July 19, 2006

Can RFID transmit virus and worms ?

RFID tags may become commonplace in the future, but not a lot of people are looking forward to widespread implementation. There was already concern that these "smart barcodes" would allow consumers' habits to be more easily tracked, and that the technology could facilitate identity theft. It turns out that RFID tags can transmit computer viruses, as well.

Melanie R. Rieback, Patrick N. D. Simpson, Bruno Crispo, and Andrew S. Tanenbaum have published a paper called "RFID Viruses and Worms." In it, they reveal some disturbing information. "Up until now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software, and certainly not in a malicious way. Unfortunately, they are wrong.

"In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionally) infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags." The paper goes over three possible scenarios in which this could be exploited in a harmful fashion.

It also details how to create such worms and viruses. This isn't quite as bad as it sounds, the group explains. "When talking to people in charge of RFID systems, they often dismiss security concerns as academic, unrealistic, and unworthy of spending any money on countering, as these threats are merely ?theoretical.' By making code for RFID ?malware' publicly available, we hope to convince them that the problem is serious and had better be dealt with, and fast."

Let's hope this full disclosure works to the public's advantage.