RFID Tag 'Virus' Nonsense
Computerworld is running a article about how some researchers are warning of the perils of RFID viruses. In a word, bullshit. An RFID tag is simply a data source and, typically, very little data at that. If you have a poorly written application that does not do the appropriate data validations you can create a problem for yourself regardless of the source of the data.
This is worth repeating: the issues identified in the article included SQL Injection, buffer overflow(!) and other classic examples of exploits that can be applied to any poorly written application. The fact that an RFID tag was the data source does not make it a specific RFID issue -- it's just data.
So if someone creates a 'virus' and puts it on an RFID tag, great. You can write a virus and embed it in a JPEG image or mp3 file. However, unless you have an application that specifically looks for the virus payload and provides an execution environment there is absolutely no way that it can do any harm to your computer system unless it can actually execute the virus code.
One last point about data security. Hopefully, the industry has learned (via rampant indentity theft) that putting personally indentifying information in an RFID tag is a very, very stupid thing to do (and may actually be illegal in some locations). It is likely that the RFID tag would only have some sequential number/identifier that is read and tied back to some other more meaningful definition/data elsewhere. So if a bad guy gets the RFID identifier, they still have to know about the other system, locate it, compromise it and make sense of the data relationship. Could it happen? Sure. But is it as simple as the press makes it out to be, probably not. Bonus points to the implementers smart enough to encrypt the RFID data in the first place.
Here is a rather contrived scenario from the article:
This is worth repeating: the issues identified in the article included SQL Injection, buffer overflow(!) and other classic examples of exploits that can be applied to any poorly written application. The fact that an RFID tag was the data source does not make it a specific RFID issue -- it's just data.
So if someone creates a 'virus' and puts it on an RFID tag, great. You can write a virus and embed it in a JPEG image or mp3 file. However, unless you have an application that specifically looks for the virus payload and provides an execution environment there is absolutely no way that it can do any harm to your computer system unless it can actually execute the virus code.
One last point about data security. Hopefully, the industry has learned (via rampant indentity theft) that putting personally indentifying information in an RFID tag is a very, very stupid thing to do (and may actually be illegal in some locations). It is likely that the RFID tag would only have some sequential number/identifier that is read and tied back to some other more meaningful definition/data elsewhere. So if a bad guy gets the RFID identifier, they still have to know about the other system, locate it, compromise it and make sense of the data relationship. Could it happen? Sure. But is it as simple as the press makes it out to be, probably not. Bonus points to the implementers smart enough to encrypt the RFID data in the first place.
Here is a rather contrived scenario from the article:
For example, airports are considering using RFID tags to track baggage. But Tanenbaum warned that this application could pose a large problem if an RFID tag is read and delivers a much larger set of data in return. A false tag on a piece of baggage could exploit a buffer overflow to deliver a virus to the RFID middleware. Once the virus code is on the server, it could infect the databases and corrupt subsequent tags or install back doors -- small programs that allow for the extrication of data over the Internet, Tanenbaum said.Right. Or you could have the appropriate data validations in you processing system and not worry about RFID data or data from any other source for that matter.
technorati tags: rfid, virus, hysteria, security, datavalidation
posted by rich at 5:00 PM
0 Comments:
Post a Comment
<< Home