17-03-06

the hype about RFID worms and cats

http://www.rfidvirus.org/papers/press_release.pdf
http://www.msnbc.msn.com/id/11837702/
The paper presents an attack where the tags carry a small amount of data (127 characters) that will infect the RFID reader. More precisely, they use an SQL injection attack against an Oracle database backend that interfaces with the reader. The reader will then continue to infect all new tags it sees

 

but a discussion about this issue here sets some new light
http://digg.com/security/Self-replicating_RFID_virus_crea...

* To say that RFID tags are susceptible to viruses suggests that an RFID tag could be created that would cause a SQL injection attack and furthermore that exploit would result in overwriting future scanned RFID tags with the same destructive code. It is correct to call it a vulnerability, but the term Virus is inaccurate http://digg.com/security/Self-replicating_RFID_virus_crea...
* but if you think a bit harder, than....
"I don't see much of an advantage to infecting other tags anyhow. The money would be in gaining a foothold in the backend systems that the RFID tags are tied too. Once gained the possibilities are pretty much up to the imgination. It would only take one tag to infect the target system (the back-end). The only possible way I could see replication onto other tags being useful would be to seed a distribution center with a single tag which would then replicate to other tags so that the retailers or receivers could the become infected. However with the range of different products on the market it would be difficult to account for every type of possible system the receiver may have."
http://digg.com/security/Self-replicating_RFID_virus_crea...
* The point of this article is that, in testing, researchers have been able to reprogram an RFID tag so that the tag will infect middleware. Bottom line is that this means they can, in time, develop a way to backdoor the whole database by replacing the data on RFID tags which are then scanned and install the backdoor/rootkit/whatever.
And the point of the researchers is that the middleware needs robust security measures which carefully parse input and reject anything that is malformed.
http://digg.com/security/Self-replicating_RFID_virus_crea...
but even than some say
* "most RFID middle-ware is written using either .NET or Java, I'm not aware of any MSIL or Java bytecode virii that exist and the overhead they bring with them makes it prohibitively hard to put that in 96 bits
http://digg.com/security/Self-replicating_RFID_virus_crea...
and not for anybody
* "An attacker would probably need to create an emulated environment to test his exploit, meaning hardware/OS/vendor software. This might make it a bit difficult for the average teenage hacker"
http://digg.com/security/Self-replicating_RFID_virus_crea...

* but maybe the article is written because those same people produce
a machine, the RFID guardian http://www.rfidguardian.org/index.html and all this is FUD and marketing because how would you sell a machine if there is no immediate danger.

 

this is not to say that RFID is not important as without any legal overview or regulation (against which the industry opposes itself as hard as possible, telling they have self-regulation and privacydefenders are nuts). It is up for government to tell us how they may or may not build and use such systems and who controls when the security and who is responsable if you want to complain.

 

RFID willing or not is getting its place in our world

* used against H5N1 avian  influenza http://www.ccmsectorinvest.com/detailednews.asp?intRe...
* the biggest retailer RFID project (wallmart)
http://www.digg.com/technology/How_Wal-Mart_will_use_RFID
* and used in US passports
http://www.aunty-spam.com/archives/2004/11/18/rfids-in-yo...
* and injected in some workers in some firms
"CityWatcher.com is requiring that their employees have RFIDs injected into their arms in order to access CityWatcher’s data centers. While the company says that it is not a condition of employment, it is a condition of accessing CityWatcher.com’s datacenter, and obviously being able to .. you know, do your job, is a condition of employment. In otherwords, if your job is working in the CityWatcher datacenter, it bloody well is a condition"
http://www.aunty-spam.com/us-company-requiring-employees-...
*and in patients where "For the first time, reportedly, researchers have successfully tested an implantable microchip device that is activated wirelessly to deliver controlled doses of drugs into the body over a prolonged period of time. "
http://www.eweek.com/article2/0,1759,1937836,00.asp?kc=EW...

17:41 Gepost door technology changes fast not a lot | Permalink | Commentaren (1) |  Facebook |

Commentaren

We must be Prepared by Quarantining ourselves. We now have to prepare for the worst pandemic in history. The only way to fight this one is to quarantine our family and use products that fight the virus in our own homes. If we avoid contact with other humans and reduce our own contagiousness in our homes, the virus will not spread as far and wide as if we were not fighting it in this way. This is our first and only line of defense against this most horid of all killers. Fifty percent of those contracting this virus will survive. IF you don’t want to be in that statistic, you need to become prepared now.

Gepost door: mike mathiesen | 03-04-06

De commentaren zijn gesloten.