
Airborne worm attacks airports and supermarkets: RFID worm created in the lab

By Will Knight, 28 March 2006

Continuing our healthy RFID thread, here is some doomy news for RFID peddlers. Dutch scientists keen to promote the pervasive spread of RFID throughout the material and biological worlds we inhabit have created a virus or worm capable of transmitting itself through RFID. It is dubious that such an environment could any longer be described as 'real-world'; nonetheless, this is the contention of these scientists and the scenarios they hope to prepare the market for.

Re-posted from and

RFID worm created in the lab

Researchers have discovered a way to infect Radio Frequency Identification (RFID) tags with a computer worm, raising the disturbing prospect that products, ID cards, and even pets could be used to spread malicious code.

RFID tags provide a simple and efficient method of short-range identification and are increasingly being used to track products, make automatic payments and control access to buildings and public transport. They can be implanted into pets, cattle, and even humans for identification purposes.

But researchers from Vrije Universiteit in Amsterdam, led by Andrew Tanenbaum, have found that RFID tags can also be used to spread dangerous computer code. They demonstrated techniques for creating malicious tags at the Fourth Annual IEEE International Conference on Pervasive Computing and Communications in Pisa, Italy, on Tuesday.

RFID tags are already viewed with some suspicion by privacy groups because they offer a way to increase surveillance of individuals. But, until now, it has been assumed they are unsuitable for spreading computer worms or viruses because each tag has a limited memory, typically less than 1024 bits.

The Vrije Universiteit team found that compact malicious code could be written to RFID tags after all. By replacing a tag's normal identification code with a carefully written message, the researchers found they could exploit bugs in a computer connected to an RFID reader. This made it possible to spread a self-replicating computer worm capable of infecting other compatible, and rewritable, RFID tags.

Airport infections

"It's a very interesting idea," says Burt Kaliski, vice president of research at US company RSA Security. "RFID introduces data into a system, and if that system's data processing is not properly designed then many types of attack may be possible." But Kaliski also notes that simple RFID tags, which cannot be overwritten, should be far more difficult to exploit.
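An added example, not from the article or the Vrije Universiteit group, of the design Kaliski's remark points to: reader middleware that treats everything read from a tag as untrusted data, accepts only a fixed-length identifier on read, and validates stored values before they are written to new rewritable tags. The 96-bit ID length, the SQLite table and all function names are assumptions made for illustration.

```python
import re
import sqlite3

TAG_ID_BYTES = 12                      # assumption: 96-bit identifiers
HEX_ID = re.compile(r"[0-9a-f]{24}")   # canonical form stored in the database

def build_db():
    """Constructed in-memory table standing in for the back-end product database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (tag_id TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)")
    db.execute("INSERT INTO products VALUES (?, ?, ?)",
               ("30a1b2c3d4e5f60718293a4b", "peanut butter", 349))
    return db

def normalize_tag(raw):
    """Return the canonical hex ID, or None when the payload is not a fixed-length ID."""
    if not isinstance(raw, (bytes, bytearray)) or len(raw) != TAG_ID_BYTES:
        return None
    return bytes(raw).hex()            # hex-encoding leaves no room for text or code

def handle_read(db, raw):
    """Process one read; tag contents are bound as a parameter, never spliced into SQL."""
    tag_id = normalize_tag(raw)
    if tag_id is None:
        return ("rejected", None)      # worth logging: a tag that is not shaped like an ID
    row = db.execute("SELECT name, price_cents FROM products WHERE tag_id = ?",
                     (tag_id,)).fetchone()
    return ("ok", row) if row else ("unknown", None)

def bytes_for_new_tag(stored_id):
    """Validate a database value before it is written to a blank, rewritable tag."""
    if not isinstance(stored_id, str) or not HEX_ID.fullmatch(stored_id):
        raise ValueError("stored value is not a canonical tag identifier")
    return bytes.fromhex(stored_id)

if __name__ == "__main__":
    db = build_db()
    reads = [bytes.fromhex("30a1b2c3d4e5f60718293a4b"),  # constructed valid ID
             b"A" * 100,                                  # constructed oversized payload
             b"not-an-id-12"]                             # constructed 12 bytes of text
    for raw in reads:
        print(handle_read(db, raw))
```

Checking both directions matters here: the read-side check keeps tag contents out of the back end, and the write-side check keeps a corrupted database value from being copied onto new tags.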

Roughly the size of a grain of rice, an RFID tag contains a miniaturised computer chip and radio transmitter capable of sending a unique identification code over a short distance to a receiver and a connected computer. The tags are powered inductively, by the signal from the external reading device, which means they can operate indefinitely without a battery.

A tag infected with a worm and attached, for example, to a piece of luggage could rapidly infect other luggage in an airport, the Dutch researchers say. "On arrival at other airports, these cases will be scanned again and within 24 hours, hundreds of airports throughout the world could be infected," they said in a statement issued by the university.

The Dutch researchers add that a malicious RFID tag could also bypass physical security measures by fooling a computer into thinking it has just received a different identification code. In the hypothetical airport example, this would provide "the perfect solution for smugglers and terrorists wanting to send suspicious luggage across the world without being noticed," they add.

The group has produced several examples outlining how to exploit RFID tags and guidelines for protecting them on the website http://www.rfidvirus.org :

Real-World Scenarios

To make clear what kinds of problems might arise from RFID hacking by amateurs or criminals, let us consider three possible and all-too-realistic scenarios.

1. A prankster goes to a supermarket that scans the purchases in its customers' shopping carts using the RFID chips affixed to the products instead of their bar codes. Many supermarkets have plans in this direction because RFID scans are faster (and in some cases can be done by the customers, eliminating the expense of having cashiers). The prankster selects, scans, and pays for a nice jar of chunk-style peanut butter that has an RFID tag attached to it. Upon getting it home, he removes or destroys the RFID tag. Then he takes a blank RFID tag he has purchased and writes an exploit on it using his home computer and commercially available equipment for writing RFID tags. He then attaches the infected tag to the jar of peanut butter, brings it back to the supermarket, heads directly for the checkout counter, and pays for it again. Unfortunately, this time when the jar is scanned, the virus on its tag infects the supermarket's product database, potentially wreaking all kinds of havoc such as changing prices.

2. Emboldened by his success at the supermarket, the prankster decides to unwittingly enlist his cat in the fun. The cat has a subdermal pet ID tag, which the attacker rewrites with a virus using commercially available equipment. He then goes to a veterinarian (or the ASPCA), claims it is a stray cat and asks for a cat scan. Bingo! The database is infected. Since the vet (or ASPCA) uses this database when creating tags for newly-tagged animals, these new tags can also be infected. When they are later scanned for whatever reason, that database is infected, and so on. Unlike a biological virus, which jumps from animal to animal, an RFID virus spread this way jumps from animal to database to animal. The same transmission mechanism that applies to pets also applies to RFID-tagged livestock.

3. Now we get to the scary part. Some airports are planning to expedite baggage handling by attaching RFID-augmented labels to the suitcases as they are checked in. This makes the labels easier to read at greater distances than the current bar-coded baggage labels. Now consider a malicious traveler who attaches a tiny RFID tag, pre-initialized with a virus, to a random person's suitcase before he checks it in. When the baggage-handling system's RFID reader scans the suitcase at a Y-junction in the conveyor-belt system to determine where to route it, the tag responds with the RFID virus, which could infect the airport's baggage database. Then, all RFID tags produced as new passengers check in later in the day may also be infected. If any of these infected bags transit a hub, they will be rescanned there, thus infecting a different airport. Within a day, hundreds of airport databases all over the world could be infected. Merely infecting other tags is the most benign case. An RFID virus could also carry a payload that did other damage to the database, for example, helping drug smugglers or terrorists hide their baggage from airline and government officials, or intentionally sending baggage destined for Alaska to Argentina to create chaos (e.g., as revenge for a recently fired airline employee).

Some companies with a vested interest in RFID technology have said their software can withstand attacks such as the ones we have proposed. We hope that is the case. These claims would be much more believable, however, if the companies made their software available to universities and other neutral parties for exhaustive testing, along with a large reward (say, $100,000) for the first person to construct a virus that successfully infects it. If no one is able to infect the software after, say, 6 months, the claim that the software cannot be infected is a great deal stronger than merely stating it without proof. The nice part of this for the company is that if the software is bulletproof, it costs the company nothing.