RFID use has risen significantly in both the commercial and security markets due to its ability to track mobile workers and vital equipment in real time. However, according to a new study presented at the annual Pervasive Computing and Communications Conference in Pisa, Italy, RFID tags may be susceptible to software viruses or malware. The paper, entitled Is Your Cat Infected With a Computer Virus?, suggests that computer viruses could spread from RFID tags through readers into poorly written middleware applications and backend systems and databases.
Until recently, experts did not foresee the possibility of a virus threat in RFID tags, since the tags hold a very small amount of memory—as little as 128 characters of information.
The paper was spearheaded by American computer scientist Professor Andrew S. Tanenbaum and was written by several graduate students and faculty members from the computer science department at Vrije University in Amsterdam. “We have not found specific flaws” in the commercial RFID software, said Tanenbaum in a recent press release, but “experience shows that software written by large companies has errors in it.”
The researchers acknowledged that in most cases, “inside information” would be required to plant malicious materials. “You’d need to get a copy of the software that the attack site was running on,” explained Tanenbaum in a phone interview. “It tends to not be terribly secret.”
Tanenbaum cited “buffer overflow,” a standard software coding error, as one that may also affect RFID programs. The error occurs when programmers temporarily set aside memory to make room for incoming information but do not check the size of the newly acquired data. Data larger than the space reserved for it can cause the program to break and “trick” the computer into running a malicious program.
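The coding error described above, shown as an added illustration that is not code from the paper or from any RFID product: a hypothetical middleware routine that stores a tag payload, once without a size check and once with it. The function names, the record layout and the use of 128 bytes as the expected tag capacity are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAG_MAX 128   /* tag capacity the middleware was written for (assumed) */

struct tag_record {
    char   data[TAG_MAX];
    size_t len;
};

/* Unchecked: trusts the length the reader reports. A tag that returns
 * more than TAG_MAX bytes makes memcpy write past the end of rec->data. */
int store_tag_unchecked(struct tag_record *rec,
                        const unsigned char *payload, size_t n)
{
    memcpy(rec->data, payload, n);        /* no bound check */
    rec->len = n;
    return 0;
}

/* Checked: anything that does not fit is rejected before the copy,
 * so the record is left untouched by an oversized payload. */
int store_tag_checked(struct tag_record *rec,
                      const unsigned char *payload, size_t n)
{
    if (rec == NULL || payload == NULL || n > sizeof rec->data)
        return -1;
    memcpy(rec->data, payload, n);
    rec->len = n;
    return 0;
}

int main(void)
{
    struct tag_record rec;
    unsigned char normal[16], oversized[512];   /* constructed sample payloads */

    memset(normal, 'A', sizeof normal);
    memset(oversized, 'B', sizeof oversized);

    printf("normal payload:    %d\n",
           store_tag_checked(&rec, normal, sizeof normal));
    printf("oversized payload: %d\n",
           store_tag_checked(&rec, oversized, sizeof oversized));
    return 0;
}
```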
Independent computer security specialists agree with the claim that RFID systems may become a serious security issue. Peter Neumann, a computer scientist at research firm SRI International, spoke about a number of RFID security problems in a recent press release, including inadequate identification of users, the risk of counterfeiting or disabling tags and weak encryption in a passport-tracking system currently being developed in the United States.
Industry reaction to the paper has been mixed. AIM Global, the trade association for automatic identification and mobility, is attempting to refute the claims made in Pisa. “Many of the basic assumptions in the paper overlook a number of fundamental design features necessary in automatic data collection systems and good database design,” said AIM Global President Dan Mullen. “Not surprisingly, poor system design, whether capturing RFID tag information, bar code information or keyboard-entered data, will create vulnerabilities.”
The researchers have posted their study on security issues and RFID at www.Rfidvirus.org.