SQL infections through RFID

  • Invited Paper
  • Journal in Computer Virology

Abstract

Automatic identification and collection (AIDC) technologies have made life much easier on numerous platforms. Of these technologies, radio frequency identification (RFID) devices have become pervasive, essentially because they can track from a greater physical distance than the rest. The back end that supports these RFID systems works well until it encounters a badly formatted RFID tag. There have hardly been any incidents where such tags, once identified by the back-end systems, can in fact wreak havoc via the interacting databases in the RFID infrastructure. Recently, there has been significant research in this area. In the previous work, the author managed to carry out an attack using a self-referential query on Linux, Oracle, and PHP. However, they were unable to test it on SQL Server 2005. This paper differs from the previous work in that it extends the attack using a self-referential query to Windows, SQL Server 2005, and ASP, with their respective latest updates installed. The query itself is more robust because it makes certain that the table can contain it.

Author information

Correspondence to Anthonius Sulaiman.

About this article

Cite this article

Sulaiman, A., Mukkamala, S. & Sung, A. SQL infections through RFID. J Comput Virol 4, 347–356 (2008). https://doi.org/10.1007/s11416-007-0075-8

  • DOI: https://doi.org/10.1007/s11416-007-0075-8
