RFID World Still Reacting Strongly To Virus Research

["Richard M. Smith" <rms () bsf-llc com>]

RFID World Still Reacting Strongly To Virus Research 


A researcher who suggests that computer viruses could be spread by RFID
technology sets off a firestorm of debate. Industry sources weigh in.



By Laurie Sullivan,  
March 16, 2006 
URL:
http://www.informationweek.com/story/showArticle.jhtml?articleID=183700423
<http://www.informationweek.com/story/showArticle.jhtml?articleID=183700423>





A paper presented by Melanie Rieback, a third-year Amsterdam's Vrije
Universiteti PhD student, at the IEEE conference in Pisa, Italy, on
Wednesday sent waves through the radio frequency identification (RFID)
technology industry. 


Rieback's paper "Is Your Cat Infected with a Computer Virus?" suggests
computer viruses could spread from RFID tags through readers into poorly
written middleware
<http://www.techweb.com/encyclopedia/defineterm.jhtml?term=middleware&x=&y=>
applications and into enterprise backend systems and databases. Rieback
"artificially" created a virus, rather than find vulnerabilities in a
deployed RFID
<http://www.techweb.com/encyclopedia/defineterm.jhtml?term=RFID&x=&y=>
system. 


Industry reaction, while fast and furious in some cases, proved mixed. 


"With respect to the students involved, the paper as presented is rather
weak," said Kevin Ashton, ThingMagic Inc. vice president, and co-founder of
the Massachusetts Institute of Technology (MIT) Auto-ID Center. "The 'real'
virus, they claim to demonstrate in the paper, is not a virus, just a
self-replicating piece of SQL
<http://www.techweb.com/encyclopedia/defineterm.jhtml?term=SQL&x=&y=>
code." 


The paper, however, does call attention to an obvious problem the software
industry has faced for years. "Companies need to provide multi-level
security and take responsibility for testing before releasing applications
to the market," said Julie England, vice president at Texas Instruments Inc.



Those disagreeing with the research findings believe the paper assumes an
architectural design not in use today. England calls attention to
system-level inaccuracies. RFID tags store numbers, not executable code. The
RFID reader expects the RFID tag
<http://www.techweb.com/encyclopedia/defineterm.jhtml?term=tag&x=&y=>  to
transmit numbers. Not an executable command. If a reader receives executable
code via a virus, it's highly unlikely it would accept the data. 


Consumer product goods and retail companies with RFID supply chain projects
underway use electronic product code (EPC) RFID tags that have a 96-bit
field. The majority have been assigned to manufacturers for codes to
identify retail chain and product category. 


"The student researchers think a database picks up the information from a
tag and puts it in the buffer, and that's not what happens," said Jeff
Woods, vice president of research at Gartner Inc. "Code intervenes, so the
idea of SQL insertion is far fetched." 


Woods attacked the EPCglobal example in the research paper, but said there
are others in the paper that could theoretically play out. Buffer
<http://www.techweb.com/encyclopedia/defineterm.jhtml?term=Buffer&x=&y=>
overflows, common sources of security vulnerabilities in software, in the
middleware, for instance. "With a buffer overrun on the middleware I could
take control of the middleware and get access to the rest of the system,"
Woods said. "These are very contrived assumptions of the systems actual
architecture." 


Some experts hope the paper presents a wake-up call. "This should curb
enthusiasm and sober-up the industry to some of the technology's downsides,
such as vulnerabilities exploited by hackers and viruses," said Katherine
Albrecht, co-author of "SPYCHIPS: How Major Corporations and Government Plan
to Track Your Every Move with RFID." "I hear from many people who dislike
RFID and are willing to exploit vulnerabilities in the technology." 


No doubt, the paper raises a legitimate point to secure the infrastructure.
Woods said most companies rolling out a RFID infrastructure take a "deploy
now, secure later" approach. The reality, for many means "deploy now, secure
never." 


"RFID has security challenges," Ashton admits. "This isn't one of them."
This is a far fetched scenario requiring many improbable security holes to
line up just so." 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.