News
News
3/16/2006
05:41 PM
50%
50%

RFID World Still Reacting Strongly To Virus Research

A researcher who suggests that computer viruses could be spread by RFID technology sets off a firestorm of debate. Industry sources weigh in.

A paper presented by Melanie Rieback, a third-year Amsterdam's Vrije Universiteti PhD student, at the IEEE conference in Pisa, Italy, on Wednesday sent waves through the radio frequency identification (RFID) technology industry.

Rieback's paper "Is Your Cat Infected with a Computer Virus?" suggests computer viruses could spread from RFID tags through readers into poorly written middleware applications and into enterprise backend systems and databases. Rieback "artificially" created a virus, rather than find vulnerabilities in a deployed RFID system.

Industry reaction, while fast and furious in some cases, proved mixed, according to a series of interviews with TechWeb.

"With respect to the students involved, the paper as presented is rather weak," said Kevin Ashton, ThingMagic Inc. vice president, and co-founder of the Massachusetts Institute of Technology (MIT) Auto-ID Center. "The 'real' virus, they claim to demonstrate in the paper, is not a virus, just a self-replicating piece of SQL code."

The paper, however, does call attention to an obvious problem the software industry has faced for years. "Companies need to provide multi-level security and take responsibility for testing before releasing applications to the market," said Julie England, vice president at Texas Instruments Inc.

Those disagreeing with the research findings believe the paper assumes an architectural design not in use today. England calls attention to system-level inaccuracies. RFID tags store numbers, not executable code. The RFID reader expects the RFID tag to transmit numbers. Not an executable command. If a reader receives executable code via a virus, it's highly unlikely it would accept the data.

Consumer product goods and retail companies with RFID supply chain projects underway use electronic product code (EPC) RFID tags that have a 96-bit field. The majority have been assigned to manufacturers for codes to identify retail chain and product category.

"The student researchers think a database picks up the information from a tag and puts it in the buffer, and that's not what happens," said Jeff Woods, vice president of research at Gartner Inc. "Code intervenes, so the idea of SQL insertion is far fetched."

Woods attacked the EPCglobal example in the research paper, but said there are others in the paper that could theoretically play out. Buffer overflows, common sources of security vulnerabilities in software, in the middleware, for instance. "With a buffer overrun on the middleware I could take control of the middleware and get access to the rest of the system," Woods said. "These are very contrived assumptions of the systems actual architecture."

Some experts hope the paper presents a wake-up call. "This should curb enthusiasm and sober-up the industry to some of the technology's downsides, such as vulnerabilities exploited by hackers and viruses," said Katherine Albrecht, co-author of "SPYCHIPS: How Major Corporations and Government Plan to Track Your Every Move with RFID." "I hear from many people who dislike RFID and are willing to exploit vulnerabilities in the technology."

No doubt, the paper raises a legitimate point to secure the infrastructure. Woods said most companies rolling out a RFID infrastructure take a "deploy now, secure later" approach. The reality, for many means "deploy now, secure never."

"RFID has security challenges," Ashton admits. "This isn't one of them." This is a far fetched scenario requiring many improbable security holes to line up just so."

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.