Dept. of Alarmist Dorks

Some attention-grubbing nutbirds in Europe are whining about RFID virii, saying things like:

“Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong,” wrote the trio in their research paper.

How many times can you be wrong in ONE sentence?

  1. In fact, simple scans CANNOT modify back-end systems. There’s no way. So-called “SmartLabels” are just data storage devices that respond to radio fields. When a reader hits the tag, the tag echoes back its data. The DoD- and Wal-Mart-mandated tags hold only 96 bits, so we’re not talking about much data, either. By the time a tag read reaches any back-end code, it’s just data.

  2. That said, like any input, RFID input must be validated and examined to prevent overflow attacks, injections, etc. Scanning an RFID tag and naively assuming it’s a safe data source could create trouble — but that’s true of any input. In this regard, RFID is no different than a form on a web page. In many poorly-designed systems, it’s possible to do damage by putting malicious code into web forms — that’s almost certainly how the old Heathen site got hacked, for example, via a flaw in WordPress. No developer worth a damn will ever assume his inputs are safe, at least in systems like web tools and (yes) RFID. Whole libraries of code exist to isolate data and ensure information gleaned from inputs doesn’t contain exploits. It’s a known problem, and one that all competent people know how to avoid.
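What point 2 looks like in practice, as an added example that is not from the original post or the research paper: a tag read is checked against the 96-bit format before the back end touches it, then stored through a bound SQL parameter. It assumes the reader hands over the tag ID as 24 ASCII hex characters; the `scans` table, the function names and all sample reads are constructed for illustration.

```python
import re
import sqlite3

# 96-bit tag memory rendered as 24 hex characters (assumed reader output format).
EPC_HEX = re.compile(r"[0-9A-Fa-f]{24}")


def parse_tag_read(raw: bytes) -> str:
    """Return the normalized 24-hex-digit tag ID, or raise ValueError."""
    if len(raw) != 24:  # bound the length before decoding or copying anything
        raise ValueError("unexpected tag length: %d" % len(raw))
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in tag read")
    if not EPC_HEX.fullmatch(text):
        raise ValueError("tag is not 96 bits of hex")
    return text.upper()


def record_scan(db, raw):
    """Validate a read and store it; True if stored, False if rejected."""
    try:
        epc = parse_tag_read(raw)
    except ValueError:
        return False
    # Bound parameter: the value is never spliced into the SQL text.
    db.execute("INSERT INTO scans (epc) VALUES (?)", (epc,))
    return True


def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE scans (epc TEXT NOT NULL)")  # hypothetical schema
    reads = [
        b"3034257bf400b7800004cb2f",       # constructed: well-formed 96-bit ID
        b"x'; DROP TABLE scans; --",        # constructed: 24 bytes, SQL metacharacters
        b"3034257BF400B7800004CB2F" * 40,   # constructed: oversized read
        b"\xff" * 24,                       # constructed: non-ASCII bytes
    ]
    results = [record_scan(db, r) for r in reads]
    stored = [row[0] for row in db.execute("SELECT epc FROM scans")]
    return results, stored


if __name__ == "__main__":
    print(demo())
```

The second read is exactly 24 bytes, so the length bound alone does not catch it; the format check does, and the bound parameter is the second layer if a format check is ever loosened.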

That’s why this is a total non-issue. It’s especially stupid that people are saying “virus” here; a virus is actual malicious computer code that knows how to replicate and infect. Here, they’re talking about a system vulnerability and carefully tailored data injection attacks. It’s a security problem (if you’ve hired idiots for your RFID development), but not one that has much at all to do with viruses. You may as well speak of “bar code viruses,” since that makes just as much sense.

In a nutshell, what these fools are whining about — and, apparently, spending a lot of time and money demonstrating — is that under carefully created circumstances, it’s possible for information from a system input (in this case, RFID) to carry a damaging payload if the system assumes the data is known-safe. Way to go! We eagerly anticipate their next study, which probably covers such earthshaking assertions as “you should not give your online banking information to the nice people in Nigeria.”

(This isn’t to say there aren’t areas of legitimate concern in the RFID world; just that this story isn’t one of them.)
