Experts: Don't panic over RFID viruses - yet

Proof-of-concept malware may help solve RFID security issues before they become a real problem
Written by Jo Best, Contributor

Dutch researchers have announced they have successfully created a virus capable of infecting RFID tags.

In a new study, "Is Your Cat Infected with a Computer Virus?" scientists from the Computer Systems Group at the Vrije Universiteit in Amsterdam revealed that data from RFID tags can be used to exploit back-end software systems.

The academics also went on to create a proof-of-concept virus, which uses the track and trace tags to compromise middleware systems using a SQL injection attack.

"RFID malware is a Pandora's Box that has been gathering dust in the corner of our 'smart' warehouses and homes," the paper said. "While the idea of RFID viruses has surely crossed people's minds, the desire to see RFID technology succeed has suppressed any serious consideration of the concept. Furthermore, RFID exploits have not yet appeared in the wild. So people conveniently figure that the power constraints faced by RFID tags make RFID installations invulnerable to such attacks."

Adam Jura, analyst for manufacturing technology at Datamonitor, said the news of the virus could yet have a positive effect by helping to focus both vendors and users' minds on the security issues around the track and trace technology.

"At the moment, RFID isn't mainstream — we're still in the early adopter phase, so a virus would have very little impact," he said. "The best impact [the research] could have would be to get people to look at the security implications around RFID."

Security companies have also been quick to advise users that the potential threat from RFID viruses is minimal and any potential virus will have a hard time making it into the wild.

Graham Cluley, senior technology consultant for antivirus company Sophos, said the virus created by the Dutch researchers could only propagate in the specific environment the academics had created and that no known vulnerability currently exists in the wild.

He said: "Of course, any device that can store data can store virus code as well. But that does not mean that the virus would be able to spread or be in any way effective."

The researchers themselves state that there are problems with the virus, including the fact that it will be easily spotted by a database administrator. However, the paper hopes to prompt the RFID industry to take greater care of security in the future. It states: "Developers of the wide variety of RFID-enhanced systems will need to 'armour' their systems, to limit the damage that is caused once hackers start experimenting with RFID exploits, RFID worms and RFID viruses on a larger scale."

The controversial research has also found supporters. Katherine Albrecht of privacy group Caspian said she hoped the virus would help encourage big companies and governments to slow down their RFID rollouts.

Editorial standards