The question recently acquired an added urgency when a Dutch researcher presented a paper outlining a possible security hole. The answer may lie in cats, cell phones and making sure that you treat all the data in your network as worthy of security scrutiny regardless of the source.
In the research paper, a group of researchers from the Computer Systems Group at Vrije University in Amsterdam raised the issue of an RFID tag being used as a carrier for SQL injection attack on the underlying software identification and tracking system. The paper is available as a pdf here and its presentation set off a storm of attacks, not from virus writers but from RFID vendors and consultants downplaying the likelihood of such an attack.
"Many of the basic assumptions in the paper overlook a number of fundamental design features necessary in automatic data collection systems and good database design," stated AIM Global president, Dan Mullen.
"In other words, the researchers built a system with a weakness and then proceeded to show how the weakness could be exploited. Not surprisingly, poor system design, whether capturing RFID tag information, bar code information or keyboard-entered data will create vulnerabilities."
AIM is a trade organization representing automatic identification vendors, among others. In the controversial Dutch research paper titled, "Is Your Cat Infected with a Computer Virus?" the researchers note that, "RFID systems as a whole are often treated with suspicion, but the input data received from individual RFID tags is implicitly trusted."
The researchers contend that the implicit trust is unfounded and, "The security breaches that RFID deployers dread most—RFID malware, RFID worms and RFID viruses—are right around the corner."
Viruses entering an RFID system would indeed be a massive problem. Tracking down and eradicating viruses in e-mail systems is an ongoing and costly battle for IT administrators the world over.
But e-mail systems dealing with thousands (and even at big companies, tens of thousands) of messages a day are still small systems compared to the millions of inputs that an RFID system tracking every product in a companys inventory would generate as those products move along the supply chain.
While the researchers are essentially saying that if you take a good RFID chip, replace it with a viruss coded chip, let the scanning take place as usual and soon you have that piece of bad code doing its dastardly deeds in your RFID system.
The cat in the papers title refers to a hypothetical veterinarian pet identification system that gets infected and ultimately freezes and displays, "the ominous message: All your pet are belong to us." The bad English is a take off on a phrase that appeared in the Japanese game Zero Wing and refers to a self-propagating phrase for the whole story.
The research findings have been attacked by RFID defenders as faulty. RFID chips, while simple devices, can be locked down, encrypted and dont present any more vulnerabilities than any other system such as bar codes, goes the argument.
According to RFID defenders, if you incorporate bit checking, parameter checking and all the other safeguards associated with good system design in this era of security concerns, your cat will be safe.
I think the researchers were right to raise the issue and the RFID defenders were right to raise their rebuttals.