Interesting People mailing list archives

NYT on RFID Viruses


From: David Farber <dave () farber net>
Date: Wed, 15 Mar 2006 14:09:12 -0500



Begin forwarded message:

From: Ross Stapleton-Gray <amicus () well com>
Date: March 15, 2006 2:02:14 PM EST
To: Dave Farber <dave () farber net>, "johnmac's living room" <johnmacsgroup () yahoogroups com>
Subject: NYT on RFID Viruses

John Markoff reports on a paper being presented today by researchers from the computer science department at Vrije Universiteit in Amsterdam, claiming that RFID tags can be infected with viruses:
http://www.nytimes.com/2006/03/15/technology/15tag.html

The examples given, though, seem rather fanciful, and there's a lot of blurring of technologies, e.g., Peter Neumann's quote that, "It shouldn't surprise you that a system that is designed to be manufactured as cheaply as possible is designed with no security constraints whatsoever," may be quite apt in describing early generations of tags, e.g., where all they are are passive beacons spitting out a unique serial to anyone who asks (hence aren't confidential, something like a screaming baby in a crowded restaurant), but it's a huge stretch to extrapolate from that that later tags will be easily "infectable," that readers will be shot through with buffer overflow errors, etc.

I think we'll find that the vast majority of RFID deployments are rather constrained... a baggage tag scanning system is going to spend all of its time, well, scanning bags. And that means looking for a specific format, reading it, and ignoring anything that isn't what you're looking for. Could a particular flavor of RFID reader being used in a baggage handling application have a buffer overflow bug? Perhaps, but easily checked. (And even were there such a fault, bootstrapping up into commandeering the baggage management system seems pretty ambitious, and, again, probably pretty easily detected.)

What is true is that there are a lot of areas of potential security and privacy risks with RFID; some are inherent in the technology (e.g., it's trivial to "counterfeit" a tag, for those tags intended to be cheap and simple, but you don't rely on the tag ID being uncopyable, you assume it can be, and use such tags only for the same things you'd use a print bar code for... retailers have had to deal with customers affixing bogus bar codes over real ones, and RFID will see the same threats) and others arise from how we engineer systems.

Very buggy operating systems on PCs, and even now on cell phones, should certainly cause us to be aware of the threat of viruses, but I'd rate viruses-via-RFID as only a little more plausible than picking up a book in the library and having your DNA remapped by random As, Cs, Gs and Ts from the text...

Ross


----
Ross Stapleton-Gray, Ph.D.
Stapleton-Gray & Associates, Inc.
http://www.stapleton-gray.com
http://www.sortingdoor.com
ross () stapleton-gray com





