Viruses leap to smart radio tags
By Mark Ward
Technology Correspondent, BBC News website
The smart tags are being used to streamline supply chains
Computer viruses could be about to take a giant leap and start
spreading via smart barcodes, warn experts.
Security researchers have infected a Radio Frequency ID tag with a
computer virus to show how the technology is vulnerable to malicious
hackers.
The researchers warn that RFID tags could help mount many different
types of attacks on computer systems.
Makers of radio tag systems were urged by the group to introduce
safeguards to guard against RFID-borne bugs.
Cat attack
"This is intended as a wake-up call," said Andrew Tanenbaum, one of
the researchers in the computer science department at Amsterdam's
Free University that did the work revealing the weaknesses on smart
tags.
"We ask the RFID industry to design systems that are secure," he
said.
RFID tags are essentially smart barcodes that replace the familiar
lines with a small amount of computer memory, a tiny processing unit
and a radio. Information is downloaded into the tag and read off it
via radio.
Many large companies are keen to use the RFID tags because they will
help keep track of the goods they are shipping from warehouses out to
stores or regional offices. Currently RFID tags are relatively
expensive so most are used to log what is in boxes of goods rather
than to label individual items.
However, many expect the smart tags to become ubiquitous as the price
of making the devices falls.
In their research paper Mr Tanenbaum and his colleagues Melanie
Rieback and Bruno Crispo detail how to use RFID tags to spread
viruses and subvert corporate databases.
"Everyone working on RFID technology has tacitly assumed that the
mere act of scanning an RFID tag cannot modify back-end software and
certainly not in a malicious way. Unfortunately, they are wrong,"
wrote the trio in their research paper.
The researchers showed how to get round the limited computational
abilities of the smart tags to use them as an attack vector and
corrupt databases holding information about what a company has in
storage. To test out the theory the group created a virus for a smart
tag that used only 127 characters, uploaded it and watched it in
action.
Mikko Hypponen, chief research officer at anti-virus firm F-Secure,
said: "RFIDs with embedded computers are suspectible to basically all
the same threats any other computers are. Unfortunately."
If viruses do appear in smart tags, said the researchers, they are
likely to cause problems for companies that read data off the tags.
They speculated that consumer activist groups could use smart tags
viruses to cause havoc at stores they are targeting.
In some cases, said the researchers, viruses could be spread by
household pets such as cats and dogs that are injected with the tags
to help identify their owner.
The researchers urged companies working on RFID systems to start
thinking seriously about security measures to protect against future
threats.
search: