While some might say that RFID technology itself is a virus set to spread the earth (a demonic one at that, according to a few), a recent investigation by security researchers has revealed that RFID tags could be used to spread computer viruses. But is the threat of a virus from an RFID tag real, or will they be stopped before they ever become an issue?
First, a quick lesson on RFID, for those of you not keeping up with the times. RFID (Radio Frequency IDentification) tags, are tiny devices which, when activated, send out a string of data to a receiving device.
There are a number of different types of RFID tag. Some receive an activation radio signal from a reading device, collect power from that very signal, and use it to power the transmission of their response. They have no internal power, and are known as passive. Then we have semi-passive, which have their own power supply, but await a signal before sending out their message. Finally there's active, which sends out a beacon every now and then, using its own power source.
Manufacturing costs mean that passive RFID tags are the most commonly available, but what are they used for? The biggest application is stock control. Think of an RFID tag as a barcode. Scanning the barcode, or RFID tag, returns to the reading device a unique ID string, which can then be looked up in the stock-control database. Other applications include security, with a small number of companies now requiring staff to have on their person (sometimes even implanted) an RFID tag that grants them access to a secure area.
When RFIDs attack
RFID tags can be tiny; we're talking rice grain size, so in theory they could be anywhere and everywhere, which for some raises privacy concerns. Those concerns aside, however, what about viruses? How can a tiny device, the majority of which are passive, spread viruses?
BBC News is today reporting that a team of researchers have managed to write a 127-character long string to an RFID chip that, when read and processed by the back-end database software, can cause database corruption. So, any time an 'infected' tag is read, database corruption could occur, ultimately causing havoc, possibly across multiple databases. Hilariously, the BBC article includes a picture of a bunch of cat food cans, suggesting that your groceries could be the next cause of catastrophic computer meltdown.
Although this sounds like a nasty situation, I don't think RFID is going to be causing any huge issues for a while, provided we're sensible about a few things. The wording of the aforementioned story suggests that the data encoded onto the RFID tag exploited the fact that the reader, or subsequent software, wasn't checking the validity or integrity of the string read from the tag. This is akin to code designed to cause buffer overflows, or SQL code injections... all the types of attack that exploit what is usually lazy, or careless programming. Indeed, upon a quick perusal of the actual research paper, the attack was an SQL code injection.
Providing the software using the RFID tag strings is written properly, I see no reason why a malformed (corrupted or constructed) string would ever have to cause a problem. However, it is important that this issue is fixed, as it could just as easily be a corrupt tag causing havoc as it could be a malicious RFID programmer. That's not to say plugging holes like this is the easiest job in the world... all good programmers know that no piece of software is without bugs.
There are some interesting things to think about when it comes to how an RFID virus might spread. Perhaps the tags could reprogram each other, replicating the virus to any tag within range. That could be a pain. Then, providing the tag had enough memory (give them time) it could perhaps inject malicious code into the device that's reading it, or software sat behind it, to get some other form of nasty spreading around 'higher-level' computing devices... the RFID acting as the virus seed.
Indeed, there are a number of possibilities, some feasible, others a little more 'sci-fi' than practical. Still, the discovery made by the researchers isn't going to harm the future of RFID (like it or not,) providing how RFID tags are read and processed is controlled.
Am I missing something here? Do you agree with me, or do you have a different angle to put on the threats from RFID viruses? Let's hear your opinion in the HEXUS.community.
HEXUS.links
BBC News :: Viruses leap to smart radio tags
Wikipedia :: RFID
RFIDvirus.org :: Is your cat infected with a computer virus?