A paper presented by Melanie Rieback, a third-year Amsterdam's Vrije Universiteti PhD student, at the IEEE conference in Pisa, Italy, on Wednesday sent waves through the radio frequency identification (RFID) technology industry.
Rieback's paper "Is Your Cat Infected with a Computer Virus?" suggests computer viruses could spread from RFID tags through readers into poorly written middleware applications and into enterprise backend systems and databases. Rieback "artificially" created a virus, rather than find vulnerabilities in a deployed RFID system.
Industry reaction, while fast and furious in some cases, proved mixed, according to a series of interviews with TechWeb.
"With respect to the students involved, the paper as presented is rather weak," said Kevin Ashton, ThingMagic Inc. vice president, and co-founder of the Massachusetts Institute of Technology (MIT) Auto-ID Center. "The 'real' virus, they claim to demonstrate in the paper, is not a virus, just a self-replicating piece of SQL code."
The paper, however, does call attention to an obvious problem the software industry has faced for years. "Companies need to provide multi-level security and take responsibility for testing before releasing applications to the market," said Julie England, vice president at Texas Instruments Inc.
Those disagreeing with the research findings believe the paper assumes an architectural design not in use today. England calls attention to system-level inaccuracies. RFID tags store numbers, not executable code. The RFID reader expects the RFID tag to transmit numbers. Not an executable command. If a reader receives executable code via a virus, it's highly unlikely it would accept the data.
Consumer product goods and retail companies with RFID supply chain projects underway use electronic product code (EPC) RFID tags that have a 96-bit field. The majority have been assigned to manufacturers for codes to identify retail chain and product category.
"The student researchers think a database picks up the information from a tag and puts it in the buffer, and that's not what happens," said Jeff Woods, vice president of research at Gartner Inc. "Code intervenes, so the idea of SQL insertion is far fetched."
Woods attacked the EPCglobal example in the research paper, but said there are others in the paper that could theoretically play out. Buffer overflows, common sources of security vulnerabilities in software, in the middleware, for instance. "With a buffer overrun on the middleware I could take control of the middleware and get access to the rest of the system," Woods said. "These are very contrived assumptions of the systems actual architecture."
Some experts hope the paper presents a wake-up call. "This should curb enthusiasm and sober-up the industry to some of the technology's downsides, such as vulnerabilities exploited by hackers and viruses," said Katherine Albrecht, co-author of "SPYCHIPS: How Major Corporations and Government Plan to Track Your Every Move with RFID." "I hear from many people who dislike RFID and are willing to exploit vulnerabilities in the technology."
No doubt, the paper raises a legitimate point to secure the infrastructure. Woods said most companies rolling out a RFID infrastructure take a "deploy now, secure later" approach. The reality, for many means "deploy now, secure never."
"RFID has security challenges," Ashton admits. "This isn't one of them." This is a far fetched scenario requiring many improbable security holes to line up just so."