RFID World Still Reacting Strongly To Virus Research - InformationWeek
IoT
IoT
News
News
3/16/2006
05:41 PM
50%
50%
RELATED EVENTS
Faster, More Effective Response With Threat Intelligence & Orchestration Playboo
Aug 31, 2017
Finding ways to increase speed, accuracy, and efficiency when responding to threats should be the ...Read More>>

RFID World Still Reacting Strongly To Virus Research

A researcher who suggests that computer viruses could be spread by RFID technology sets off a firestorm of debate. Industry sources weigh in.

A paper presented by Melanie Rieback, a third-year Amsterdam's Vrije Universiteti PhD student, at the IEEE conference in Pisa, Italy, on Wednesday sent waves through the radio frequency identification (RFID) technology industry.

Rieback's paper "Is Your Cat Infected with a Computer Virus?" suggests computer viruses could spread from RFID tags through readers into poorly written middleware applications and into enterprise backend systems and databases. Rieback "artificially" created a virus, rather than find vulnerabilities in a deployed RFID system.

Industry reaction, while fast and furious in some cases, proved mixed, according to a series of interviews with TechWeb.

"With respect to the students involved, the paper as presented is rather weak," said Kevin Ashton, ThingMagic Inc. vice president, and co-founder of the Massachusetts Institute of Technology (MIT) Auto-ID Center. "The 'real' virus, they claim to demonstrate in the paper, is not a virus, just a self-replicating piece of SQL code."

The paper, however, does call attention to an obvious problem the software industry has faced for years. "Companies need to provide multi-level security and take responsibility for testing before releasing applications to the market," said Julie England, vice president at Texas Instruments Inc.

Those disagreeing with the research findings believe the paper assumes an architectural design not in use today. England calls attention to system-level inaccuracies. RFID tags store numbers, not executable code. The RFID reader expects the RFID tag to transmit numbers. Not an executable command. If a reader receives executable code via a virus, it's highly unlikely it would accept the data.

Consumer product goods and retail companies with RFID supply chain projects underway use electronic product code (EPC) RFID tags that have a 96-bit field. The majority have been assigned to manufacturers for codes to identify retail chain and product category.

"The student researchers think a database picks up the information from a tag and puts it in the buffer, and that's not what happens," said Jeff Woods, vice president of research at Gartner Inc. "Code intervenes, so the idea of SQL insertion is far fetched."

Woods attacked the EPCglobal example in the research paper, but said there are others in the paper that could theoretically play out. Buffer overflows, common sources of security vulnerabilities in software, in the middleware, for instance. "With a buffer overrun on the middleware I could take control of the middleware and get access to the rest of the system," Woods said. "These are very contrived assumptions of the systems actual architecture."

Some experts hope the paper presents a wake-up call. "This should curb enthusiasm and sober-up the industry to some of the technology's downsides, such as vulnerabilities exploited by hackers and viruses," said Katherine Albrecht, co-author of "SPYCHIPS: How Major Corporations and Government Plan to Track Your Every Move with RFID." "I hear from many people who dislike RFID and are willing to exploit vulnerabilities in the technology."

No doubt, the paper raises a legitimate point to secure the infrastructure. Woods said most companies rolling out a RFID infrastructure take a "deploy now, secure later" approach. The reality, for many means "deploy now, secure never."

"RFID has security challenges," Ashton admits. "This isn't one of them." This is a far fetched scenario requiring many improbable security holes to line up just so."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Strategies to Conquer the Cloud
Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll