I knew it was only a matter of time until this was "discovered".......RFID is a bad technologyto rely on for identity, but that's exactly what the US Government isdoing with all new passports (which all have RFID tags in them).
[hr style="width: 100%; height: 2px;"]Study Says RFID Chips in ID Tags Are Vulnerable to Viruses
A group of European computer researchers have demonstrated that it is possible to insert a software virus into radio frequency identification tags, part of a microchip-based tracking technology in growing use in commercial and security applications.
Radio frequency identity tags are growing in popularity because they are easily scanned.
Ina paper to be presented today at an academic computing conference inPisa, Italy, the researchers plan to demonstrate how it is possible toinfect a tiny portion of memory in the chip, which can hold as littleas 128 characters of information.
Until now, most computersecurity experts have discounted the possibility of using such tags,known as RFID chips, to spread a computer virus because of the tinyamount of memory on the chips.
The tracking systems are intendedto improve the accuracy and lower the cost of tracking goods in supplychains, warehouses and stores. Radio tags store far more data about aproduct than bar codes and can be read more quickly. They have evenbeen injected into pets and livestock for identification.
Thechips have already prompted debate over privacy and surveillance, giventheir tracking ability. Now the researchers have added a series ofworrisome prospects, including the ability of terrorists and smugglersto evade airport luggage scanning systems that will use RFID tags inthe future.
In the researchers' paper, "Is Your Cat InfectedWith a Computer Virus?," the group, affiliated with the computerscience department at Vrije Universiteit in Amsterdam, also describeshow the vulnerability could be used to undermine a variety of trackingsystems.
The researchers said they realized that there are risksassociated with publishing security vulnerabilities in computerizedsystems. To head off some of the possible attacks they described, theyhave also published a set of steps to help protect RFID chips from suchattacks.
The group, led by Andrew S. Tanenbaum, an Americancomputer scientist, will make the presentation at the annual PervasiveComputing and Communications Conference sponsored by the Institute ofElectrical and Electronic Engineers. Mr. Tanenbaum is the author of theMinix operating system, an experimental project that became the heartof the Linux open-source operating system.
The researchersasserted that the RFID demonstration had not used the commercialsoftware that collects and organizes information from RFID readers.Rather, it used software that they designed to replicate those systems.
"Wehave not found specific flaws" in the commercial RFID software, Mr.Tanenbaum said, but "experience shows that software written by largecompanies has errors in it."
The researchers have posted their paper and related materials on security issues related to RFID systems at [a href="http://www.rfidvirus.org/"]www.rfidvirus.org[/a].
The researchers acknowledged that inside information would be required in many cases to plant a hostile program. Butthey asserted that the commercial software developed for RFIDapplications had the same potential vulnerabilities that have beenexploited by viruses and other malicious software, or malware, in therest of the computer industry.
One such standard industryproblem is a software coding error referred to as a buffer overflow.Such errors occur when programmers set aside memory to receive datatemporarily, but fail to require a check on the size of the value thatis moved to the allocated space. A larger-than-expected value can causethe program to break and trick the computer operating system intoexecuting a malicious program. "You should check all of your input allof the time, but experience shows this isn't the case," Mr. Tanenbaumsaid.
Independent computer security specialists also said RFID systems were potential problem areas.
"Itshouldn't surprise you that a system that is designed to bemanufactured as cheaply as possible is designed with no securityconstraints whatsoever," said Peter Neumann, a computer scientist atSRI International, a research firm in Menlo Park, Calif.
Mr.Neumann is the co-author of an article to be published in the May issueof the Communications of the Association for Computing Machinery on therisks of RFID systems. He said existing RFID systems were a computersecurity disaster waiting to happen.
He cited inadequateidentification for users, the potential for counterfeiting or disablingtags, and the problem of weak encryption in a passport-tracking systembeing developed in the United States. But he said he had not previouslyconsidered the possibility of viruses and other malicious softwareprograms.
An industry executive acknowledged that the companies that make computerized tracking systems faced potential security problems.
"Weare very actively looking at the different way the technology is used,"said the executive, Daniel P. Mullen, president of the Association forAutomatic Identification and Mobility, an industry trade group. "It'san ongoing dialogue about protecting information on the tag and in thedatabase."
The association has a working group of experts assessing both security and privacy challenges, he said.
Thereare many types of RFID tag, and some of the sophisticated versionsinclude security features like encryption of the identifying numbercarried by the chip.
But the Dutch research group warned that ina variety of situations it is possible for attackers to alter theinformation in an RFID tag to subvert its purpose.
"RFID malwareis a Pandora's box that has been gathering dust in the corners of our'smart' warehouses and homes," they write in their paper.
In oneexample they offered, a virus from an infected tag on luggage passingthrough an airport could be picked up when it is scanned by theluggage-handling control systems and then spread to tags attached toother pieces of luggage.
Such an attack, they suggest, mightspread luggage contamination to other airports. It might also be usedby a smuggler to cause a piece of luggage to avoid security systems.
Theyalso described situations of counterfeit RFID tags possibly being beused to subvert pricing and other aspects of commercial sales systems,or a virus could be inserted into RFID tags used to identify pets.
