RFID — Ready For Imminent Destruction?

RFID (radio frequency ID) tags are soon going to be in everything. But do we really know what we’re letting ourselves in for?

Last month some Dutch researchers said they had created a virus capable of infecting RFID tags, an assertion that was poo-pooed by quite a few security folk. The researchers said the virus could infect back-end systems, making it possible, they said, to a prankster replace an RFID tag on a jar of peanut butter with an infected tag to infect a supermarket chain’s database; a subdermal (i.e., under-the-skin) RFID tag on a pet used to upload a virus into a veterinarian or ASPCA computer system; and, most alarmingly, a radio-frequency bag tag used to infect an airport baggage-handling system.

This was all very theoretical, which is a nice way of saying far-fetched and somewhat Bondsian. But now a bunch of Australian researchers, according to Tom Espiner of ZDNet UK, has “proven that effective attacks can be launched against RFID tags.” Basically, the tags stop functioning after they’re overloaded with data.

In the tests, the Australian researchers saturated the frequency range used by the tags, which prevented the tags from talking to the readers. … They demonstrated that from a range of about 3 feet, they could disrupt communications between tags and readers, putting the tag into a “communication fault state.”

This is techie-speak for “broken”.

This is somewhat worrying, because RFID tags are not just used in peanut butter. The military uses them for keeping tag of supplies; hospitals of supplies and patients. That kind of thing. Imagine the chaos if folk found out how to put tags in important installations into “communication fault state”. And, much more importantly, for gambling. A recently approved patent, for example, envisages lottery tickets carrying RFID so they can be validated and tracked. I’d not like to be around if someone found their winning lottery ticket had been converted by a jealous neighbour into a “communication fault state.”

Who knows whether these kind of attacks might find their way out of the lab and into the hands of bad guys? We were probably asking this question of ourselves back when computer viruses were silly little things that threw up messages about freeing hashish from the strictures of law. Now look what viruses are doing. Not much fun, I grant you, but we ignore these warning signs about RFID at our peril. If RFID is going to be in everything, let’s make sure it works. As the Australian researchers themselves conclude:

Vulnerabilities in the newer UHF style of RFID tags have been found and are of concern for anyone trying to implement a RFID system that would have mission critical or human life issues involved in it.

18. April 2006 by jeremy
Categories: Security | Tags: , , , , , , , , | 2 comments

Comments (2)

  1. US-based West End Laboratories, the research arm of LDC Security, has developed a special RFID tag zapper designed to kill the RFID chip preventing readers from performing unwanted scanning and tracking of people or goods.

    (PRWEB) November 18, 2004 — According to the company, because information stored on RFID tags can be read by anyone, they may pose privacy threats to customers when deployed in retail environments, and have already triggered a wave of consumer outcry.

    �In a naive, RFID-enabled world without technical forethought, there is risk that sensitive information could be visible in secret to anyone with an RFID reader,� said Le Derec Caden, director and chief scientist with West End Laboratories in the US.

    �Moreover, the unique serial numbers emitted by RFID tags could be used to track people and objects surreptitiously. For businesses too, RFID introduces new privacy and security risks � and a whole new dimension to corporate espionage. These concerns have motivated our scientists to work on a new generation of technical solutions that match these challenges.�

  2. Pingback: Mp3 Search