    The Real RFID Security Issue

    Written by

    Eric Lundquist
    Published March 22, 2006

      BOSTON—Are RFID systems secure? This is a good question and one that should be asked before your company jumps on the RFID bandwagon.

      The question recently acquired an added urgency when a Dutch researcher presented a paper outlining a possible security hole. The answer may lie in cats, cell phones and making sure that you treat all the data in your network as worthy of security scrutiny regardless of the source.

      In the research paper, a group of researchers from the Computer Systems Group at Vrije University in Amsterdam raised the issue of an RFID tag being used as a carrier for a SQL injection attack on the underlying software identification and tracking system. The paper is available as a PDF here, and its presentation set off a storm of attacks, not from virus writers but from RFID vendors and consultants downplaying the likelihood of such an attack.

      “Many of the basic assumptions in the paper overlook a number of fundamental design features necessary in automatic data collection systems and good database design,” stated AIM Global president, Dan Mullen.

      “In other words, the researchers built a system with a weakness and then proceeded to show how the weakness could be exploited. Not surprisingly, poor system design, whether capturing RFID tag information, bar code information or keyboard-entered data will create vulnerabilities.”

      AIM is a trade organization representing automatic identification vendors, among others. In the controversial Dutch research paper titled, “Is Your Cat Infected with a Computer Virus?” the researchers note that, “RFID systems as a whole are often treated with suspicion, but the input data received from individual RFID tags is implicitly trusted.”

      The researchers contend that the implicit trust is unfounded and, “The security breaches that RFID deployers dread most—RFID malware, RFID worms and RFID viruses—are right around the corner.”

      Viruses entering an RFID system would indeed be a massive problem. Tracking down and eradicating viruses in e-mail systems is an ongoing and costly battle for IT administrators the world over.

      But e-mail systems dealing with thousands (and even at big companies, tens of thousands) of messages a day are still small systems compared to the millions of inputs that an RFID system tracking every product in a company's inventory would generate as those products move along the supply chain.

      The researchers are essentially saying that if you take a good RFID chip, replace it with a virus-coded chip and let the scanning take place as usual, you soon have that piece of bad code doing its dastardly deeds in your RFID system.

      The cat in the paper's title refers to a hypothetical veterinarian pet identification system that gets infected and ultimately freezes and displays, “the ominous message: All your pet are belong to us.” The bad English is a takeoff on a phrase that appeared in the Japanese game Zero Wing and refers to a self-propagating phrase for the whole story.

      The research findings have been attacked by RFID defenders as faulty. RFID chips, while simple devices, can be locked down, encrypted and don't present any more vulnerabilities than any other system such as bar codes, goes the argument.

      According to RFID defenders, if you incorporate bit checking, parameter checking and all the other safeguards associated with good system design in this era of security concerns, your cat will be safe.

      I think the researchers were right to raise the issue and the RFID defenders were right to raise their rebuttals.

      Assume Nothing About RFID Security

      So what should you do as someone considering developing or deploying RFID systems at your company?

      “Companies who use tags must not assume that the data they read from the tags was not put there by somebody else. Just like when writing Web applications, you have to assume any input from the outside world may contain malicious or corrupted data,” stated Yossi Oren, a researcher at the Weizmann Institute of Science in Israel in an e-mail exchange.

      I contacted Oren because he was the researcher who, along with Adi Shamir (a professor at the institute and one of the world's top security authorities), sent a shock wave through the RFID community when speaking at the RSA Security conference. Shamir outlined the possibility of hacking RFID chips with a cell phone.

      While RFID chips don't have a built-in power supply, they do signal their identity to a reader using the reader's power. Through the use of a directional antenna and measuring power consumption, Shamir contended a hacker could discover a password based on the RFID system's reaction to a “bad bit.” Once discovered, the password can be used to shut down the chip.

      “What are the implications for the future?,” Shamir asked the attendees at RSA. “I think the first generation [RFID chips] are very, very vulnerable to a very cheap kind of attack. While we haven't implemented it, we believe the cellular telephone has all the ingredients needed to carry out such an attack.

      “It [the cell phone] has a software radio and if you can tweak it enough you can just walk around and kill all the RFID tags in the vicinity,” said Shamir.

      I asked Oren if, since that presentation, their concerns about RFID vulnerability via power consumption metering had been confirmed for newer chips (Gen 2) as well as the older ones.

      “We are currently working on applying our results to newer [Gen 2] tags. We have some in the lab right now. When we have convincing results, they will be posted on the Web site.”

      The lesson for IT executives is: don't assume your RFID system is secure simply because you are using hardware chips in the process. You need to apply the same security best practices to your RFID system that you would to any critical corporate information system.
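
      As an added illustration (not code from the article or from the researchers it cites), the sketch below shows the two safeguards the column describes applied to tag reads: a strict format check on the tag payload and bound SQL parameters, so a tag whose memory holds SQL text is quarantined rather than executed. The 24-hex-digit ID format, the table names and the sample reads are assumptions constructed for this example.

```python
import re
import sqlite3

# Assumption for this example: tags carry a 96-bit ID as 24 uppercase hex digits.
TAG_ID = re.compile(r"[0-9A-F]{24}")

# Constructed sample reads: one well-formed ID, one tag whose memory holds
# SQL text instead of an ID, and one with non-ASCII bytes.
SAMPLE_READS = [
    (b"3034257BF7194E4000001A85", "dock-1"),
    (b"1'; DROP TABLE sightings; --", "dock-1"),
    (b"\xff\xfe\x00\x01", "dock-2"),
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sightings (tag_id TEXT NOT NULL, reader TEXT NOT NULL)")
    db.execute("CREATE TABLE rejected (payload_hex TEXT NOT NULL, reader TEXT NOT NULL)")
    return db

def parse_tag_id(raw):
    """Return the ID string if raw matches the expected format, else None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if TAG_ID.fullmatch(text) else None

def record_read(db, raw, reader):
    """Store a validated read; quarantine anything else as hex for review."""
    tag_id = parse_tag_id(raw)
    if tag_id is None:
        db.execute("INSERT INTO rejected VALUES (?, ?)", (raw.hex(), reader))
        return False
    # Bound parameters: the tag value is passed as data, never spliced into SQL.
    db.execute("INSERT INTO sightings VALUES (?, ?)", (tag_id, reader))
    return True

def ingest(db, reads):
    """Process a batch and return (accepted, rejected) counts."""
    results = [record_read(db, raw, reader) for raw, reader in reads]
    return results.count(True), results.count(False)

if __name__ == "__main__":
    db = open_db()
    print(ingest(db, SAMPLE_READS))
    print(db.execute("SELECT reader, COUNT(*) FROM rejected GROUP BY reader").fetchall())
```

      A rising count in the quarantine table for a single reader is a useful signal that tags with unexpected contents are passing through that location.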

      Eric Lundquist
      Since 1996, Eric Lundquist has been Editor in Chief of eWEEK, which includes domestic, international and online editions. As eWEEK's EIC, Lundquist oversees a staff of nearly 40 editors, reporters and Labs analysts covering product, services and companies in the high-technology community. He is a frequent speaker at industry gatherings and user events and sits on numerous advisory boards. Eric writes the popular weekly column, 'Up Front,' and he is a confidant of eWEEK's Spencer F. Katt gossip columnist.
