Three academic computer geeks recently caused an outbreak of panic amongst the business press by announcing that they had created the world's first computer virus hosted on an RFID tag.
They described their tag-borne Frankenstein in a scholarly paper, published last month, with the decidedly non-scholarly title, "Is Your Cat Infected with a Computer Virus?" The initial press reaction to the event was to declare that the situation is very serious, or perhaps not serious; that RFID is dead, or perhaps not quite dead; and in any case the world would soon fall to armies of hackers. Or not. Since I am semi-fluent in geek-speak, let's take a look at the paper's main points and place them in the context of current-day project implementation.
A Layman's Guide To Computer Viruses
The lead author, Melanie Rieback, presented her paper on March 15 at the IEEE conference on pervasive computing in Pisa, Italy. Her thesis was that powerful viruses can fit on the small memory space of a Gen 1 or Gen 2 RFID tag. To test the theory, her team created favorable conditions for the viruses in a laboratory mock-up of an RFID reader and database. Her team succeeded quite well in demonstrating the possibility of creating very small viruses that could reside on a standard retail RFID tag. These viruses could also fit on the transdermal tags used in veterinary applications, which explains the unusual title of her paper.
The team surveyed the common types of computer viruses that are present on the Internet. They realized that current and planned RFID technology uses the same technology standards that power the Internet. For example, EPC Global has specified the common Internet standards of DNS (Domain Name System), URI (Uniform Resource Identifiers), and XML (Extensible Markup Language) for use in Gen 2 RFID systems. Therefore, in theory, RFID software should be vulnerable to the same computer virus techniques as the Internet.
The researchers looked at two types of computer virus attacks. The first type of attack is called a buffer over-run. In layman's terms, this is the computer data equivalent of stuffing 20 pounds of potatoes into a 10-pound sack. A hacker can create a virus by carefully constructing a data stream that is larger than the software program expects to read. The other type of attack is called an SQL injection. This attack relies on the standard programming language of databases -- Structured Query Language -- to sneak malicious code through a poorly designed database front-end program. The RFID middleware software in current use is one such example of a database front-end program.
Come Up To The Lab And See What's On The Slab
It is one thing to theorize that such computer viruses are possible in an RFID system. It is another thing to demonstrate a virus in action. Rieback created a sample RFID system in her lab with fellow researcher Bruno Crispo and thesis adviser Professor Andrew Tanenbaum. The sample system included a standard tag reader, an Oracle database, and a reader interface program created by the researchers themselves. They used this system to successfully create the world's first computer virus on an RFID tag.
The key to their success was the interface program that they wrote. This software, which was meant to mimic generic RFID middleware, was written in a widely used computer language that has known security vulnerabilities. The program was deliberately made very simple and lacking in common security safeguards. These circumstances made it an open target for computer virus attack. The researchers arranged for ideal circumstances to assure maximum success of the computer virus attack. In a real world system, things would not be so simple.
Although their RFID test system is similar in overall design (system architecture) to commercial RFID systems, the actual software varies considerably from standard commercial practice. Commercial middleware and databases contain built-in security practices to guard against the exploits described above. Rieback, Crispo, and Tanenbaum do not, in fact, argue that real-world RFID virus attacks are likely to be common. Their scenario would rely on aggressively stupid implementations of commercial software -- an occurrence that is thankfully rare.
Authors Rieback, Crispo and Tanenbaum have shown considerable ingenuity and a flair for publicity. They have performed a valuable service in demonstrating that commercial RFID software vendors need to take industry-standard steps to guard against malicious data encoded on RFID tags. They have not claimed that the sky is falling, but unfortunately that is the impression left by many articles on the subject. The virus technology described in their paper is a weak example suitable solely for their lab. They conclude their paper by issuing a challenge to RFID software providers to submit their security schemes to independent testing -- a good idea for any large commercial software product.
The publicity surrounding this RFID virus research is no reason to delay any planned RFID implementations. The practical lesson to learn from the research is to ask the right questions of RFID integrators and software service providers. If you are currently planning an RFID technology project for your facility, simply include your current IT experts in the technology selection process. This will go a long way towards safeguarding you from any potential problems with RFID.
Paul Faber is a principal with Raleigh, N.C.-based Tompkins Associates, a supply-chain-solutions consulting firm. As the chief manager of RFID equipment implementation at Tompkins Emerging Technology Center, Paul possesses extensive experience in material handling solutions, systems integration, and installation. He has managed field integration and operations activities at material handling sites around the world.
Interested in information related to this topic? Subscribe to our weekly RFID eNewsletter.