Abstract
Automatic identification and collection (AIDC) technologies have made the life of a man much easier on numerous platforms. Of the various such technologies the radio frequency identification devices (RFID) have become pervasive essentially because they can track from a greater physical distance than the rest. The back end that supports these RFID systems has always been working well until they encounter a sbadly-formatted RFID tag. There have hardly been any incidents where such tags, once identified by the back-end systems, can in fact wreak havoc via the interacting databases in the RFID infrastructure. Recently, there has been significant research in this area. In the previous work, the author managed to do an attack using a self-referential query on Linux, Oracle, and PHP. However, they have been unable to test it on SQL Server 2005. This paper differs from the previous work in the way that it extends the attack using a self-referential query to Windows, SQL Server 2005, and ASP with their respective latest updates installed. The query itself is more robust by making certain that the table can contain it.
Similar content being viewed by others
References
Caton, M.: RFID Reshapes Supply Chain Management. http://www.eweek.com. April 19th, 2004
RFid Gazette: FDA Approves Sub-dermal RFID VeriChip. October 14, 2004
New Jersey Customer Service Center: E-Z Pass Automated Toll Collection
Singel, R.: American passports to get chipped. Wired Magazine, October 21, 2004
Garfinkel, S., et al.: RFID: Application, Security and Privacy. Addison-Wesley, Reading (2006)
Wikipedia: Radio Frequency Identification.
AutoID. Active and passive RFID: two distinct, but complementary, technologies for real-time supply chain visibility. May 24, 2002. Retrieved on 2 May, 2007
Thompson, D.R., et al.: Categorizing RFID privacy threats with STRIDE. In: Proceedings ACM’s Symposium on Usable Privacy and Security held at CMU (2006)
Rieback, M.R., et al.: Is your cat infected with a computer virus? IEEE Percom (2006)
Albrecht, K., McIntyre, L.: SpyChips: how major corporations and government plan to track your every move with RFID. 4 October, 2005
Karygiannis, T., et al.: National Institute of Standards and Technology.Guidance for Securing RFID Systems (Draft). http://csrc.nist.gov/publications/drafts/800-98/Draft-SP800-98.pdf. Retrieved on 30 July, 2007
Generation 2 Security, http://www.thingmagic.com/html/pdf/Generation%202%20-%20Security.pdf. Retrieved on 26 July, 2007
Biometrics deployment of machine readable travel documents: http://www.icao.int/mrtd/download/documents/Biometrics%20deployment%20o%f%20Machine%20Readable%20Travel%20Documents%202004.pdf May 2004. Retrieved on 26 July, 2007
Bono, S., Green, M., Stubble_eld, A., Juels, A., Rubin, A., Szydlo, M.: Security analysis of a cryptographically enabled RFID device. In: 14th USENIX Security Symposium, pp. 1–16. Baltimore, Maryland, USA, July–August 2005. USENIX
Kfir, Z., Wool, A.: Picking virtual pockets using relay attacks on contactless smartcard systems. In: 1st International Conference on Security and Privacy for Emerging Areas in Communication Networks. http://eprint.iacr.org/, September 2005. Retrieved on 26 July 2007
Wikipedia: SQL Injection
Web Application Security Consortium: Glossary. Retrieved on 21 March 2007
Anley, C.: Advanced SQL Injection in SQL Server Applications. Retrieved on 21 March 2007
McDonald, S.: SQL Injection: Modes of Attack, Defence, and Why It Matters. SANS Institute. Retrieved on 21 March, 2007
Bond, G.W.: Software as art. Commun. ACM 48(8), 118–124 (2005)
CGI Security. What is SQL Injection? Retrieved on 10 December 2006
Ispirer: Setting Up ODBC Data Sources
Microsoft Technet: Using Server-Side Include Directives (IIS 6.0)
MSDN. Using #exec Directives
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Sulaiman, A., Mukkamala, S. & Sung, A. SQL infections through RFID. J Comput Virol 4, 347–356 (2008). https://doi.org/10.1007/s11416-007-0075-8
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11416-007-0075-8