I read about RFID viruses some time ago but I hadn’t commented anything here because I didn’t see the point of it.
Let’s situate ourselves. Some investigators from Vrije University, at Amsterdam, wrote some papers predicting the apparition of RFID viruses, explaining how to code them and giving some examples. Although it can work theoretically, I don’t think these viruses pose any threat in the near future.
RFID tags do not contain code, they only contain some data which can be read with an appropriate scanner. The basis of the papers these investigators wrote is that the software controlling the reading of the data will contain bugs that will allow this data to get executed. Technically, this is known as SQL injection, where data is interpreted as SQL code and executed by the database. This is a known trick which has been used by hackers for a long time, allowing them to deface websites and other nasty things.
But, in the physical world, it will be more difficult to make this work. First of all, you will need to know how the software you want to hack works. This is much easier in the web, where many times you can get the source code for the application you want to hack and can examine it line by line. In real world, not many applications will be available for inspection. For example, your local supermarket using RFID won’t allow you to have a look at their source code.
This doesn’t imply it can’t be done, as with some experimentation one can guess how the system is built and how to work around it, but will probably limit a lot the attacks.
For me, the privacy implications of RFID are more important than the probability of a RFID virus appearing some day, and this is something that has not been extensively discussed.
From | Help Net Security
0 Responses to “RFID viruses are not a problem”