Friday, March 24, 2006

RFID Tags Vulnerable to Viruses

The Mayor of Simpleton recently reported that RFID tags are being used by employers to monitor employees movements (raising privacy issues), millions of pets have the chips embedded under their skin, and Wal-Mart requires its top 100 suppliers to apply RFID labels to all shipments. Now comes a story about the dark side of RFID tags: Psst. Your Shiny New Passport Has A Computer Virus.
Basically, the authors say in their 10-page paper that RFID systems can be exploited; like all software, there's definite potential for vulnerabilities to be found and exploited in the software back end of the RFID system. [...]

It's interesting that the authors did not announce any specific vulnerabilities within current RFID software - they didn't even use current RFID software, they created their own. What they were able to do with their own software - and this is their point - was to demonstrate that if a vulnerability exists within the RFID software, that vulnerability could be exploited and used to inject malicious code into the back-end database. The authors were able to create an RFID virus, and previously, that was considered impossible.

Think of RFID viruses as virus-infected e-mail - same principle. As the e-mail moves from user to user, it infects files or databases that come into contact with it. An RFID-virus-infected piece of luggage, for example, could infect RFID-reader software at each airport terminal that scans the RFID label, thus crippling hundreds of airport databases in a few short hours. The same would be true of an infected RFID-enabled passport, a type of document that's set to take effect in the United States in October. Either of these events could shut down the entire system, create longer lines, and possibly delay flights. [...]

The RFID report authors also worry that corporations and governments are hastily considering merging whole databases behind RFID technology. [...] Shortly after the September 11 attacks, former Attorney General John Ashcroft proposed a megadatabase in the United States combining content from the Justice Department, the State Department, the IRS, and even health insurance companies and credit bureaus. Fortunately, Congress balked at the idea. Now, imagine if someone working on the U.S. Passport RFID system becomes disgruntled and knows how to exploit a buffer overflow on the system when it comes online this October. It's one thing to cripple or compromise the State Department's database, but it's another when you start spreading the mess to credit bureaus and such.
So what can be done to prevent problems? Technology experts have developed security precautions; however, they also point out there is little oversight of RFID systems, and often no testing requirements in place for these systems. That sure doesn't make me feel safe and secure.


His Honor the Mayor said...

This stuff really scares me. In the past, I have usually scoffed at people telling tales of "Big Brother" being around the corner, (my aunt thought that the advent of cable tv in the early 80's would usher him in), but this stuff really has the potential of erasing any sense of privacy completely.

Kvatch said...

The whole "Virus in RFID tags" issue is a bunch of MSM "It makes good copy so let's print it" hoohaa.

Setting aside that an RFID virus might breach the confidentiality of personal data in an RFID tag, as with your passport, the real issue is that many aggregated databases are already suseptable to intrusion. And in that sense, the RFID problem is no more serious than the existing problem of 100,000's of MS SQL Server DBMSs being crippled due to the latest exploited vulnerability.

Despite the additional vector, the problem still has to be solved in easiest, soundest, and most cost effective manner--In the database management system software itself. This becomes even more important with the creation of the "mega" databases that you describe.

Having the MSM focus on the vector is what Bruce Schneier of Schneier on Security refers to as, "responding to a movie plot threat".

His Honor the Mayor said...

Gee...thanks for clearing that up for us kvatch.

Kathy said...

Kvatch, the virus issue may be hoohaa as you say, but if it lights a match under people to implement more oversight and testing that's good.

The Department of Defense is the largest user of these tags next to Wal-Mart. If a virus exploits their inventory or shipping containers during critical circumstances, couldn't that be dangerous, especially if they're shipping urgent medical supplies, weapons, etc.?

I'm not a computer expert, but it seems to me a disgruntled employee could wreck a lot of havoc through the financial world with one of these viruses. And just imagine the panic it would cause across the country if all our major airports were compromised at the same time.

The media may indeed be blowing this out of proportion, and the viruses may not result in any danger to our country or safety, but I still think an ounce of prevention is in store - just in case.

Also, Mayor, I agree with you about the privacy issues. I'd never work for an employer who required me to wear one of the tags. It's bad enough that security cameras are focused on us whenever we're in public. I've seen first hand how security personnel can abuse their privileges. The guards at a department store I once worked for used to zoom in on women who wore low cut tops, and one guard used to make sure he was on the cameras whenever a certain female came into or left the store - and it wasn't because she was a shoplifter! This is a benign example, but I think there are people who have the potential to exploit their positions and take advantage of these cameras, tags, etc.

Kvatch said...

...couldn't that be dangerous, especially if they're shipping urgent medical supplies, weapons, etc.?

Kathy, sorry for not getting back to this for a bit. You're right, it can be dangerous...very dangerous. But what I was trying to point out was that focussing on the RFID tags and their vulnerabilities is the wrong focus.

The solutions to securing critical resources, especially computer resources, need to be applied near the resources. It is possible to implement reliable security and privacy controls on databases but very heard to attempt to secure every kind of device that communciates with a critical database. In an environment where money and will to secure our infrastructure is limited, we need to make sure that the focus is on a solvable problem.

Kathy said...

Thanks for clearing that up for me, Kvatch. Now I understand, and I agree. The focus should be on safeguarding the databases instead of worrying about the tags.