News
News
3/16/2006
05:41 PM
Connect Directly
RSS
E-Mail
50%
50%

RFID World Still Reacting Strongly To Virus Research

A researcher who suggests that computer viruses could be spread by RFID technology sets off a firestorm of debate. Industry sources weigh in.

A paper presented by Melanie Rieback, a third-year Amsterdam's Vrije Universiteti PhD student, at the IEEE conference in Pisa, Italy, on Wednesday sent waves through the radio frequency identification (RFID) technology industry.

Rieback's paper "Is Your Cat Infected with a Computer Virus?" suggests computer viruses could spread from RFID tags through readers into poorly written middleware applications and into enterprise backend systems and databases. Rieback "artificially" created a virus, rather than find vulnerabilities in a deployed RFID system.

Industry reaction, while fast and furious in some cases, proved mixed, according to a series of interviews with TechWeb.

"With respect to the students involved, the paper as presented is rather weak," said Kevin Ashton, ThingMagic Inc. vice president, and co-founder of the Massachusetts Institute of Technology (MIT) Auto-ID Center. "The 'real' virus, they claim to demonstrate in the paper, is not a virus, just a self-replicating piece of SQL code."

The paper, however, does call attention to an obvious problem the software industry has faced for years. "Companies need to provide multi-level security and take responsibility for testing before releasing applications to the market," said Julie England, vice president at Texas Instruments Inc.

Those disagreeing with the research findings believe the paper assumes an architectural design not in use today. England calls attention to system-level inaccuracies. RFID tags store numbers, not executable code. The RFID reader expects the RFID tag to transmit numbers. Not an executable command. If a reader receives executable code via a virus, it's highly unlikely it would accept the data.

Consumer product goods and retail companies with RFID supply chain projects underway use electronic product code (EPC) RFID tags that have a 96-bit field. The majority have been assigned to manufacturers for codes to identify retail chain and product category.

"The student researchers think a database picks up the information from a tag and puts it in the buffer, and that's not what happens," said Jeff Woods, vice president of research at Gartner Inc. "Code intervenes, so the idea of SQL insertion is far fetched."

Woods attacked the EPCglobal example in the research paper, but said there are others in the paper that could theoretically play out. Buffer overflows, common sources of security vulnerabilities in software, in the middleware, for instance. "With a buffer overrun on the middleware I could take control of the middleware and get access to the rest of the system," Woods said. "These are very contrived assumptions of the systems actual architecture."

Some experts hope the paper presents a wake-up call. "This should curb enthusiasm and sober-up the industry to some of the technology's downsides, such as vulnerabilities exploited by hackers and viruses," said Katherine Albrecht, co-author of "SPYCHIPS: How Major Corporations and Government Plan to Track Your Every Move with RFID." "I hear from many people who dislike RFID and are willing to exploit vulnerabilities in the technology."

No doubt, the paper raises a legitimate point to secure the infrastructure. Woods said most companies rolling out a RFID infrastructure take a "deploy now, secure later" approach. The reality, for many means "deploy now, secure never."

"RFID has security challenges," Ashton admits. "This isn't one of them." This is a far fetched scenario requiring many improbable security holes to line up just so."

Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - August 20, 2014
CIOs need people who know the ins and outs of cloud software stacks and security, and, most of all, can break through cultural resistance.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.