Basically, the authors say in their 10-page paper that RFID systems can be exploited; like all software, there's definite potential for vulnerabilities to be found and exploited in the software back end of the RFID system. [...] So what can be done to prevent problems? Technology experts have developed security precautions; however, they also point out there is little oversight of RFID systems, and often no testing requirements in place for these systems. That sure doesn't make me feel safe and secure.
It's interesting that the authors did not announce any specific vulnerabilities within current RFID software - they didn't even use current RFID software, they created their own. What they were able to do with their own software - and this is their point - was to demonstrate that if a vulnerability exists within the RFID software, that vulnerability could be exploited and used to inject malicious code into the back-end database. The authors were able to create an RFID virus, and previously, that was considered impossible.
Think of RFID viruses as virus-infected e-mail - same principle. As the e-mail moves from user to user, it infects files or databases that come into contact with it. An RFID-virus-infected piece of luggage, for example, could infect RFID-reader software at each airport terminal that scans the RFID label, thus crippling hundreds of airport databases in a few short hours. The same would be true of an infected RFID-enabled passport, a type of document that's set to take effect in the United States in October. Either of these events could shut down the entire system, create longer lines, and possibly delay flights. [...]
The RFID report authors also worry that corporations and governments are hastily considering merging whole databases behind RFID technology. [...] Shortly after the September 11 attacks, former Attorney General John Ashcroft proposed a megadatabase in the United States combining content from the Justice Department, the State Department, the IRS, and even health insurance companies and credit bureaus. Fortunately, Congress balked at the idea. Now, imagine if someone working on the U.S. Passport RFID system becomes disgruntled and knows how to exploit a buffer overflow on the system when it comes online this October. It's one thing to cripple or compromise the State Department's database, but it's another when you start spreading the mess to credit bureaus and such.
Friday, March 24, 2006
RFID Tags Vulnerable to Viruses
The Mayor of Simpleton recently reported that RFID tags are being used by employers to monitor employees' movements (raising privacy issues), millions of pets have the chips embedded under their skin, and Wal-Mart requires its top 100 suppliers to apply RFID labels to all shipments. Now comes a story about the dark side of RFID tags: Psst. Your Shiny New Passport Has A Computer Virus.