McAfee Reports RFID Vulnerabilities; RFID Apologists Stick Head in Sand
McAfee's Avert Labs has just issued its semiannual security report and one of the topics discussed in a "future of cybercrime" article is the privacy threat from radio frequency ID (RFID) devices (McAfee sponsors this community). It concludes that:
Current RFID technology is vulnerable to eavesdropping, recording, cloning, and forgery. RFID readers could contain vulnerabilities that would allow RFID chips to contain exploits to steal information from backend databases.
This isn't the first time researchers have warned about the vulnerabilities, or at least potential vulnerabilities, in RFID. Melanie Rieback and colleagues have published a paper on RFID Viruses and Worms. They point out:
Up until now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software, and certainly not in a malicious way. Unfortunately, they are wrong. In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionally) infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags.
These reports of RFID vulnerabilities are not welcomed by the RFID industry. One industry Web site argues against McAfee's claims (RFID Journal, "McAfee Report Hypes RFID Threat"):
To date, I haven't seen a single shred of evidence, anywhere, that would substantiate these claims, and I truly doubt it is even possible. No, I'm not a software expert, but tags store flat data, not executable programs, so it's hard to see how you could use tags to penetrate systems containing RFID data. And even if someone were able to exploit a reader's vulnerabilities, most readers can be upgraded remotely so the loophole would be closed. (Yes, another might be found, and we'd have the kind of ongoing battle we have with PCs.)
There are a number of flaws in this argument. The writer admits that he is not a software expert, so we can understand his not knowing how data can also act as a program, as in the case of buffer overflows, or that any second-year computer science major can write programs in assembler or Lisp that treat data as programs and programs as data. However, the response from the trade journal doesn't indicate any awareness of Rieback's paper on RFID viruses and worms, or even of the difficulties with patch management. If correcting a vulnerability were as easy as the article seems to assume, we'd have a lot fewer attacks. Anyone remember SQL Slammer? The patch for that one was out for months before the worm clogged large segments of the Internet.
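To illustrate how "flat data" on a tag stops being flat once back-end software interprets it, here is an added example (not code from this post, the McAfee report or Rieback's paper) that puts a weak scan handler beside a hardened one. The schema, function names and tag contents are constructed for illustration.

```python
import sqlite3

# Constructed sample: text decoded from a tag's user memory.
BENIGN_TAG = "pears"
CRAFTED_TAG = "pears' --"  # ends the string literal, comments out the WHERE clause


def new_db():
    """In-memory stand-in for the back-end inventory database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE inventory (tag_id TEXT PRIMARY KEY, contents TEXT)")
    db.executemany("INSERT INTO inventory VALUES (?, ?)",
                   [("T1", "apples"), ("T2", "oranges"), ("T3", "grapes")])
    return db


def record_scan_unsafe(db, tag_id, tag_data):
    """Weak form: tag data is pasted into the SQL text, so it is parsed as SQL."""
    sql = f"UPDATE inventory SET contents = '{tag_data}' WHERE tag_id = '{tag_id}'"
    return db.execute(sql).rowcount


def record_scan_safe(db, tag_id, tag_data):
    """Hardened form: tag data is bound as a parameter and stays a value."""
    sql = "UPDATE inventory SET contents = ? WHERE tag_id = ?"
    return db.execute(sql, (tag_data, tag_id)).rowcount


def contents(db):
    """Return the whole table as {tag_id: contents}."""
    return dict(db.execute("SELECT tag_id, contents FROM inventory"))


def demo():
    """Scan the crafted tag as T1 through each handler on a fresh database."""
    results = {}
    for name, fn in (("unsafe", record_scan_unsafe), ("safe", record_scan_safe)):
        db = new_db()
        rows = fn(db, "T1", CRAFTED_TAG)
        results[name] = (rows, contents(db))
    return results


if __name__ == "__main__":
    for name, (rows, table) in demo().items():
        print(f"{name}: rows changed={rows} table={table}")
```

With the weak handler a single scan rewrites every row; with the bound parameter only the scanned tag's row changes and the odd characters are stored as plain text.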
Pervasive technologies, like RFID and smartphones, are vulnerable to exploits like any other complex system. Let's not get so worked up about protecting market turf that we stick our heads in the sand and pretend that RFID is somehow an exception to the rules and impenetrable to attack.



