Thursday, March 16, 2006

a little clarity on the RFID virus issue

you may have read recently about the newly discovered possibility of using RFID tags as a vector for viruses and worms... there seems to be some confusion about this and to be honest that's not unexpected when even the researchers who came up with this are unclear on the matter of viruses and worms (they use the old erroneous distinction between worms and viruses where worms don't require interaction from the user even though neither their worms nor their viruses require interaction)...

first off, the RFID tags are a storage medium (not unlike a floppy disk or USB flash drive) with a very small capacity (1024 bits or 128 bytes)... they don't get infected, per se, they just hold the code and nothing more...

second, the data stored on the RFID tag can be malformed in such a way as to exploit a vulnerability in the system that reads and stores the data, such as an SQL injection attack that executes a self-replicating query...

third, although the main example given in the source material doesn't infect any host programs it's not inconceivable that an actual infector could be written (for example an SQL query that infects stored procedures)...

fourth, this isn't a concern for regular folks, only for warehouses and shipping centers and other similar places that would be actively using RFID tags and entering their data into some sort of system... the 'virus' can't magically jump out of the RFID tag and infect your computer, nor can it hop from one RFID tag to another (although once the 'virus' copies itself over other tag data in the database it may get written back to other RFID tags by the system)...

this really isn't as technologically ground breaking as it might first seem... viruses and worms exploit vulnerabilities in order to self-replicate on a frequent enough basis - the only addition here is using RFID tags as a storage and distribution medium...

0 comments: