RFID tags and the software used to track them can be used to spread potentially harmful viruses and worms, according to research presented yesterday.
In a paper entitled Is your cat infected with a computer virus? presented before the IEEE International Conference on Pervasive Computing, three Netherlands-based researchers show how RFID tags can carry malware and propagate via databases along the supply chain.
The security breaches that RFID deployers dread most – RFID malware, RFID worms, and RFID viruses – are right around the corner, wrote the study’s principle researcher, Melanie Rieback, an American PhD student at Vrije university in Amsterdam.
The sky is not falling, of course, and the paper’s main message seems to be that RFID software should not implicitly trust the data it pulls off RFID tags. It should be subject to the same security check as any potentially untrustworthy user input.
The paper’s title refers to a hypothetical scenario outlined in the paper’s introduction, in which a household pet implanted with an infected RFID tag is able to spread an infection to a veterinarian’s computer system, with damaging consequences.
Rieback, and fellow researchers Bruno Crispo and Andrew Tanenbaum, found they were able to execute an SQL injection attack against an Oracle database and Apache web server using 127 characters of data stored on a cheap RFID tag.
SQL injection attacks are well-known from the web applications world. Using escape characters and SQL queries, crackers are sometimes able to interface directly with a back-end database, amending or deleting data as they see fit.
In Rieback’s scenario, the virus uses SQL injection to write itself to a database whenever the infected tag is scanned. In a real-world scenario, this scan could happen when a pallet of goods arrives at a store or warehouse. New tags entering the system would have the viral code written to them.
The manipulation of less than 1 Kbits of on-tag RFID data can exploit security holes in RFID middleware, subverting its security, and perhaps even compromising the entire computer, or the entire network, she wrote.
Rieback’s paper outline a few other types of attack that could work from RFID tags. Even though RFID tags are limited in the amount of data they can store, she found that buffer overflow attacks are even possible, due to looping commands permitted by the RFID spec.
The research could open intriguing new possibilities in the field of virus propagation research.
Old floppy disk viruses spread along social networks, as friends and colleagues physically swapped disks and used them on their own computers. In a similar way, mobile phone viruses that spread via Bluetooth also require physical proximity to spread, much like their biological counterparts.
Email worms also spread along social lines, but over greater distances, using their victim’s address books to find targets. Network worms have tended to have simple algorithms for randomly generating IP addresses to attempt to spread to.
There are not believed to be any recorded cases of malware designed to spread along the supply chain, but the new research seems to indicate that is at least a possibility.