Elsa Lion
RFID: exposing databases to new security threats?
CBR Online reports that a team of three researchers presented at this week's IEE international Conference in Amsterdam a paper entitled "Is your cat infected with a computer virus?", which highlights the potential threats associated with the use of RFID tags. In particular, the paper shows how RFID tags can carry malware and propagate via databases along the supply chain. The paper's title refers to a hypothetical scenario outlined in the paper's introduction, in which a household pet implanted with an infected RFID tag is able to spread an infection to a veterinarian's computer system, with damaging consequences.According to CBR Online, the three researchers - Melanie Rieback, Bruno Crispo and Andrew Tanenbaum - found they were able to execute an SQL injection attack against an Oracle database and Apache web server using 127 characters of data stored on a cheap RFID tag. SQL injection attacks already occur via web applications, resulting sometimes in hackers being able to directly interfere with the data contained in a database. In Rieback's scenario, the virus uses SQL injection to write itself to a database whenever the infected tag is scanned. In a real-world scenario, this scan could happen when a pallet of goods arrives at a store or warehouse. New tags entering the system would have the viral code written to them.Rieback, primary author of the paper, stated that 'the security breaches that RFID deployers dread most - RFID malware, RFID worms, and RFID viruses - are right around the corner'. Comment: Rieback and her follow researchers have not found a new breed of malware already spreading in the wild. The paper describes a plausible scenario for the spread of a virus via RFID tags. However, this is perhaps the most plausible and most interesting scenario of its kind. Until now, security gurus and IT vendors have focused on threats to RFID tags themselves rather than threat that could use tags as a host. The bulk of the work done on RFID security thus focuses on preventing wiping, re-encoding and cloning at tag level. The classic example of a possible threat being 'hackers' re-encoding tags in a supermarket, which may result in revenue loss for the retailer. Few have paid attention to such threats, rightly pointing out that this was simply the high-tech equivalent of swapping sticky tags.This new paper, however, raises far more interesting questions. It suggests that RFID tags should be considered, like all other devices, as hosts for a range of malware that may be a threat to corporate systems, rather than to the object itself. Until now, RFID tags and the data they contained were considered inherently trustworthy, perhaps because tampering with tags was not easy and mostly not worthwhile, unless a hacker also had access to the relevant database. Now that researchers have proven tags can become gateways to back-end systems, vendors and users are likely to pay more attention not only to tag security but all to RFID middleware security holes. It would probably be easy to scan RFID data before it reaches the database, in the RFID middleware layer. However, this may slow down the data gathering and analysis process, which may remove or limit some of the benefits associated with the use of RFID. Companies deploy RFID to speed up process, remove errors and improve efficiency. Speed can be critical in certain environments, such as in the transport and logistic sectors. Any additional time needed to scan RFID tags could potentially remove any advantage for the user. In addition, loss of data, as highlighted in the veterinary example used in the paper could be as damaging and limit the number of potential medical and government applications of the technology going forward, even though speed and time are less crucial for those.There is of course no point in predicting a gloomy future for RFID based on a theoretical paper, but this paper certainly call for action and follow up research due to the potentially far reaching consequences of its findings.
