Three computer researchers created a stir Wednesday when they released a paper at a conference in Pisa, Italy, describing how to infect Radio Frequency Identification (RFID) tags with a computer virus, but the likelihood of a digital disease rampaging through the world’s supply chains is slim, at least for now.
“The likelihood of something like this occurring is extremely low at this point,” Ray Wagner, a research vice president at the Gartner Group in Stamford, Conn., told the E-Commerce Times. “I don’t expect some kind of RFID virus to appear in the wild anytime soon.”
He acknowledged, however, that as RFID tags begin to replace bar codes as a means to identify products and insinuate themselves into other applications such as passport identification and credit card validation, the threat of a tag-born virus will increase.
“As we move toward commoditization,” he said, “if 1,000 companies buy an RFID tracking system and that system has a flaw in it that could be exploited by a virus small enough to fit on an RFID [tag], it is certainly possible that someone might attack those systems.”
In their paper, the trio of researchers from Vrije Universiteit Amsterdam — Andrew S. Tanenbaum, Bruno Crispo and Melanie R. Rieback — argued that RFID malware is a “Pandora’s box” for the industry.
“While the idea of RFID viruses has surely crossed people’s minds, the desire to see RFID technology succeed has suppressed any serious consideration of the concept,” they wrote.
“Furthermore,” they added, “RFID exploits have not yet appeared ‘in the wild’ so people conveniently figure that the power constraints faced by RFID tags make RFID installations invulnerable to such attacks.”
A particular target of the researchers was RFID middleware.
“This paper is meant to serve as a warning that data from RFID tags can be used to exploit back-end software systems,” the threesome wrote. “RFID middleware writers must therefore build appropriate checks … to prevent RFID middleware from suffering all of the well-known vulnerabilities experienced by the Internet.”
While some kinds of RFID tags may be ripe for infection, others are less likely to be so, according to Ken Traub, CTO for RFID for BEA Systems, which makes RFID middleware.
Speaking to the E-Commerce Times from BEA’s offices in Burlington, Mass., Traub explained that “passive” RFID tags are not much more than a radio version of a bar code.
“It’s not possible for a tag to deliver any software, virus or malicious agent because all it has on it is a 96-bit number,” he contended.
However, Gartner security expert Wagner noted, “Ninety-six bits is pretty small, but we’ve seen some viruses not significantly larger than that.”
According to the researchers, middleware exploitation requires ingenuity, not resources.
“The manipulation of less than [1000 bits] of on-tag RFID data can exploit security holes in RFID middleware, subverting its security, and perhaps even compromising the entire computer, or the entire network!” they wrote.
In their paper, they asserted that RFID tags can be used for a number of security exploits including creating buffer overflows, code insertions and SQL injections.
“The risks of RFID technologies are quite diverse,” Peter Neumann, a computer scientist with SRI International in Menlo Park, Calif., told the E-Commerce Times.
“It’s not just one class of risk,” he said. “This is a huge problem waiting to happen.”
Other risks are far less exotic than computer viruses, but can be equally dangerous. “How do you know that the chip on a container when it arrives in the United States is the same chip as was there when it was shipped?” Neumann asked. “Typically, you don’t.”
Security will be an important concern if RFID is to flourish, according to Erik Michielsen, director for RFID and M2M research at ABI Research in Oyster Bay, N.Y.
“Security is incredibly important to the overall market’s success and viability,” he told the E-Commerce Times.
“Security concerns have been typically raised in all end technology markets,” he observed. “Wireless networking, client-server computing, peer-to-peer computing — all have had security issues arise and the information technology industry and the software industry have made it one of their core priorities to stay on top of these issues as they come into play and address them.”