Experts: RFID threat overblown
The threat of viruses in radio frequency identification chips has been vastly overstated in media reports, security experts said Thursday.
Dutch researchers said this week that they found RFID tags are susceptible to computer viruses and can be used to corrupt databases.
Bruce Schneier, founder and chief technology officer of Counterpane, said on his Schneier on Security weblog that he wasn't surprised RFID tags can be infected with viruses.
"Of course RFID chips can carry viruses. They're just little computers," he said, adding that "the coverage is more than a tad sensationalist, though."
Schneier added Thursday that he did find the recently discovered attack vector "interesting."
"A trojan RFID attacks the central database, rather than attacking other RFID chips directly," he said. "Metaphorically, it's a lot closer to biological viruses, because it actually requires the more powerful host being subverted, and there's no way an infected tag could propagate directly to another tag."
Researchers at the Free University in Amsterdam found that hackers could cause valid RFID tags to behave in unexpected and malicious ways. For instance, when an RFID reader at a supermarket checkout counter reads the tag on a product, the software driving it could add the item scanned to the list of the customer's purchases, tallying up the total after all products have been scanned.
Experts at Sophos also told PC users not to get too worked up over the report, entitled "Is your cat infected with a computer virus?"
"The semi-academic paper is full of assumptions that have to be realized before it is possible to create a virus that will use RFID tags to spread," the anti-virus firm said. "It is worth mentioning that the virus code described in the paper works only on the environment constructed specially for the purpose by the authors of the paper and that there are no known vulnerabilities like that in any real RFID middleware system."
Graham Cluley, senior technology consultant for Sophos, said that any data-storage device can carry a virus in a specifically created environment. Companies should focus on real threats, he said.
"The sky is not falling, and no one should be diverted from the important task of dealing with the very real risks posed by conventional viruses," he said. "Windows desktops and servers are the main battleground for viruses right now, not the aisles of the supermarket or at the vets, where you can get your pet cat chipped."