Tag Archives: Amsterdam

How To Infect An Airport

Could it be possible to use Radio Frequency ID tags, or RFID, to transmit viruses? Some researchers reckon so. Unstrung reports that in a paper presented at the Pervasive Computing and Communications Conference in Pisa, Italy, researchers from Vrije Universiteit in Amsterdam, led by Andrew Tanenbaum, show just how susceptible radio-frequency tags may be to malware. “Up until now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify backend software, and certainly not in a malicious way,” the paper’s authors write. “Unfortunately, they are wrong.”

According to The New Scientist, the Vrije Universiteit team found that compact malicious code could be written to RFID tags by replacing a tag’s normal identification code with a carefully written message. This could in turn exploit bugs in a computer connected to an RFID reader. This made it possible, the magazine says, to spread a self-replicating computer worm capable of infecting other compatible, and rewritable, RFID tags.

An RFID tag is small — roughly the size of a grain of rice, the New Scientist says, and contains a tiny chip and radio transmitter capable of sending a unique identification code over a short distance to a receiver and a connected computer. The tags are widely used in supermarkets, warehouses, pet tracking and toll collection. But the technology is still in the early stages of development, which leaves it vulnerable. Until now, however, it was thought the tags’ small internal memory would make them impossible to infect. Not so, say the researchers.

So what would happen, exactly? The RFID virus would find its way into the backend databases used by the RFID software. The paper, Unstrung says, outlines three scenarios: a prankster who replaces an RFID tag on a jar of peanut butter with an infected tag to infect a supermarket chain’s database; a subdermal (i.e., under-the-skin) RFID tag on a pet used to upload a virus into a veterinarian or ASPCA computer system; and, most alarmingly, a radio-frequency bag tag used to infect an airport baggage-handling system. A virus in an airport database could re-infect other bags as they are scanned, which in turn could spread the virus to hub airports as the traveler changes planes.
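The backend's side of that assumption, as an added example that is not code from the paper or from any article quoted here: it treats the bytes read from a tag as untrusted input and compares a string-built database insert with a validated, parameterized one. The bug class (tag data pasted into a SQL statement), the 24-hex-digit tag format, the `scans` table and all function names are assumptions made for this sketch.

```python
import re
import sqlite3

# Assumption for this sketch: a well-formed tag carries exactly 24 hex digits.
TAG_ID = re.compile(r"[0-9A-F]{24}")

GOOD_TAG = "E2000017221101441890A1B2"   # constructed sample identifier
CRAFTED_TAG = "AAAA', 'x'), ('BBBB"     # constructed: quote characters in tag data


def make_db():
    """In-memory stand-in for the database behind the reader middleware."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE scans (tag_id TEXT, location TEXT)")
    return db


def record_scan_weak(db, tag_data, location):
    # Weak: whatever the tag holds becomes part of the statement text,
    # so the tag's contents decide what the statement does.
    db.execute(f"INSERT INTO scans VALUES ('{tag_data}', '{location}')")


def record_scan_hardened(db, tag_data, location):
    # Reject anything that is not a plain identifier, then bind it as data
    # so it can never be parsed as part of the statement.
    if not TAG_ID.fullmatch(tag_data):
        return False
    db.execute("INSERT INTO scans VALUES (?, ?)", (tag_data, location))
    return True


def row_count(db):
    return db.execute("SELECT COUNT(*) FROM scans").fetchone()[0]


if __name__ == "__main__":
    weak, hard = make_db(), make_db()
    record_scan_weak(weak, CRAFTED_TAG, "gate-12")
    print("weak path, rows after one scan:", row_count(weak))
    print("hardened, crafted tag accepted:",
          record_scan_hardened(hard, CRAFTED_TAG, "gate-12"))
    print("hardened, good tag accepted:",
          record_scan_hardened(hard, GOOD_TAG, "gate-12"))
```

On the weak path a single scan writes two rows, because the tag contents changed the shape of the statement; the hardened path refuses the same read, and a rejected read is worth logging as a detection signal.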

So how likely is this? Not very, Unstrung quotes Dan Mullen, executive director of AIM Global, a trade association for the barcode and RFID industries, as saying. “If you’re looking at an airport baggage system, for instance, you have to know what sort of tag’s being used, the structure of the data being collected, and what the scanners are set up to gather,” he explains. Red Herring quotes Kevin Ashton, vice president of marketing for ThingMagic, a Cambridge, Massachusetts-based designer of reading devices for RFID systems, as saying the paper was highly theoretical and the theoretical RFID viruses could be damaging only to an “incredibly badly designed system.” Hey, that sounds a bit like a PC.

But he does make a good point: because RFID systems are custom designed, a hacker would have to know a lot about the system to be able to infect it. But that doesn’t mean it can’t be done, and it doesn’t mean it won’t get easier to infect. As RFID becomes more widespread, off-the-shelf solutions are going to become more common. And besides, what will stop a disgruntled worker from infecting a system he is using? Or an attacker obtaining some tags and stealing a reader, say, and then reverse engineering the RFID target?

My instinct would be to take these guys seriously. As with Bluetooth security issues such as Bluesnarfing, the tendency is for the industry itself not to take security seriously until someone smarter than them comes along and shows them why they should do.

The General, The Famous Psychiatrist and “Different Nigerians”

You don’t have to be dumb to fall for Nigerian email scams. According to a suit filed by a renowned psychiatrist’s son, Dr. Louis A. Gottschalk lost perhaps $3 million over 10 years to scammers from Nigeria. As the LA Times puts it:

The court documents, filed last month in Orange County Superior Court, allege Gottschalk even traveled to Africa to meet a shadowy figure known as “The General.” Gottschalk — who at 89 still works at the UCI campus medical plaza that bears his name — said in court papers that the losses were caused by “some bad investments.”

The tale is an awfully familiar one, made worse by the sums involved and the apparent fact that we are talking about a renowned psychiatrist. As the son’s attorney put it: “While it seems unlikely, even ludicrous, that a highly educated doctor like [Gottschalk] would fall prey to such an obvious con, that is exactly what happened,” according to court papers.

According to the son’s account, the scam dates back to 1995:

A year later, Louis Gottschalk traveled to Africa to meet “The General” and other Nigerians “to show them that he was sincere so he would get the money.” Another court document said he also traveled to Amsterdam to meet the Nigerians. Soon afterward, his son said Gottschalk admitted to him that he had lost $300,000 and that FBI agents concluded that he had been a victim of an Internet scam.

But, as in many of these cases, that didn’t stop him. Throwing good money after bad, caution to the wind but not the towel, Louis Gottschalk, according to his son

kept clandestinely wiring money to the Nigerians at least until last fall. Guy Gottschalk said that when he confronted his father in October, Louis Gottschalk said, “Don’t worry, everything will be all right on Thursday because I will be getting $20 million.” The son said his father also told him he’d get the money this time because these were “different Nigerians.”

They always are.
