University researchers in Amsterdam have discovered a way to plant a virus on radio frequency identification (RFID) tags, potentially infecting enterprise back-end software systems and spreading from one RFID tag to another.
In a research document entitled, Is Your Cat Infected with a Computer Virus?, computer researchers from Vrije Universiteit (VU) Amsterdam presented proof of concept for a self-replicating RFID virus using structured query language (SQL) injection, attacking RFID middleware systems.
As an application scenario, the researchers used a typical supermarket distribution centre that employed a warehouse automation system with reusable RFID-tagged containers.
This hypothetical operational process involved a pallet of containers with products passing by an RFID reader upon arrival at the distribution centre. The reader identified and displayed the products’ serial numbers, and sent the information to the corporate database. The containers were then emptied and refilled with another product.
The RFID reader then updated the container’s RFID tag data to reflect the new shipment, which was then sent off to a local supermarket branch.
Using SQL injection — a type of exploit wherein an attacker adds SQL code to a Web form input box to get access to resources or make changes to data — the researchers were able to infect the RFID tag for one container. Once the tag went through the RFID reader, the SQL injection was inadvertently executed by the back-end database, the researchers wrote.
The virus was then spread as new containers were loaded and unloaded in the distribution centre and the infected warehouse management system read and wrote data on RFID tags, according to the research document. In the hypothetical example, the infected RFID tags then became virus carriers infecting other middleware systems they came in contact with through the whole supply chain process.
“RFID as a whole [is] often treated with suspicion, but the input data received from individual RFID tags is implicitly trusted,” the researchers stated. “No one expects an RFID tag to send an SQL injection attack or a buffer overflow.”
The researchers recommended steps to protect against RFID exploits including: bounds checking, which is usually performed by the code compiler to detect whether an index lies within the limits of an array; disabling back-end scripting languages; limiting database permission and segregating users; using parameter binding, which makes SQL attacks more difficult; isolating the RFID middleware server from other corporate servers; and code review, which allows developers to search and remove exploitable bugs from the source code.
One Canadian RFID expert believes that while it’s theoretically possible, RFID exploits are “highly unlikely” as they require an attacker to “readily defeat encryption of the RFID tags.”
“If you defeat encryption of any system, exploits are easy, so RFID is no different,” said Srdjan Milutinovic, vice-president for systems development at cStar Technologies Inc., a Toronto-based wireless technology research and development company.
Milutinovic noted that attackers typically “choose the easiest way” of attack, which does not require special hardware devices and hardware systems, and most of all, one which does not involve proximity.
But he added that, “It is certainly a valuable exercise to point out the necessity of having security in mind whenever a solution is designed and/or deployed and emphasize the importance of continuous upgrade of the encryption standards in order to be ahead of the game.”
Quick Link 061354