Malware in the Air?
In a paper being presented today at the Pervasive Computing and Communications Conference in Pisa, Italy, sponsored by the Institute of Electrical and Electronics Engineers Inc. (IEEE) , a group of computer scientists show just how susceptible radio-frequency tags may be to malware.
"Up until now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify backend software, and certainly not in a malicious way," the paper's authors write. "Unfortunately, they are wrong."
Under certain conditions, they say, RFID tags can be intentionally infected with viruses that can then find their way into the backend databases used by the RFID software.
As RFID spreads from retail supply-chain applications to a host of uses in logistics, warehousing, and other businesses, the specter of viruses spread from tiny tags via handheld scanners into enterprise software platforms could significantly slow the technology's spread. (See DHL Chips in on RFID.)
Today's presentation in Pisa provides details on how to spread viruses via RFID as well as how to defend against them. The paper is being published, the authors, say, to warn the designers and users of RFID not to deploy vulnerable systems.
"By making code for RFID 'malware' publicly available, we hope to convince them that the problem is serious and had better be dealt with, and fast," said author Andrew Tanenbaum and his colleagues, in a statement.
"Viruses on RFID tags present two issues," comments David Adams, senior vice president for corporate strategy and technology at Denver-based Trenstar, which manages thousands of beer kegs in the United Kingdom using RFID tags. "How to protect the flow of information on the tag itself and how to prevent any virus from making from the tag to our application level that is fed from the RFID network." (See Brewers Tap Into RFID.)
Trenstar, Adams adds, has created a proprietary data structure for information, which searches for corrupted data at each stage in the supply chain where the tags are scanned. The company also analyzes all data flowing into its application layer for known viruses, including RFID-generated data.
"Any good data collection system has to be set up so that it's very specific in what sort of data it's looking to collect," adds Dan Mullen, executive director of AIM Global, a trade association for the barcode and RFID industries. "That's just good practice, and it's been around for a long time."
The paper outlines three scenarios: a prankster who replaces an RFID tag on a jar of peanut butter with an infected tag to infect a supermarket chain's database; a subdermal (i.e., under-the-skin) RFID tag on a pet used to upload a virus into a veterinarian or ASPCA computer system; and, most alarmingly, a radio-frequency bag tag used to infect an airport baggage-handling system. A virus in an airport database could re-infect other bags as they are scanned, which in turn could spread the virus to hub airports as the traveler changes planes.
"Within a day, hundreds of airport databases all over the world could be infected," the authors write. "Merely infecting other tags is the most benign case. An RFID virus could also carry a payload that did other damage to the database -- for example, helping drug smugglers or terrorists hide their baggage from airline and government officials."
The broadness of the authors' claims, however, betrays a lack of understanding of how specific RFID systems are designed, says Mullen.
"If you're looking at an airport baggage system, for instance, you have to know what sort of tag's being used, the structure of the data being collected, and what the scanners are set up to gather," he explains. "Look at it in a vertical application fashion to see what specific concerns might be present there."
A renowned computer scientist, Tanenbaum developed the Minix operating system, a precursor to Linux.
— Richard Martin, Senior Editor, Unstrung