Wednesday, March 15, 2006

Virus Vulnerability for RFID (Radio Frequency ID tags)?

The breeding ground for the computer virus will be expanding continually and rapidly over the next decade as appliances, automobiles, and all manner of other things become equipped with wireless networking and miniature computers. Cell phone and similar networks may enable worms to leap between devices over long distances and other networks over short distances. Researchers have recently demonstrated that RFID tags may be vulnerable next. Articles on the topic: RFID worm created in the lab [NewScientist.com] Viruses leap to smart radio tags [BBC.co.uk] RFID tags could carry computer viruses [SecurityFocus.com] The details for the curious: RFID Viruses and Worms The AntiVirus paradigm that we [the IT community and industry] have foisted upon PC users is already breaking down under the strain of too many virus variants and too many non-technical PC users. The paradigm probably won't work at all for cell phones and the paradigm is completely broken for the typical RFID device which typically lack an end user administration interface of any kind. The AntiVirus paradigm was invented for Enterprise users who were expected to be paid to devote time to protecting a valuable asset, and technical hobbyist users who loved tweaking their PC. It's not designed for users who want to use their PC as a simple household tool, like a television or a refrigerator. The stuff people want to do with RFID technologies is truly amazing. It starts with automating inventory in retail stores, but goes all the way down to things like "washable RFID tags equipped with sensors on all my clothes will allow me to check to see if my favorite suit is at the cleaners, at home in the laundry bag, or at home ready to wear" and "RFID tags will enable my home pantry to let me check from work to see if I have all the ingredients needed to bake a birthday cake, or if I need to stop at the store on my way home". If this stuff is going to work, we will need to be careful that we don't turn the average home into the administrative nightmare that is the average enterprise network. RFID would flop because consumers can't afford to hire an IT staff to maintain IDS and AntiVirus systems for their pantry, wardrobe, stereo, library and toolshed.

Technorati Tags: , , , , , ,

6 comments:

kurt wismer said...

RFID tags are not vulnerable, they're just a storage medium, it's systems that read and use the tag data that may be vulnerable...

Gary W. Longsine said...

Hi Kurt,

In the strictest sense you may be right -- but in the same sense one could say that "it isn't your PC hard disk that is vulnerable to virii, it is the PC itself" or "it isn't your PDA that is vulnerable to a virus, it is the operating system that runs on it".

The researchers point out that some RFID systems are intended to be part of tiny computers (in proximity advertising schemes and whatnot).

In any case, by demonstrating and thoroughly documenting RFID related attacks now, they are definitely doing the world a big favor and calling attention to this issue in the relatively early phases of RFID.

Many people in IT fields thought cell phones were immune long after they had all been equipped with sufficiently interesting processors, memory, storage and networking. Although we are lucky enough to see a relatively low incidence of cell phone based attacks, the number is now non-zero. It's probably only a matter of time before a large scale threat emerges on a cell network. The payoff for the organized crime behind such efforts would be pretty large. People increasingly store not only contact information, but user names and passwords and other sensitive data on PDA devices, including some hybrid cell phone PDA systems.

If you're interested or work with RFID, you'll definitely want to follow the links above. It's interesting stuff.

Thanks for your comment!

/gary

kurt wismer said...

well, let me put it another way... as a storage medium, saying RFID tags are vulnerable to viruses is like saying USB flash drives are vulnerable to viruses...

as to doing the world a favour, there are 2 possible responses - either they shouldn't have published the actual self-replicating malware (that's not responsible virus handling) or folks are right and the researchers constructed an artificially vulnerable system in which case publishing their malware is a non-issue but the threat they were trying to demonstrate was overstated...

Gary W. Longsine said...

Hi Kurt,

Your assumptions are artificially narrow. Unlike the contemporary USB key-fob, there are plans for RFID devices which are essentially automatically registering mesh networks where the network includes computation transmission and storage components. You seem to be thinking only of the tag itself. Sufficiently pedantic definitions can certainly reduce the scope of discussion of any arbitrary vulnerability to "not a problem" but in fact, the industry has been wrong when discounting security threats before.

Step outside of the AntiVirus paradigm and think about general security problems for a moment. It isn't the door to your house that you seek to protect, it's the contents within. However, if the door is hanging open, those contents are vulnerable to walking off with modest assistance. Now, under normal circumstances people expect your door to be locked, and probably don't have time to check all the doors to see if they are unlocked on any given day. That's kinda like a USB key-fob. Limited access and limited opportunity to scale up an attack, due to the limits of the fob concept.

However, if there were also automatic billboards all over town telling people when you left your door unlocked by accident, the nature of the risk to leaving your door unlocked would be substantially increased. This is more analogous to the RFID plans, where some RFID devices will be computers, others will be automatically registering data storage nodes equipped with networking.

The researchers in question seem to present a reasonable case, outlining the potential for automated attacks under some RFID use cases. Their tone doesn't appear to be anywhere near as alarmist as we typically see coming from the AntiVirus industry, for example the flurry of "Macintosh worm" stories only a few weeks ago.

As for "responsible virus handling," it's pretty clear that the community of independent and academic security researchers tend to agree that open publication of detailed technical information on vulnerabilities is reasonable. Important vulnerability assessment tools require such sharing in order to be useful.

In cases like this one, where the vulnerability isn't a single "hole", but rather emergent from what will tend to be the natural actions of probably thousands of companies building systems based on RFID technologies, sharing detailed information and sample exploit code like this is likely to be more helpful than harmful.

Their discussion of the RFID-equipped baggage handling system paints a reasonable picture of the issue they are bringing to fore. It's definitely not like a USB key-fob as we think of them today -- it's more like many hundreds of millions more USB key-fobs, each with built in wireless networking, automatic registration to thousands of central processing nodes, and valuable outcomes like airline safety at stake.

I'm sure people are tired of the seemingly endless hype coming from the AntiVirus world, but let's not get too hasty and throw the baby out with the bath-water here. These folks have raised issues worthy of consideration.

kurt wismer said...

i didn't mean to imply that what the researchers were talking about wasn't a problem...

what they've identified is that an input validation bug in RFID reader systems could allow arbitrary code execution (they had me at "; shutdown")...

the use of 'viruses' (and i use the term in the formal sense since cohen's formal turing machine based definition is the only accepted one that their example qualifies under) to demonstrate that vulnerability was arbitrary (one could use practically anything to demonstrate an arbitrary code execution vulnerability) and seemed to be more about drawing lots of attention than about anything technical about RFID or viruses...

and with respect, full disclosure as it applies to conventional vulnerabilities is not comparable to full disclosure in the virus field... while conventional vulnerabilities represent mistakes that can be fixed and learned from, virus susceptibility is inherent in all general purpose computing systems and cannot be corrected under those conditions... while the benefits of full disclosure of vulnerabilities (creating pressure to fix the problem and teaching the public about the problem in order to help avoid it in the future) outweighs the risk, those benefits are absent in the virus field while the risks are greater (as viruses have a habit of living on all by themselves long after anyone who might be trying to use them have stopped)...

putraIT said...

hi

after reading some, the rfid 'virus' is actually simply a 'sql injection' -as what they call it in web application attack. It is all about lack of validation (over trusting the input).

However the term rfid VIRUS makes it like a really serious attack to rfid technology.

dont scare ordinary people by complicated the term. yes they may call it as pc virus instead of hard disk virus or buffer overflow but pc virus is too different than what you call rfid virus.