Experts unconcerned by RFID virus

An RFID virus attack is unlikely, according to security experts

A team of Dutch researchers has shown that it is possible to install a virus onto an RFID chip, but security experts told vnunet.com today that such activities do not pose a serious threat. 

The team, which is affiliated to the computer science department at Vrije Universiteit in Amsterdam, is to present its findings at the IEEE's Pervasive Computing and Communications Conference in Italy this week. The paper (PDF download) is entitled Is Your Cat Infected With a Computer Virus?. 

The team argues that it is possible to insert a virus into the RFID tags, even though the smallest ones hold very limited amounts of data.

The team tested a virus on a Windows machine running the Oracle 10g database alongside a Philips RFID reader and used it to infect a mocked-up database system.

Greg Day, security analyst at McAfee, said: "We have a mantra here: 'As it becomes common so it becomes attacked.'" 

"We've seen viruses less than 1,000 bytes in size, so it's possible. But if you think of the reality of such an attack it's unlikely. And as a virus propagation method it's useless unless you've already cracked the RFID scanner. "

The Dutch team postulated a number of attack scenarios, including installing an infected RFID tag on a supermarket product and using it to access the supply database, or infecting the ID chip in a cat's ear and taking it to the vet to be scanned, thus infecting the vet's animal database.

"The spread of RFID malware may launch a new frontier of cat-and-mouse activity that will play out in the arena of RFID technology," concludes the paper's authors.

"RFID malware may cause other new phenomena to appear, from RFID phishing (tricking RFID reader owners into reading malicious RFID tags) to RFID war-driving (searching for vulnerable RFID readers).

"Each of these cases makes it increasingly obvious that the age of RFID innocence has been lost."

The authors acknowledged that, in order for the virus to spread, the hacker would need extensive knowledge of a flaw in a commercial RFID tag reader, but said that no large piece of software is without such flaws.

"Anything which has the potential for data storage could, in theory, store a virus's data," said Graham Cluley, senior technology consultant for Sophos.

"But that does not mean that it would ever successfully spread in the wild or manage to infect another device.

"I think the typical administrator has got more serious things to worry about right now than that the price tag on the razor blades they bought that morning might also carry a theoretical virus."