News Archive
Events Calendar
Library
Activities
Advisors
About
Links
Contact Us
Country Links
Africa
Asia & Pacific
Europe
Latin America
Middle East
Global Policy Tools
Brought to you as a public service of the Open Spectrum Foundation (Stichting Open Spectrum), Amsterdam - Prague
NEWS
The first RFID virus: proof-of-concept demo today
From a press release at the "RFID Viruses and Worms" website created by Melanie R. Rieback, Patrick N. D. Simpson, Bruno Crispo and Andrew S. Tanenbaum (Department of Computer Science, Vrije Universiteit, Amsterdam). The press release is also available in Dutch:
"...Researchers at the Vrije Universiteit in Amsterdam have discovered how to put a computer virus on an RFID tag, something previously thought impossible due to the tag's limited memory.
"Melanie Rieback, a Ph.D. student supervised by Andrew Tanenbaum, gave a live demonstration of an RFID virus on 15 March at the Fourth Annual IEEE Conference on Pervasive Computing and Communications (IEEE PerCom) in Pisa, Italy.
"Rieback's paper, entitled 'Is Your Cat Infected with a Computer Virus?', provides the first-ever exposition of RFID malware (viruses worms, and related digital pests). Her paper, a candidate for the Best Paper Award, explains how attackers can use RFID tags to compromise the databases used by all RFID applications (for example, the supermarket's product and price database). The attacks exploit the same software weaknesses that PC viruses and worms do and can have the same devastating consequences.
"Once a single infected RFID tag is injected into the system, the virus can spread. Here is an example scenario: starting in May 2006, the Las Vegas airport, which handles 2 million bags a month, will start using RFID tags to label baggage in an attempt to speed up baggage handling. A malicious individual could put an infected RFID tag on his suitcase (or someone else's suitcase). The bag will be scanned when approaching a Y-junction, to determine which direction it should go. However the mere act of scanning could infect the airport's baggage database, and as a result, all bags checked in after could receive infected baggage labels. As these bags move to other airports, they would be rescanned -- and within 24 hours, hundreds of airports could be infected worldwide. A smuggler or terrorist using this technique could hide baggage from airline and government officials. Or a recently-fired airline employee could get revenge on his ex-employer by routing its bags destined for Greece to Siberia.
"Fortunately, there is a number of relatively standard countermeasures that can reduce the threat of RFID viruses. Rieback's paper emphasizes that RFID developers need to conduct audits, and must not neglect to apply safe programming and good security practices. However, while countermeasures can help reduce the threat of RFID viruses, they take time, people, and money to implement. Therefore, it is essential that RFID developers and deployers check the security of their RFID systems now -- before their software achieves widespread deployment.
"More information about RFID viruses can be found on the World Wide Web at 'www.rfidvirus.org'. The IEEE PerCom paper 'Is Your Cat Infected with a Computer Virus?' is located at 'www.rfidvirus.org/papers/percom.06.pdf'. Additionally, the VU research team has conducted extensive work on RFID security and privacy protection, resulting in the RFID Guardian, a personal device for RFID privacy management. The RFID Guardian project homepage is located at: 'www.rfidguardian.org'..."
[RFID: 15 March 2006]