SQL injection doesn't work exactly the way the author of this article
described it. And it's easy to prevent -- all one has to do is
avoid taking input data from a web page or other input device and place
it directly in an SQL statement without first parsing it to eliminate
certain special characters that make SQL injection possible. Any
input from any source (RFID device or otherwise) can be used to attempt
to launch an SQL injection attack (which basically amounts to injecting
an SQL statement into the one the application normally submits to the
database). Usually the intent is to have additional data returned,
such as a list of user IDs so the hacker can attempt to bust into the
database.
-- Andy Oppel, N6AJO
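As an added illustration of Andy's point above (and of the tag-to-database path the forwarded CNET article describes), the following Python is not from either message: it runs a constructed tag payload through a query built by string concatenation and through one that checks the tag format and binds the value as a parameter. The table, tag values and query are all assumptions made for the demo.

```python
import re
import sqlite3

# Constructed sample: the inventory table the reader software writes to.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE containers (tag_id TEXT, contents TEXT, owner_id TEXT)")
    con.executemany("INSERT INTO containers VALUES (?, ?, ?)", [
        ("TAG0001", "Florida oranges", "user17"),
        ("TAG0002", "dish detergent", "user42"),
    ])
    return con

# Constructed tag payload: the quote closes the literal, and the tautology
# that follows makes a concatenated WHERE clause match every row.
INJECTED_TAG = "TAG0001' OR '1'='1"

def lookup_unsafe(con, tag_data):
    # Tag bytes pasted straight into the statement, as Andy warns against.
    sql = "SELECT owner_id FROM containers WHERE tag_id = '" + tag_data + "'"
    return [row[0] for row in con.execute(sql)]

# Assumed tag format: short, upper-case alphanumerics only.
TAG_FORMAT = re.compile(r"[A-Z0-9]{1,16}")

def is_well_formed_tag(tag_data):
    # Input check (Andy's "parse it first"): anything outside the expected
    # alphabet, including quotes and spaces, is rejected before any SQL.
    return TAG_FORMAT.fullmatch(tag_data) is not None

def lookup_safe(con, tag_data):
    # Two layers: format check, then a bound parameter so the remaining
    # value can only ever be compared as data, never parsed as SQL.
    if not is_well_formed_tag(tag_data):
        return []
    sql = "SELECT owner_id FROM containers WHERE tag_id = ?"
    return [row[0] for row in con.execute(sql, (tag_data,))]

def demo():
    con = make_db()
    return {
        "unsafe_normal": lookup_unsafe(con, "TAG0001"),
        "unsafe_injected": lookup_unsafe(con, INJECTED_TAG),
        "safe_normal": lookup_safe(con, "TAG0001"),
        "safe_injected": lookup_safe(con, INJECTED_TAG),
    }

if __name__ == "__main__":
    for name, owners in demo().items():
        print(name, owners)
```

With the concatenated query the injected tag returns every owner ID in the table; the checked and bound query returns nothing for it and still answers a normal tag.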
At 12:10 PM 3/23/2006, dick@pobox.com wrote:
23 MAR 2006 - 1405 CST
In sorting through a lot of low priority messages, I came across a
week old CNET article that you might find interesting in view of our
past struggles with RFID tags.
73 - Dick, W9GIG
=========================================================================
Psst. Your shiny new passport has a computer virus
By Robert Vamosi
Senior editor, CNET Reviews
March 17, 2006
This is a story of a container at a major shipping port. This particular
container is marked with an RFID tag, a label with a tiny embedded radio
transmitter that broadcasts a short string of data--anywhere from 256 to
1,024 bytes. But in addition to this container holding fresh Florida
oranges, its RFID tag holds a virus: an SQL injection code. As the
container passes by the shipping port's RFID reader, data from the
contents of the container along with the malicious code are fed to the
back-end database, corrupting if not crippling it. Now the port system is
compromised. And as the container is washed and refilled and sent
somewhere else, the malicious code (now a part of the RFID system) is
also imprinted on other RFID tags on other containers, spreading the
infection. Sounds like a cheap techno-thriller plot, doesn't it?
Unfortunately, it's not. It's the basis of a new research paper out of
the Netherlands, and the implications could be huge.
RFID 101
By themselves, RFID systems are pretty simple. Items such as boxes in
a warehouse receive an RFID tag. The short broadcasts allow RFID readers
to inventory stock, passing that data on to larger databases elsewhere.
Bar codes, the system currently in place, require someone to physically
hold each item up to a laser scanner. By comparison, you can take
inventory of entire pallets of RFID-enabled dish detergent just by waving a
reader in their general direction. Stores such as Walgreens and Wal-Mart
currently use RFID technology to track inventory.
RFID tags aren't limited to warehouse merchandise. RFID tags are being
used to authenticate customers at gas stations, eliminating the need to
swipe a credit card at the pump. And RFID tags are currently being
injected into pets, livestock, and even human beings for tracking
purposes.
The dark side of RFID
Out of Amsterdam this week came a study entitled "Is your cat infected
with a computer virus?" It was conducted by Melanie R. Rieback, Bruno
Crispo, and Andrew S. Tanenbaum from Vrije University in Amsterdam.
Andrew S. Tanenbaum, professor of computer science, is the author of
the Minix operating system.
In addition to presenting their work, the authors have launched a
Web page of known RFID threats.
Basically, the authors say in their 10-page paper that RFID systems
can be exploited; like all software, there's definite potential for
vulnerabilities to be found and exploited in the software back end of the
RFID system. The authors found that RFID viruses could be used to corrupt
whole databases controlling the back end of the RFID technology using
buffer overflows and SQL injections--two methods already used in
computer crimes. As the
United States and other countries move toward embedding RFID tags into
passports, allowing them to be scanned at a distance as the passenger
deplanes, the authors of this study would like to see some best practices
adopted first.
As long as the programmers writing RFID software follow best practices
(and check for buffer-overflow possibilities) everything should be fine.
However, software programmers are human, deadlines are sometimes
inflexible, and security is often one of the first compromises made in
the rush to market or to fulfill a government contract. In general, there
is little oversight of RFID systems, and often there are no testing
requirements in place for these systems. The authors want to send a
warning, and I agree. Before corporations and governments start adopting
RFID technology, let's step back and make sure it is secure.
No vulnerabilities announced
It's interesting that the authors did not announce any specific
vulnerabilities within current RFID software--they didn't even use
current RFID software, they created their own. What they were able to do
with their own software--and this is their point--was to demonstrate that
if a vulnerability exists within the RFID software, that vulnerability
could be exploited and used to inject malicious code into the back-end
database. The authors were able to create an RFID virus, and previously,
that was considered impossible.
Think of RFID viruses as virus-infected e-mail--same principle. As the
e-mail moves from user to user, it infects files or databases that come
into contact with it. An RFID-virus-infected piece of luggage, for
example, could infect RFID-reader software at each airport terminal that
scans the RFID label, thus crippling hundreds of airport databases in a
few short hours. The same would be true of an infected RFID-enabled
passport, a type of document that's set to take effect in the United
States in October. Either of these events could
shut down the entire system, create longer lines, and possibly delay
flights.
Of course there's another opinion
On the other side of this argument are the few RFID technology
companies who dismiss the Amsterdam report entirely, citing that each
RFID system is unique and proprietary, suggesting that it is unlikely
that a criminal hacker or terrorist would know enough about a given
system to find a vulnerability, let alone exploit it. True. However,
according to the latest FBI/CSI Computer Crime Survey, 44 percent of
all computer attacks for financial gain (or loss) are the result of
insiders--there's always an employee who thinks he's found a flaw but
can't get management to fix it or a disgruntled employee who wants to
see his former company go down.
The RFID report authors also worry that corporations and governments are
hastily considering merging whole databases behind RFID technology. Thus,
if an RFID system at an airport does get "0wned" and the
back-end database is trashed or compromised, this could be ruinous for a
number of reasons. Shortly after the September 11 attacks, former
Attorney General John Ashcroft proposed a megadatabase in the United
States combining content from
the Justice Department, the State Department, the IRS, and even health
insurance companies and credit bureaus. Fortunately, Congress balked at
the idea. Now, imagine if someone working on the U.S. Passport RFID
system becomes disgruntled and knows how to exploit a buffer overflow on
the system when it comes online this October. It's one thing to cripple
or compromise the State Department's database, but it's another when you
start spreading the mess to credit bureaus and such.
The convenience curse
I've stated before that just because something becomes easier doesn't
mean it's more secure. RFID technology is popular and this report
shouldn't slow its growth. However, rather than dismiss the possibility
that one day we might see viruses corrupting RFID-fed databases, I would
hope that corporations and governments rushing to adopt RFID technology
consider best practices when programming and testing to make sure it's
secure once the systems are ready. All software is vulnerable to some
extent; really, this report should not come as any surprise.
Will criminals and terrorists start introducing malware into RFID
systems in the near future? Or will RFID viruses remain strictly proof of
concept?