In their research paper Mr Tanenbaum and his colleagues Melanie Rieback and Bruno Crispo detail how to use RFID tags to spread viruses and subvert corporate databases. "Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong," wrote the trio in their research paper. The researchers showed how to get round the limited computational abilities of the smart tags to use them as an attack vector and corrupt databases holding information about what a company has in storage. To test out the theory the group created a virus for a smart tag that used only 127 characters, uploaded it and watched it in action.
This is not as cool as it sounds. In English, Tanenbaum is saying this:

- RFID tags simply contain a serial number.
- This serial number, when read, normally ends up in some kind of SQL statement. For nontechs, this just means the number is looked up in a big database.
- I can create an RFID tag that has a malformed number and some SQL code.
- When this value gets to the database, the SQL in the RFID tag will be executed. This is known as SQL Injection.

SQL Injection is certainly dangerous, but this vector limits what you can do. You really have a single-direction communications tunnel. You tell the database to do something. The database has no easy way to get information back to you. Yes, there are rather complex ways to get a database to execute external commands which might be able to connect out to the Internet and return information to you. This would be extremely vendor specific, require a lot of code on the RFID tag to hold the attack, and isn't a very worm-friendly attack vector.

Because of this one-way communication limit, this vector cannot easily be used to steal information out of a database. It also means you can't use traditional SQL Injection methods to determine database structure. You would already need to know the application you are attacking. Basically you are reduced to either editing or deleting information from the database.

Nasty forms of SQL Injection exist and there are much better vectors than RFID tags to do it with.

RFID + SQL Injection = Media Hype
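The injection path described above, as an added example that is not from the paper or the original post: a hypothetical middleware function records a tag scan with an UPDATE, first by string concatenation and then with a format check and bound parameters. The table, the function names and the 24-hex-character tag format are assumptions made for illustration.

```python
import re
import sqlite3

# Assumed tag format for this example: 24 uppercase hex characters (a 96-bit identifier).
TAG_RE = re.compile(r"[0-9A-F]{24}")

GOOD_TAG = "A1" * 12            # constructed well-formed tag contents
BAD_TAG = "x' OR '1'='1"        # constructed malformed tag contents


def make_db():
    """Build a small in-memory inventory table with three constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE inventory (tag_id TEXT PRIMARY KEY, item TEXT, last_seen TEXT)")
    db.executemany(
        "INSERT INTO inventory VALUES (?, ?, 'warehouse')",
        [("A1" * 12, "pallet-1"), ("B2" * 12, "pallet-2"), ("C3" * 12, "pallet-3")],
    )
    return db


def record_scan_vulnerable(db, tag_data, location):
    # Tag contents are pasted into the statement text, so the database parses them as SQL.
    sql = "UPDATE inventory SET last_seen = '%s' WHERE tag_id = '%s'" % (location, tag_data)
    return db.execute(sql).rowcount


def record_scan_hardened(db, tag_data, location):
    # Reject anything that is not a well-formed identifier, then bind it as data.
    if not TAG_RE.fullmatch(tag_data):
        return 0
    cur = db.execute(
        "UPDATE inventory SET last_seen = ? WHERE tag_id = ?", (location, tag_data)
    )
    return cur.rowcount


def rows_at(db, location):
    """Count rows whose last_seen column equals the given location."""
    query = "SELECT COUNT(*) FROM inventory WHERE last_seen = ?"
    return db.execute(query, (location,)).fetchone()[0]


if __name__ == "__main__":
    for fn in (record_scan_vulnerable, record_scan_hardened):
        db = make_db()
        good = fn(db, GOOD_TAG, "dock")
        bad = fn(db, BAD_TAG, "gone")
        print(fn.__name__, "good scan rows:", good, "malformed scan rows:", bad,
              "rows now at 'gone':", rows_at(db, "gone"))
```

The row count is returned to the middleware only; nothing flows back to the tag, which matches the one-way limit described in the post: the malformed value can change rows but cannot read them out.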