RFID (radio frequency ID) tags are soon going to be in everything. But do we really know what we’re letting ourselves in for?
Last month some Dutch researchers said they had created a virus capable of infecting RFID tags, an assertion that was poo-pooed by quite a few security folk. The researchers said the virus could infect back-end systems, making it possible, they said, to a prankster replace an RFID tag on a jar of peanut butter with an infected tag to infect a supermarket chain’s database; a subdermal (i.e., under-the-skin) RFID tag on a pet used to upload a virus into a veterinarian or ASPCA computer system; and, most alarmingly, a radio-frequency bag tag used to infect an airport baggage-handling system.
This was all very theoretical, which is a nice way of saying far-fetched and somewhat Bondsian. But now a bunch of Australian researchers, according to Tom Espiner of ZDNet UK, has “proven that effective attacks can be launched against RFID tags.” Basically, the tags stop functioning after they’re overloaded with data.
In the tests, the Australian researchers saturated the frequency range used by the tags, which prevented the tags from talking to the readers. … They demonstrated that from a range of about 3 feet, they could disrupt communications between tags and readers, putting the tag into a “communication fault state.”
This is techie-speak for “broken”.
This is somewhat worrying, because RFID tags are not just used in peanut butter. The military uses them for keeping tag of supplies; hospitals of supplies and patients. That kind of thing. Imagine the chaos if folk found out how to put tags in important installations into “communication fault state”. And, much more importantly, for gambling. A recently approved patent, for example, envisages lottery tickets carrying RFID so they can be validated and tracked. I’d not like to be around if someone found their winning lottery ticket had been converted by a jealous neighbour into a “communication fault state.”
Who knows whether these kind of attacks might find their way out of the lab and into the hands of bad guys? We were probably asking this question of ourselves back when computer viruses were silly little things that threw up messages about freeing hashish from the strictures of law. Now look what viruses are doing. Not much fun, I grant you, but we ignore these warning signs about RFID at our peril. If RFID is going to be in everything, let’s make sure it works. As the Australian researchers themselves conclude:
Vulnerabilities in the newer UHF style of RFID tags have been found and are of concern for anyone trying to implement a RFID system that would have mission critical or human life issues involved in it.