RFID World Still Reacting Strongly To Virus Research - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


RFID World Still Reacting Strongly To Virus Research

A researcher who suggests that computer viruses could be spread by RFID technology sets off a firestorm of debate. Industry sources weigh in.

A paper presented by Melanie Rieback, a third-year Amsterdam's Vrije Universiteti PhD student, at the IEEE conference in Pisa, Italy, on Wednesday sent waves through the radio frequency identification (RFID) technology industry.

Rieback's paper "Is Your Cat Infected with a Computer Virus?" suggests computer viruses could spread from RFID tags through readers into poorly written middleware applications and into enterprise backend systems and databases. Rieback "artificially" created a virus, rather than find vulnerabilities in a deployed RFID system.

Industry reaction, while fast and furious in some cases, proved mixed, according to a series of interviews with TechWeb.

"With respect to the students involved, the paper as presented is rather weak," said Kevin Ashton, ThingMagic Inc. vice president, and co-founder of the Massachusetts Institute of Technology (MIT) Auto-ID Center. "The 'real' virus, they claim to demonstrate in the paper, is not a virus, just a self-replicating piece of SQL code."

The paper, however, does call attention to an obvious problem the software industry has faced for years. "Companies need to provide multi-level security and take responsibility for testing before releasing applications to the market," said Julie England, vice president at Texas Instruments Inc.

Those disagreeing with the research findings believe the paper assumes an architectural design not in use today. England calls attention to system-level inaccuracies. RFID tags store numbers, not executable code. The RFID reader expects the RFID tag to transmit numbers. Not an executable command. If a reader receives executable code via a virus, it's highly unlikely it would accept the data.

Consumer product goods and retail companies with RFID supply chain projects underway use electronic product code (EPC) RFID tags that have a 96-bit field. The majority have been assigned to manufacturers for codes to identify retail chain and product category.

"The student researchers think a database picks up the information from a tag and puts it in the buffer, and that's not what happens," said Jeff Woods, vice president of research at Gartner Inc. "Code intervenes, so the idea of SQL insertion is far fetched."

Woods attacked the EPCglobal example in the research paper, but said there are others in the paper that could theoretically play out. Buffer overflows, common sources of security vulnerabilities in software, in the middleware, for instance. "With a buffer overrun on the middleware I could take control of the middleware and get access to the rest of the system," Woods said. "These are very contrived assumptions of the systems actual architecture."

Some experts hope the paper presents a wake-up call. "This should curb enthusiasm and sober-up the industry to some of the technology's downsides, such as vulnerabilities exploited by hackers and viruses," said Katherine Albrecht, co-author of "SPYCHIPS: How Major Corporations and Government Plan to Track Your Every Move with RFID." "I hear from many people who dislike RFID and are willing to exploit vulnerabilities in the technology."

No doubt, the paper raises a legitimate point to secure the infrastructure. Woods said most companies rolling out a RFID infrastructure take a "deploy now, secure later" approach. The reality, for many means "deploy now, secure never."

"RFID has security challenges," Ashton admits. "This isn't one of them." This is a far fetched scenario requiring many improbable security holes to line up just so."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The State of IT & Cybersecurity Operations 2020
The State of IT & Cybersecurity Operations 2020
Download this report from InformationWeek, in partnership with Dark Reading, to learn more about how today's IT operations teams work with cybersecurity operations, what technologies they are using, and how they communicate and share responsibility--or create risk by failing to do so. Get it now!
IT Spending Forecast: Unfortunately, It's Going to Hurt
Jessica Davis, Senior Editor, Enterprise Apps,  5/15/2020
Helping Developers and Enterprises Answer the Skills Dilemma
Joao-Pierre S. Ruth, Senior Writer,  5/19/2020
Top 10 Programming Languages in Demand Right Now
Cynthia Harvey, Freelance Journalist, InformationWeek,  4/28/2020
Register for InformationWeek Newsletters
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll