Experts: RFID threat overblown


The threat of viruses in radio frequency identification chips has been vastly overstated in media reports, security experts said Thursday.

Dutch researchers said this week that they found RFID tags are susceptible to computer viruses and can be used to corrupt databases.

Bruce Schneier, founder and chief technology officer of Counterpane, said on his Schneier on Security weblog that he wasn't surprised RFID tags can be infected with viruses.

"Of course RFID chips can carry viruses. They're just little computers," he said, adding that "the coverage is more than a tad sensationalist, though."

Schneier added Thursday that he did find the recently discovered attack vector "interesting."

"A trojan RFID attacks the central database, rather than attacking other RFID chips directly," he said. "Metaphorically, it's a lot closer to biological viruses, because it actually requires the more powerful host being subverted, and there's no way an infected tag could propagate directly to another tag."

Researchers at the Free University in Amsterdam found that hackers could cause valid RFID tags to behave in unexpected and malicious ways. For instance, when an RFID reader at a supermarket checkout counter reads the tag on a product, the software driving it could add the item scanned to the list of the customer's purchases, tallying up the total after all products have been scanned.

Experts at Sophos also told PC users not to get too worked up over the report, entitled "Is your cat infected with a computer virus?"

"The semi-academic paper is full of assumptions that have to be realized before it is possible to create a virus that will use RFID tags to spread," the anti-virus firm said. "It is worth mentioning that the virus code described in the paper works only on the environment constructed specially for the purpose by the authors of the paper and that there are no known vulnerabilities like that in any real RFID middleware system."

Graham Cluley, senior technology consultant for Sophos, said that any data-storage device can carry a virus in a specifically created environment. Companies should focus on real threats, he said.

"The sky is not falling, and no one should be diverted from the important task of dealing with the very real risks posed by conventional viruses," he said. "Windows desktops and servers are the main battleground for viruses right now, not the aisles of the supermarket or at the vets, where you can get your pet cat chipped."
