[arrl-odv:13933] Re: Will We Be Our Own Worst Computer Virus Spreaders?

SQL injection doesn't work exactly the way the author of this article described it. And it's easy to prevent -- all one has to do is avoid taking input data from a web page or other input device and placing it directly in an SQL statement without first parsing it to eliminate certain special characters that make SQL injection possible. Any input from any source (RFID device or otherwise) can be used to attempt to launch an SQL injection attack (which basically amounts to injecting an SQL statement into the one the application normally submits to the database). Usually the intent is to have additional data returned, such as a list of user IDs so the hacker can attempt to bust into the database.

-- Andy Oppel, N6AJO

At 12:10 PM 3/23/2006, dick@pobox.com wrote:
23 MAR 2006 - 1405 CST
In sorting through a lot of low priority messages, I came across a week old CNET article that you might find interesting in view of our past struggles with RFID tags.
73 - Dick, W9GIG
=========================================================================
Psst. Your shiny new passport has a computer virus
By Robert Vamosi
Senior editor, CNET Reviews
March 17, 2006
This is a story of a container at a major shipping port. This particular container is marked with an RFID tag, a label with a tiny embedded radio transmitter that broadcasts a short string of data--anywhere from 256 to 1,024 bytes. But in addition to this container holding fresh Florida oranges, its RFID tag holds a virus: an SQL injection code. As the container passes by the shipping port's RFID reader, data from the contents of the container along with the malicious code are fed to the back-end database, corrupting if not crippling it. Now the port system is compromised. And as the container is washed and refilled and sent somewhere else, the malicious code (now a part of the RFID system) is also imprinted on other RFID tags on other containers, spreading the infection. Sounds like a cheap techno-thriller plot, doesn't it? Unfortunately, it's not. It's the basis of a new research paper out of the Netherlands, and the implications could be huge.
RFID 101
By themselves, RFID systems are pretty simple. Items such as boxes in a warehouse receive an RFID tag. The short broadcasts allow RFID readers to inventory stock, passing that data on to larger databases elsewhere. Bar codes, the system currently in place, require someone to physically hold each item up to a laser scanner. By comparison, you can take inventory of entire pallets of RFID-enabled dish detergent just by waving a reader in their general direction. Stores such as Walgreens and Wal-Mart currently use RFID technology to track inventory.
RFID tags aren't limited to warehouse merchandise. RFID tags are being used to authenticate customers at gas stations, eliminating the need to swipe a credit card at the pump. And RFID tags are currently being injected into
<http://dw.com.com/redir?oid=4520-3513_7-6466679-1&ontid=3513&siteid=7&edid=3&lop=txt&destcat=ex&destUrl=http://www.newhousenews.com/archive/melendez030306.html>pets, livestock, and even <http://dw.com.com/redir?oid=4520-3513_7-6466679-1&ontid=3513&siteid=7&edid=3&lop=txt&destcat=ex&destUrl=http://www.newyorker.com/talk/content/articles/060320ta_talk_wilkinson>human beings for tracking purposes.
The dark side of RFID
Out of Amsterdam this week came a study entitled "<http://dw.com.com/redir?oid=4520-3513_7-6466679-1&ontid=3513&siteid=7&edid=3&lop=txt&destcat=ex&destUrl=http://www.rfidvirus.org/papers/percom.06.pdf>Is your cat infected with a computer virus?" It was conducted by Melanie R. Rieback, Bruno Crispo, and Andrew S. Tanenbaum from Vrije University in Amsterdam. <http://dw.com.com/redir?oid=4520-3513_7-6466679-1&ontid=3513&siteid=7&edid=3&lop=txt&destcat=ex&destUrl=http://www.cs.vu.nl/%7East/>Andrew S. Tanenbaum, professor of computer science, is the author of the Minix operating system. In addition to presenting their work, the authors have launched a <http://dw.com.com/redir?oid=4520-3513_7-6466679-1&ontid=3513&siteid=7&edid=3&lop=txt&destcat=ex&destUrl=http://www.rfidvirus.org/index.html>Web page of known RFID threats.
Basically, the authors say in their 10-page paper that RFID systems can be exploited; like all software, there's definite potential for vulnerabilities to be found and exploited in the software back end of the RFID system. The authors found that RFID viruses could be used to corrupt whole databases controlling the back end of the RFID technology using buffer overflows and SQL injections--two methods already used in computer crimes. As the United States and other countries move toward embedding RFID tags into passports, allowing them to be scanned at a distance as the passenger deplanes, the authors of this study would like to see some best practices adopted first.
As long as the programmers writing RFID software follow best practices (and check for buffer-overflow possibilities) everything should be fine. However, software programmers are human, deadlines are sometimes inflexible, and security is often one of the first compromises made in the rush to market or to fulfill a government contract. In general, there is little oversight of RFID systems, and often there are no testing requirements in place for these systems. The authors want to send a warning, and I agree. Before corporations and governments start adopting RFID technology, let's step back and make sure it is secure.
No vulnerabilities announced
It's interesting that the authors did not announce any specific vulnerabilities within current RFID software--they didn't even use current RFID software, they created their own. What they were able to do with their own software--and this is their point--was to demonstrate that if a vulnerability exists within the RFID software, that vulnerability could be exploited and used to inject malicious code into the back-end database. The authors were able to create an RFID virus, and previously, that was considered impossible.
Think of RFID viruses as virus-infected e-mail--same principle. As the e-mail moves from user to user, it infects files or databases that come into contact with it. An RFID-virus-infected piece of luggage, for example, could infect RFID-reader software at each airport terminal that scans the RFID label, thus crippling hundreds of airport databases in a few short hours. The same would be true of an infected RFID-enabled passport, a type of document that's set to take effect in the <http://reviews.cnet.com/Passports+to+get+RFID+chip+implants/2100-7348_3-5913644.html?tag=txt>United States in October. Either of these events could shut down the entire system, create longer lines, and possibly delay flights.
Of course there's another opinion
On the other side of this argument are the few RFID technology companies who dismiss the Amsterdam report entirely, citing that each RFID system is unique and proprietary, suggesting that it is unlikely that a criminal hacker or terrorist would know enough about a given system to find a vulnerability, let alone exploit it. True. However, according to the latest <http://dw.com.com/redir?oid=4520-3513_7-6466679-1&ontid=3513&siteid=7&edid=3&lop=txt&destcat=ex&destUrl=http://www.fbi.gov/page2/jan06/computer_crime_survey011806.htm>FBI/CSI Computer Crime Survey, 44 percent of all computer attacks for financial gain (or loss) are the result of insiders--there's always an employee who thinks he's found a flaw but can't get management to fix it or a disgruntled employee who wants to see his former company go down.
The RFID report authors also worry that corporations and governments are hastily considering merging whole databases behind RFID technology. Thus, if an RFID system at an airport does get "0wned" and the back-end database is trashed or compromised, this could be ruinous for a number of reasons. Shortly after the September 11 attacks, former Attorney General John Ashcroft <http://reviews.cnet.com/2100-3513_22-980889.html?tag=txt>proposed a megadatabase in the United States combining content from the Justice Department, the State Department, the IRS, and even health insurance companies and credit bureaus. Fortunately, Congress balked at the idea. Now, imagine if someone working on the U.S. Passport RFID system becomes disgruntled and knows how to exploit a buffer overflow on the system when it comes online this October. It's one thing to cripple or compromise the State Department's database, but it's another when you start spreading the mess to credit bureaus and such.
The convenience curse
I've stated before that just because something becomes easier doesn't mean it's more secure. RFID technology is popular and this report shouldn't slow its growth. However, rather than dismiss the possibility that one day we might see viruses corrupting RFID-fed databases, I would hope that corporations and governments rushing to adopt RFID technology consider best practices when programming and testing to make sure it's secure once the systems are ready. All software is vulnerable to some extent; really, this report should not come as any surprise.
Will criminals and terrorists start introducing malware into RFID systems in the near future? Or will RFID viruses remain strictly proof of concept?
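
The point made in the reply at the top of this message, applied to a back end that looks up scanned tag data, as an added example that is not part of the original thread or the article. The table, the tag format and the function names are assumptions made for the illustration, and the parameterized query shown is a different technique from the character stripping the reply describes.

```python
import re
import sqlite3

# Constructed sample data: a tiny inventory table keyed by tag ID.
ROWS = [("TAG-0001", "oranges"), ("TAG-0002", "detergent"), ("TAG-0003", "luggage")]
HONEST_TAG = "TAG-0001"
# Constructed tag contents carrying extra SQL after a closing quote.
CRAFTED_TAG = "TAG-0001' OR '1'='1"
# Assumed tag format for this example only.
TAG_FORMAT = re.compile(r"TAG-\d{4}")


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE containers (tag_id TEXT PRIMARY KEY, contents TEXT)")
    db.executemany("INSERT INTO containers VALUES (?, ?)", ROWS)
    return db


def lookup_concatenated(db, tag_data):
    # Weak form: tag data is pasted into the statement, so a quote in the
    # data ends the string literal and the rest is parsed as SQL.
    sql = "SELECT tag_id, contents FROM containers WHERE tag_id = '" + tag_data + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, tag_data):
    # Corrected form: the statement text is fixed and the tag data is bound
    # as a value, so it is only ever compared, never parsed.
    sql = "SELECT tag_id, contents FROM containers WHERE tag_id = ?"
    return db.execute(sql, (tag_data,)).fetchall()


def lookup_validated(db, tag_data):
    # Allow-list check in front of the bound query: reject anything that
    # is not in the expected tag format before it reaches the database.
    if not TAG_FORMAT.fullmatch(tag_data):
        raise ValueError("tag data is not in the expected format")
    return lookup_parameterized(db, tag_data)


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, CRAFTED_TAG))
    print("parameterized:", lookup_parameterized(db, CRAFTED_TAG))
```

With the concatenated query the crafted tag returns every row in the table, which is the "additional data returned" outcome the reply mentions; the bound query returns nothing for it.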