusting the data in their cat again.”