This page contains all of the posts and discussion on MemeStreams referencing the following web page: RFID + SQL Injection = Media Hype. You can find discussions on MemeStreams as you surf the web, even if you aren't a MemeStreams member, using the Threads Bookmarklet.

RFID + SQL Injection = Media Hype
by Acidus at 3:35 pm EST, Mar 15, 2006

In their research paper Mr Tanenbaum and his colleagues Melanie Rieback and Bruno Crispo detail how to use RFID tags to spread viruses and subvert corporate databases.

"Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong," wrote the trio in their research paper.

The researchers showed how to get round the limited computational abilities of the smart tags to use them as an attack vector and corrupt databases holding information about what a company has in storage. To test out the theory the group created a virus for a smart tag that used only 127 characters, uploaded it and watched it in action.

This is not as cool as it sounds. In English, Tanenbaum is saying this:

- RFID tags simply contain a serial number
- This serial number, when read, normally ends up in some kind of SQL statement. For nontechs, this just means the number is looked up in a big database
- I can create an RFID tag that has a malformed number and some SQL code.
- When this value gets to the database, the SQL in the RFID tag will be executed. This is known as SQL Injection

SQL Injection is certainly dangerous, but this vector limits what you can do. You really have a single direction communications tunnel. You tell the database to do something. The database has no easy way to get information back to you. Yes, there are rather complex ways to get a database to execute external commands which might be able to connect out to the Internet and return information to you. This would be extremely vendor specific, require a lot of code on the RFID to hold the attack, and isn't a very worm-friendly attack vector.

Because of this one way communication limit, this vector cannot easily be used to steal information out of a database. It also means you can't use traditional SQL Injection methods to determine database structure. You would already need to know the application you are attacking. Basically you are reduced to either editing or deleting information from the database.

Nasty forms of SQL Injection exist and there are much better vectors than RFID tags to do it with.
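Added illustration of the lookup step described above (not code from the post or from the paper): a constructed SQLite inventory table, a lookup that splices the tag's serial into the SQL string, and the same lookup with input validation plus a bound parameter. The table layout, the 10-hex-digit tag format and the sample values are all assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample inventory; tag ids and items are made up for this demo.
SAMPLE_TAGS = [("E200341201", "widget", 10), ("E200341202", "gadget", 3)]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE inventory (tag_id TEXT PRIMARY KEY, item TEXT, qty INTEGER)")
    db.executemany("INSERT INTO inventory VALUES (?, ?, ?)", SAMPLE_TAGS)
    return db


def lookup_vulnerable(db, tag_id):
    # Whatever the reader returned is pasted into the statement, so the
    # database parses the tag contents as SQL rather than as a serial number.
    sql = f"SELECT item, qty FROM inventory WHERE tag_id = '{tag_id}'"
    return db.execute(sql).fetchall()


# Assumed serial format: exactly 10 upper-case hex digits.
TAG_ID_RE = re.compile(r"\A[0-9A-F]{10}\Z")


def lookup_safe(db, tag_id):
    # Two layers: reject anything that is not a well-formed serial, then bind
    # the value as a parameter so the driver never treats it as SQL text.
    if not TAG_ID_RE.match(tag_id):
        raise ValueError(f"malformed tag id: {tag_id!r}")
    return db.execute("SELECT item, qty FROM inventory WHERE tag_id = ?", (tag_id,)).fetchall()


def demo():
    db = make_db()
    honest = "E200341201"
    # Constructed malformed tag: closes the quoted literal and appends a condition.
    hostile = "x' OR '1'='1"
    results = {
        "vuln_honest": lookup_vulnerable(db, honest),
        "vuln_hostile": lookup_vulnerable(db, hostile),  # every row comes back
        "safe_honest": lookup_safe(db, honest),
        # Binding alone already defuses the payload: it is just a non-matching string.
        "param_only_hostile": db.execute(
            "SELECT item, qty FROM inventory WHERE tag_id = ?", (hostile,)).fetchall(),
    }
    try:
        lookup_safe(db, hostile)
        results["safe_hostile"] = "accepted"
    except ValueError:
        results["safe_hostile"] = "rejected"
    return results
```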


 
RE: RFID + SQL Injection = Media Hype
by Decius at 3:52 pm EST, Mar 15, 2006

Acidus wrote:

Basically you are reduced to either editing or deleting information from the database.

I don't agree. This isn't just about SQL injection. They discuss buffer overflows and bidirectional attacks in their paper. But, what is the RFID's application? Most can be subverted by tinkering with the back end database.

- Building Access? Can I modify the database so that I can get through doors?
- Theft Control? Can I prevent the gate at the store from sounding an alarm by indicating that my ID number is "purchased?" (Which is what happens when they swish your product over the pad at the store.)
- Shopping? Can I change the price of my item or other items in the database?
- Passports? Can I change my entry visa?!

There might not be much you could do to PayPass with SQL injection but if you could overflow it, you could print money.
