Monday, March 20, 2006

RFID virus threat overblown?

RFID Update questions the news value of the coverage last week of a virus threat to RFID systems. But we all know the media thrives on FUD (fear, uncertainty, and doubt), so perhaps we shouldn't be surprised at all the attention this story received.

RFID Update concludes:
[T]he scenarios presented by the [RFID virus] researchers were widely considered so contrived as to be unfeasible. A key premise of the researchers' assertions is that the bits and bytes stored on RFID tags would be interpreted by readers as executable instructions. The reality is that tag contents are never interpreted as executable code; they are interpreted only as simple raw data, like numbers. For an RFID system to interpret tag data otherwise would require a poor, insecure design that breaks the most basic and obvious rules of system engineering.

Which raises another point. The potential vulnerability is in the system design; there is nothing inherent to RFID tag technology that makes it vulnerable. As Julie England, Texas Instruments' general manager of RFID, said, "This is the kind of issue the software industry has seen for years." She continued, "Pointing out that poorly written backend software could weaken the RFID application as a whole ... is stating the obvious." As this recommended explanation by Ben Giddings, an engineer at RFID reader manufacturer ThingMagic reads, "RFID tags, just like barcodes, are just data. Nothing more than data. If you intentionally design a system to be vulnerable to certain data, then intentionally expose the system to that data, then yup, you'll have a problem." |RFID Update|(emphasis added)

I'm certainly concerned about whether the RFID data is encrypted for sensitive applications like passports...and viruses could be a concern. Whoever thought a cell phone could catch a virus, after all? But this article raises several good points.


Jason said...

Nice how they are moving the goal posts. I mean, I agree with everything in this article, but it ignores the fact that their previous defense of RFID was that they were incapable of carrying a virus. That is now proved false. So, they fall back to the position that the data isn't interpreted as executable code. Well.

Never bet against the hackers. They grow new, smarter ones every day.

Safety Neal said...

One point that isn't addressed by the post that I wondered about is they type of RFID tags. Some tags are read-only (or dumb tags) and others are programmable. Obviously the programmable ones could be hijacked.

But the dumb tags could only be hijacked if someone had their own factory to produce mock-up RFID chips, which is possible...but a lot of expense. It would only seem justified for stealing really expensive items. Which people might do to upscale boutiques and such...

Anyway, I agree with you that security is never perfect. That's why I posted a picture of the state of the art in defense from the 16th century on my post...maybe that was too obtuse.

Security is a process, not a destination.