64 Comments
- jknight, on 10/12/2007, -2/+28
Another link: http://www.rfidvirus.org/index.html
- JamesGlover, on 10/12/2007, -0/+12
The privacy problems with RFID are not inherent in the nature of RFID, but rather in the way the technology is implemented (as with any technology). The complete loss of the technology would be a shame, both for the consumer and industry (e.g. the oft-quoted "you have a red shirt in with your whites" example, or instant checkouts which scan your entire basket in one go). And many of the criticisms leveled at RFID could be applied to any UID system, be it a barcode or magnetic strip, whereas others are protected under current privacy laws.
While I agree it is important to keep an eye on the effects of RFID, I feel no benefit is gained from writing off the technology in its entirety.

- superalamar, on 10/12/2007, -4/+10
Your comment was dugg because you didn't scream about a duplicate story or call this old news, insinuating that I was a dullard for enjoying the article.
- socket, on 10/12/2007, -2/+6
"p0wn or pwn (http://en.wikipedia.org/wiki/Pwn), some say, means "power owned" as in a step above "owned" or "0wned" as you put it."
That's wrong and has been proven wrong. (Big surprise, misinfo from Wikipedia.) It started because of a horrid typo of "owned", due to p being right next to o on the QWERTY keyboard, resulting in "pwned".
Power owned was something a lamer made up to try to explain something they didn't understand.

- Kitsune818, on 10/12/2007, -1/+5
Reported as inaccurate... the title doesn't match the article.
- sirmalloc, on 10/12/2007, -0/+4
It looks like they were doing a simple SQL injection attack as a proof of concept. I don't see how this is considered self-replicating if it doesn't "infect" other RFID tags by initiating some kind of write to them.
- djork, on 10/12/2007, -1/+4
I worked with RFID for a while, and I came to this conclusion: privacy nuts are just that... NUTS. RFID doesn't need to be "stopped" by some vigilant consumer-rights group. It's a neutral technology that has been in place for quite some time whether you know it or not. Exxon Speedpass? They're RFID. Checkpoint retail security gates? That's RFID. Swipeless building access cards? You guessed it, RFID. I can remove tags, and they're simply not readable from any practical distance (like, from the black van parked outside of my home).
- jrsmith, on 10/12/2007, -0/+3
Wal-mart is using the tags in their stores but it's not on an item-per-item basis, only case by case. The tags are not on everything and you as the consumer do not take the RFID tag home unless you happen to purchase an item that is the case (such as furniture, televisions, computers), but even still the tag is stuck inside the case and not on the product itself. http://www.digg.com/technology/How_Wal-Mart_will_use_RFID is a link to an article on how RFID is used at Wal-mart. Criminals will not be able to scan your whole house and see what electronics you have unless you keep all of the boxes from them.
Also... just a comment about people who hate Wal-mart. I understand that you must be jealous that you're not able to run a company as successful as Wal-mart. Don't be jealous of Wal-mart for being successful. If you've had a bad experience at a store then it's not really their fault; most likely it's the fault of an ignorant employee who is just there for a paycheck. Also, an exploit like this would have almost no effect on Wal-mart (at store level anyway) because RFID is not being heavily relied on; it's just simply there to help keep track of the merchandise and identify when merchandise that needs to be on the salesfloor might be in the backroom.
- QuiescentWonder, on 10/12/2007, -0/+3
There are even more problems with this.
First of all, it's hard to fit a virus into 118 bytes of memory... That's probably less compiled code than this post is long. Secondly, the virus would have to be so specific to each system, seeing as how they aren't all the same, that the writer would have to have a great knowledge of the system they were attacking.
I'd like to quote this part of the article and set the record straight.
"RFID systems may be attractive to criminals since the data contained on them may have a financial or personal nature, such as information stored on digital passports. In addition to causing damage to computer systems, RFID malware may have an effect on real-world objects, the paper said."
Now here is how all of these technologies are planned on working. The RFID tags don't actually contain any personal information. All they contain is a code that will correspond with an entry in a database somewhere. Now once you have that code, /if/ you have access to that database, then you can look up the information that corresponds to that code. If you don't have access to that database, all you have is a code that is up to 118 bytes in length that has no personal information whatsoever within it. The equivalent is if someone were to look at your passport (paper, old-school style) and recreate the outside casing of the passport thinking it was going to get them somewhere when in reality... all they have is a case for a passport. If you think about it, the way we currently carry our passport around is actually more susceptible to attack than an RFID tag would be. Someone could just run up and grab it. Don't try to argue that because the information would be in a database somewhere that would mean that some hacker could get into it, because all of the information in these proposed systems is ALREADY IN A DATABASE SOMEWHERE, whether it be a passport, medical data, anything. All the information is somewhere already. Using RFID tags in this sense, some may say, is actually safer than carrying around all the information with you.

- sundancekid503, on 10/12/2007, -0/+3
Don't count on it. RFID in one way or another is here to stay. It will change, it may get a new cute acronym, but the very concept of it is unavoidable.
- Philodox, on 10/12/2007, -0/+2
I can think of several things wrong with that article. Firstly: the type of tag used by Wal-mart has 96 *bits* of information available to it. Secondly: most RFID middle-ware is written using either .NET or Java. I'm not aware of any MSIL or Java bytecode virii that exist, and the overhead they bring with them makes it prohibitively hard to put that in 96 bits.
SQL injection attacks are so improbable it's ridiculous. Data on RFID tags is encoded as numeric values, which you get from the reader or the middle-ware as a *numeric* quantity. What kind of person would use the ASCII/Unicode representation of that set of bits and then slap it on the end of an SQL statement? Nobody who's ever written something larger than hello world, that's for sure.

- QuiescentWonder, on 10/12/2007, -0/+2
"Still, flying wouldn't be the same if some prankster just made you a number one terrorist by hacking the RFID chip in your next passport.
Or a virus that makes everybody's passport say that they are Bin Laden."
If you realized how the technology worked, you would realize that any random person can't just write new data to your passport, so the first part is impossible. Now the virus you are talking about, you might as well say that someone is going to hack the FBI and delete all their records. It's just not going to happen.

- willcode4beer, on 10/12/2007, -0/+2
The 118 byte limit is just for a given id tag. However, if you are hacking an RFID system with a radio transmitter (the only proper way), you can send as many bytes as you like.
This opens the way for the mentioned buffer overflow exploit, which is where you send more bytes to a vulnerable system than it is designed to receive. This can allow arbitrary code to be executed on the system (strcpy anyone?). OTOH, it should be trivial to prevent a buffer overflow on the data received from the tags.
Granted, it's going to take quite a bit of detailed system information to write effective shell code to take advantage of this. It will be even more difficult since you'd get no direct feedback from the system.
An attacker would probably need to create an emulated environment to test his exploit, meaning hardware/OS/vendor software. This might make it a bit difficult for the average teenage hacker. Maybe some organized crime type could get the detailed info (and software) more easily by sending a bribe to the corp drone software developer working on the system.
SQL injection attacks would probably be a little easier, but you are still going to need some detailed system information.
For the amount that needs to be invested to make use of exploiting insecure RFID systems, it may not be worth it (even to a criminal).

- Floodle, on 10/12/2007, -0/+2
Almost all RFID tags are read-only; read/write ones are, relatively speaking, too expensive for use in retail.
- icefitz, on 10/12/2007, -1/+3
The title is misleading as it makes it sound like the tags would send the virus from tag to tag. This is more along the lines of middleware being vulnerable to attacks from malformed RFIDs. This is the same with any system that can accept arbitrary inputs.
- QuiescentWonder, on 10/12/2007, -1/+3
Only one problem, Wal-Mart doesn't use RFID tags in the retail part of its store.
Also, Wal-Mart isn't the only big company that uses RFID tags.

- travisxt97, on 10/12/2007, -0/+2
Maybe it's time to buy one of those RFID blocking wallets:
http://digg.com/security/A_new_smart_RFID_blocking_wallet--only_blocks_signals_when_closed

- dongiaconia, on 10/12/2007, -0/+2
Your response is 100% accurate; however, it still doesn't address the issue of self replication. The title is slightly inaccurate. To say that RFID tags are susceptible to viruses suggests that an RFID tag could be created that would cause a SQL injection attack and furthermore that the exploit would result in overwriting future scanned RFID tags with the same destructive code. It is correct to call it a vulnerability, but the term Virus is inaccurate.
- QuiescentWonder, on 10/12/2007, -0/+2
It can't actually spread to the tags themselves. You put some code into an RFID tag, then you scan it; if the software somewhere between the scanner and where that transaction ends has some sort of bug that will allow that code to be arbitrarily run, then it's a threat. It still stands, though, that you wouldn't be able to rewrite other RFID tags because of this.
Making a virus to do anything destructive would involve having an immense amount of knowledge of the system you were trying to infect, plus the skills to write that sort of code. Then, on top of that, if you do know all that, you probably work for the place or set it up for them and already have access to the system, so doing this would be pointless.

- manitcor, on 10/12/2007, -0/+2
Not necessarily to infect other RFID tags; however, given enough knowledge of the middleware one could write an injection attack that could insert data (the data would be executable code, JScript, TCL, whatever the middleware uses) into a table that is then read by a back end process. This code could be written such that when the backend process sees the script it executes the script. It is the script that is put into the injection attack that will harm the system. Depending on the access level of the process running in the database it may be possible to create triggers, stored procedures, or even shell to the OS. Granted, the amount of commands one could stick into an RFID system would be very limited. I could see the possibility of having a script shell as the system account running the process and then executing a command to call home and get a larger block of code to execute now that it is running as a system process.
Granted, most of these methods can be prevented through good application design coupled with proper security at the application, OS and network levels, but in reality how many companies do you know of that actually exercise due diligence to that level of detail? Even many commercial products are vulnerable.
As for the whole thing about passports and IDs, personally I think RFID will make it more vulnerable to attack. If I can get someone's RFID number I can then make a reasonable facsimile of identification using your RFID. It's likely that the person checking will just scan the RFID, see that it's valid and let you go on your way without looking closer at the ID card. Because as you know "computers are never wrong", at least that's how a good chunk of the population sees it.

- schuller, on 10/12/2007, -0/+1
This is silly. The "exploit" is not a virus; there is no executable piece of malicious software residing on an RFID chip. The flaw exists in the middleware, and can be "exploited" via any input mechanism that uses the middleware (such as a webservice accessed by an internet site). The exploit relies on modifying the data on the RFID chip such that when used as a parameter in a SQL statement, it allows for random SQL execution. This is your plain vanilla SQL injection that has existed for ages. You can type this sort of "malformed data" into a web form and post it and get the same result. Saying that the RFID chip has the virus would be equivalent to saying that the virus is also in the person that typed in the malformed data to the webform mentioned earlier. No digg, get the title (and research) straight.
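As an added illustration of the point schuller makes above (the flaw is string-concatenated SQL in the middleware, and tag data is just another input) and of Philodox's remark that a reader hands over a numeric tag ID: a constructed Python/sqlite3 sketch, not code from the paper, from rfidvirus.org or from any vendor's middleware, showing the vulnerable lookup beside a hardened one that validates the tag as a 96-bit EPC and binds it as a query parameter. The inventory table, the sample EPCs and the malformed tag string are all made up here.

```python
import re
import sqlite3

# Constructed sample inventory rows: (EPC as 24 hex digits, item, location).
# Made-up values, not data from any real RFID deployment.
SAMPLE_ITEMS = [
    ("30700048440663802E185523", "case of widgets", "backroom"),
    ("30700048440663802E185524", "flat-screen TV", "salesfloor"),
]

# Constructed malformed "tag data": what the middleware would see if bytes
# handed over by a reader were treated as free text instead of a tag ID.
MALFORMED_TAG = "' OR '1'='1"

# A 96-bit EPC is exactly 24 hex digits once rendered as a string; anything
# else (wrong length, quotes, SQL keywords) is not a tag ID and is rejected.
EPC96_RE = re.compile(r"[0-9A-Fa-f]{24}")


def is_valid_epc96(tag_data: str) -> bool:
    """Return True only if tag_data is a well-formed 96-bit EPC string."""
    return EPC96_RE.fullmatch(tag_data) is not None


def make_inventory_db() -> sqlite3.Connection:
    """Create an in-memory inventory table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE inventory (epc TEXT PRIMARY KEY, item TEXT, location TEXT)"
    )
    conn.executemany("INSERT INTO inventory VALUES (?, ?, ?)", SAMPLE_ITEMS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, tag_data: str) -> list:
    """The flawed pattern: tag data pasted straight into the SQL text.

    Whatever the tag contains becomes part of the statement, so a tag that
    is not a plain ID changes what the query does.
    """
    sql = "SELECT item, location FROM inventory WHERE epc = '" + tag_data + "'"
    return conn.execute(sql).fetchall()


def lookup_bound_only(conn: sqlite3.Connection, tag_data: str) -> list:
    """Parameter binding alone: the driver never treats the value as SQL, so
    a malformed string is merely a key that matches no row."""
    return conn.execute(
        "SELECT item, location FROM inventory WHERE epc = ?", (tag_data,)
    ).fetchall()


def lookup_hardened(conn: sqlite3.Connection, tag_data: str) -> list:
    """Reject anything that is not a 96-bit EPC, then bind it as a parameter.

    The two layers are independent: validation stops malformed input at the
    door, and binding keeps the value out of the SQL text even if validation
    were ever bypassed elsewhere in the code path.
    """
    if not is_valid_epc96(tag_data):
        raise ValueError("malformed tag data rejected")
    return conn.execute(
        "SELECT item, location FROM inventory WHERE epc = ?",
        (tag_data.upper(),),
    ).fetchall()


if __name__ == "__main__":
    db = make_inventory_db()
    good = "30700048440663802E185523"
    print("vulnerable, valid tag:    ", lookup_vulnerable(db, good))
    print("vulnerable, malformed tag:", lookup_vulnerable(db, MALFORMED_TAG))
    print("bound only, malformed tag:", lookup_bound_only(db, MALFORMED_TAG))
    print("hardened, valid tag:      ", lookup_hardened(db, good))
    try:
        lookup_hardened(db, MALFORMED_TAG)
    except ValueError as err:
        print("hardened, malformed tag:  ", err)
```

The vulnerable lookup returns every row for the malformed tag because the string becomes part of the WHERE clause; the bound query returns nothing and the hardened one refuses the input before any query runs.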
- NippleNutz, on 10/12/2007, -4/+5
You're both wrong, it's pwned.
- MrDan, on 10/12/2007, -0/+1
No, as that would require that the system write data back to the RFID card, something which doesn't happen (and would require more code than can fit on the card!)
- dignon, on 10/12/2007, -0/+1
Yeah, actually you're just regurgitating the standard "nothing to see here, move along and ignore your privacy" line from the RFID industry. I don't deny that RFID is a great idea in concept. As with most things, however, its implementation in the real world is where problems pop up. RFID tags have already been shown to be readable up to 150 ft away, and this is before any serious hackers have a go at it. So, the "black van" scenario you describe as being impossible is already a possibility.
You wisely suggest that consumers can remove the tags, if they don't want the privacy risk. A logical assumption, but also not true. RFID is so small, it may not be easy to find in most products. Many products, in fact, are planning to build the RFID device directly into the product, woven into fabric in clothes or embedded into plastics in others. Furthermore, the industry has resisted all attempts at the very reasonable solution of simply deactivating the RFID tags in products after they are purchased. What possible reason they would have for that stance is beyond me.

- andy2005, on 10/12/2007, -0/+1
Interesting. Tanenbaum, a big name in Computer Science.
- slant, on 10/12/2007, -3/+4
p0wn or pwn (http://en.wikipedia.org/wiki/Pwn), some say, means "power owned" as in a step above "owned" or "0wned" as you put it.
More information: http://en.wikipedia.org/wiki/List_of_Internet_slang

- Xalorous, on 10/12/2007, -1/+2
They ARE readable from the street. The well-equipped criminal 10 years from now will be able to scan your house and know your inventory of electronics and perhaps even clothes. And if you carry your Exxon Speedpass in your wallet, they can tell if you are at home (or at least whether your wallet is).
The point of this article is that, in testing, researchers have been able to reprogram an RFID tag so that the tag will infect middleware. Bottom line is that this means they can, in time, develop a way to backdoor the whole database by replacing the data on RFID tags which are then scanned and install the backdoor/rootkit/whatever.
And the point of the researchers is that the middleware needs robust security measures which carefully parse input and reject anything that is malformed.

- Prophasi, on 10/12/2007, -0/+1
@YossarianDent:
"I wish I had the presence of mind to take over someone else's hard work and use their capital and influence to take advantage of unfortunate economical situations and step all over the growing portion of the population that has little other choice."
Emotional bias can really cloud an argument. It's hard to tell who the victims are supposed to be in your quote, but I assume it would be small local businesses, consumers, and Wal-Mart's employees. Smaller businesses fail compared to Wal-Mart because Wal-Mart's cheaper and has more stuff under one roof. Loss for small business IF small biz tries to compete on price or variety alone. Win for all the people who shop at Wal-Mart, particularly the "economically disadvantaged" -- AKA the poor you might be feeling bad for. Average wage according to Slate (http://www.slate.com/id/2089532/) is $8.23, far more than I made when I started working at Eckerd Drugs, whether in real dollars, percentage above min wage, or anything else.
In my experience, most of the workers -- and I mean a HIGH percentage -- at Wal-Mart just plain suck, which, I dunno, maybe this is crazy, is the reason they're not making even more. It's not hard to start at a minimum wage job, do excellent work, and move up almost immediately. $8.23 isn't enough to live on for a family of three? Try having two parents work, or try not having kids until you have a better job, or try working harder/better so that you make more soon. It's not complex. I'm sure the poor people in the more enlightened, non-American, non-greedy countries will all join together in raising some funds for the "poor" in America.
Wal-Mart IS greedy, because Wal-Mart IS a corporation. They exist to increase shareholder value. You're not supposed to celebrate greed; you're supposed to celebrate the system that allows competing greed to drive up quality and drive down prices, in some combination. And that is precisely what Wal-Mart has mastered. Do you think they make money by having the SS march people through the door and steal their money? People shop there because they get the most stuff for the least money there, improving quality of life.
No other choices... hmmm... ok. I can go near any Wal-Mart and find tons of local stores, whether ethnic foods, hardware, repair, battery, furniture, and many more. Then there are the other chains -- Publix, Safeway, Food Lion, Target, Beall's, Ross, Payless, SaveALot, K-Mart, Ace, etc. etc. etc. etc. Yeah, they're all going out of business real soon, and we have no options. Poor us!
Get a life, get your emotions in check, compare your vague heartfelt emotions to reality, and learn economics. Oh, and compare us to the rest of the world to strengthen your notions about how awful Wal-Mart and capitalistic greed have been for us poor Americans.

- mongrel, on 10/12/2007, -0/+1
Agreed, it's pwned - just a pop icon typo. Just like teh word teh. One must ask, who is a bigger dork - the one who intentionally uses dorky language in a headline, or the one who tries and screws it up? Poseur. Heehee
- 1337 haxx0r

- YVRSteve, on 10/12/2007, -0/+1
US Military is the largest user, followed by Tessco, then Walmart.
- eatporktoo, on 10/12/2007, -1/+2
You get a digg for this story just because you used the following phrase...
"Walmart, prepare to be p0wned."
You sir, are my hero!

- Jonsey, on 10/12/2007, -0/+1
I know Wal-Mart Canada is not yet using RFID in their warehouses. I also doubt they are using them in the stores.
They have enough trouble just trying to get vendors to properly barcode items! So I think mass use of RFID tags is a long way out. However, it sure would make the DCs more efficient...

- Xalorous, on 10/12/2007, -0/+0
Wal-Mart is probably the single largest RFID user. The electronics department is full of the tags. Do they use them on the boxes in transit as well?
- Khlept0, on 10/12/2007, -1/+1
Good thing we just started putting them in our passports =]
- Bowhunter87, on 12/03/2008, -0/+0
Whether or not the whole virus for RFID chips is possible aside, the thought alone can be scary. With the widespread usage of RFID in many of the world's largest retailers, a virus that could effectively nullify these capabilities could cause these industrial machines to grind to a halt, consequently resulting in a situation with possibly worldwide economic implications. Definitely an issue to consider for the future if nothing else.
- manitcor, on 10/12/2007, -0/+0
I agree, the title is inaccurate to the article at hand. Albeit it would be possible for a virus to replicate to other RFIDs in a system that would allow writing back to the tags. This is not likely as most systems have devices for reading and separate devices that read/write. So it would only be possible if the person who does scanning regularly is using a device that will both read and write to RFID tags and the middleware used at that particular point in the system had this feature enabled. They may have even built this into their test, though the OA doesn't go into that much detail.
I don't see much of an advantage to infecting other tags anyhow. The money would be in gaining a foothold in the backend systems that the RFID tags are tied to. Once gained, the possibilities are pretty much up to the imagination. It would only take one tag to infect the target system (the back-end). The only possible way I could see replication onto other tags being useful would be to seed a distribution center with a single tag which would then replicate to other tags so that the retailers or receivers could then become infected. However, with the range of different products on the market it would be difficult to account for every type of possible system the receiver may have. Though I could propose some ideas.
The more I think about this the more I think I should prob just be quiet rather than give anyone ideas.

- icefitz, on 10/12/2007, -0/+0
You are making a leap there saying that RFID could be written to, and if you were using them for tracking there would be no reason for them to be anything other than a dumb tag like a UPC that cannot be rewritten.

- kaptainKraken, on 10/12/2007, -0/+0
Luckily there are some pretty awesome tools for defeating RFID, such devices as RFID zapper and now RFID viruses. But I also envision devices that record all RFID tags encountered in their path and replicate any of them at will. That would be good for fooling inventories that something is still there when in reality it really is gone.
- jasonmcaffee, on 10/12/2007, -0/+0
"The purpose of the exercise, the authors wrote, is to encourage RFID middleware designers to be more careful when writing code."
Not to indicate that RFID is a non-secure technology and that we should "stop the whole RFID thing before it gets too big to be handled." Think of how many websites have been exploited via SQL injections and the like. Should we stop the whole web thing before it gets out of hand as well?
Also, the title is misleading.

- beatniak, on 10/12/2007, -1/+1
It can be self-replicating through a two-step flow:
They've discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags.

- celerate, on 10/12/2007, -1/+1
Actually the Bible never specified that RFID tags were the mark of the beast at all.
It did say people would have the mark of the beast on the backs of their hands and (might be "or" instead of "and", not sure) on their foreheads, but I have yet to see people with RFID tags there. In fact in some bars where they use RFID tags on willing customers they usually inject them in the arm.

- thisisL, on 10/12/2007, -0/+0
Wow, this is amazing. There must be hundreds of posts per day here from people that are full of *****. First off, there is no limit to how much memory you can stuff into one of these. You just stick another EEPROM into the circuit. Secondly, these particular things don't even need ~118 bytes of EEPROM space. I know they don't because they're just siblings of PIC microcontrollers (many of them are PICs, and they have built-in EEPROM modules), and I can do a lot with a hundred bytes of EEPROM, don't let anyone fool you. Writing a large amount of data to EEPROM is too time consuming (yes, it takes several milliseconds to transfer appreciable amounts of data to and from EEPROM) for retail systems that just want to check if a rushing customer is leaving with something not yet purchased. Identification keys certainly aren't hundreds of bytes long (ever wonder why there isn't 1024-bit WEP?), and the few bits that mean the difference between sold and store-owned are negligible indeed.
The data from http://www.rfidvirus.org/index.html is a bit more believable than what these talking heads seem to be chanting. 1024 bits (1024 / 8 = 128 bytes; notice that this is a power of 2 like all other computer numbers) is one number that they came up with, and as newer micros are released, they always have more features (and more EEPROM). That number is not the amount of RAM, don't get confused. RAM is not terribly important here (other than for on-the-fly operations that take place as you walk by the RFID sensor (which powers the chips)), since any data in RAM gets wiped clean as soon as you leave an energized RF field (and the device goes off).
Some of the issue relates to processor capability. Different devices are capable of different operations, and more modern (and expensive) microchips can execute more complex instructions in the same given amount of code space. For example, 16-bit microcontrollers like those of the 24F series are capable of bit-carrying operations and general math routines that an older 16F would have to execute indirectly over a great number of processor cycles (requiring a large amount of instruction code in the process). Simplifying instructions means faster execution and less code.
If you really want to attack the RFID tag method, get a little pin or thumbtack that attaches to your finger and cut a small square around the middle of the RFID. You can detach the antenna from the chip and not be caught if you have enough brains, I'm sure.
Then again, if you're caught dead in a Walmart, you probably don't.

- Xiol, on 10/12/2007, -1/+1
Flaming once again. Can we just have this prick kicked off? (@jkfan)
- iiftmlis, on 10/12/2007, -0/+0
I don't see where a working virus has been created. They have shown that it's possible for middleware to contain a flaw that could be exploited but they have not actually built and demonstrated a working virus.
- Wolfghost, on 10/12/2007, -0/+0
The Walmart mention was a joke based on Walmart's rumored plans to RFID everything. If the rumor was true, they seem to have scaled back in the past year.
- pgorley, on 10/12/2007, -3/+2
Who the hell uses the word "p0wned" in an article?
- doctechnical, on 10/12/2007, -1/+0
What a massive load of hooey. My library card has a mag-stripe on it; how do I know THAT doesn't contain a virus, huh?
Eeek! Library card virus! AIIIEEE! Run away!

- kjnc21, on 10/12/2007, -1/+0
My passport just came yesterday. I want to infect it and then spread the virus when I go on a cruise next month. :)
Payback for the stomach bug I picked up last cruise.

- Woozle, on 10/12/2007, -2/+0
lol. I was thinking the same thing. haha.
- YossarianDent, on 10/12/2007, -3/+1
jrsmith:
Yes. I am terribly jealous of Wal-Mart's business savvy and the success they've enjoyed as a result of it. I wish I had the presence of mind to take over someone else's hard work and use their capital and influence to take advantage of unfortunate economical situations and step all over the growing portion of the population that has little other choice. Let's not even mention where I could get my products.
I don't hate Wal-Mart because I'm jealous. I hate them because they're the very epitome of what is wrong with America's culture of corporate greed and one of the reasons we deserve much of the antipathy we occasionally receive from other parts of the world.