RFID malware: Design principles and examples

https://doi.org/10.1016/j.pmcj.2006.07.008

Abstract

This paper explores the concept of malware for Radio Frequency Identification (RFID) systems — including RFID exploits, RFID worms, and RFID viruses. We present RFID malware design principles together with concrete examples; the highlight is a fully illustrated example of a self-replicating RFID virus. The various RFID malware approaches are then analyzed for their effectiveness across a range of target platforms. This paper concludes by warning RFID middleware developers to build appropriate checks into their RFID middleware before it achieves wide-scale deployment in the real world.

Introduction

Radio Frequency Identification (RFID) is a contactless identification technology that promises to revolutionize our supply chains and customize our homes and offices. By leveraging low-cost RFID tags, often containing less than 1–2 kb of memory, proponents of RFID technology aim to create an “Internet of Things”; however, these well-meaning experts should be careful what they wish for. While modern RFID deployments are usually small and located in benevolent environments, the Internet is vast and unmanageable, bringing together commercial interests, inexperienced users, and computer hackers. Furthermore, by bringing the Internet to the “things”, RFID tags could inadvertently extend digital mayhem into the physical world.

This paper will demonstrate that the security breaches that RFID deployers dread most — RFID malware, RFID worms, and RFID viruses — are right around the corner. RFID attacks are currently conceived of as properly formatted but fake RFID data; nobody expects an RFID tag to deliver a SQL injection attack or a buffer overflow. Unfortunately, the trust that RFID tag data receives is unfounded. To prove our point, this paper will describe the basic design principles of RFID malware. We will provide concrete examples for several target platforms, featuring a fully illustrated specimen of a self-replicating RFID virus. Our main intention behind this paper is to encourage RFID middleware designers to adopt safe programming practices.

Radio Frequency Identification (RFID) is the quintessential Pervasive Computing technology. Touted as the replacement for traditional barcodes, RFID’s wireless identification capabilities promise to revolutionize our industrial, commercial, and medical experiences. The heart of the utility is that RFID makes gathering information about physical objects easy. Information about RFID-tagged objects can be transmitted for multiple objects simultaneously, through physical barriers, and from a distance. In line with Mark Weiser’s concept of “ubiquitous computing” [1], RFID tags could turn our interactions with computing infrastructure into something subconscious and sublime.

This promise has led investors, inventors, and manufacturers to adopt RFID technology for a wide array of applications. RFID tags could help combat the counterfeiting of goods like designer sneakers, pharmaceutical drugs, and money. RFID-based automatic checkout systems might tally up and pay our bills at supermarkets, gas stations, and highways. We reaffirm our position as “top of the food chain” by RFID tagging cows, pigs, birds, and fish, thus enabling fine-grained quality control and infectious animal disease tracking. RFID technology also manages our supply chains, mediates our access to buildings, tracks our kids, and defends against grave robbers [2]. The family dog and cat even have RFID pet identification chips implanted in them; given the trend towards subdermal RFID use, their owner will be next in line.

This pervasive computing utopia also has its dark side. RFID automates information collection about individuals’ locations and actions, and this data could be abused by hackers, retailers, and even the government. There are a number of well-established RFID security and privacy threats.

  (1) Sniffing. RFID tags are designed to be read by any compliant reading device. Tag reading may happen without the knowledge of the tag bearer, and it may also happen at large distances. One recent controversy highlighting this issue concerned the “skimming” of digital passports (a.k.a. Machine Readable Travel Documents [3]).

  (2) Tracking. RFID readers in strategic locations can record sightings of unique tag identifiers (or “constellations” of non-unique tag IDs), which are then associated with personal identities. The problem arises when individuals are tracked involuntarily. Subjects may be conscious of the unwanted tracking (e.g. school kids, senior citizens, and company employees), but that is not necessarily the case.

  (3) Spoofing. Attackers can create “authentic” RFID tags by writing properly formatted tag data onto blank or rewritable RFID transponders. One notable spoofing attack was performed recently by researchers from Johns Hopkins University and RSA Security [4]: using a sniffed (and decrypted) identifier, they cloned an RFID transponder and used the clone to buy gasoline and to unlock an RFID-based car immobilization system.

  (4) Replay attacks. Attackers can intercept and retransmit RFID queries using RFID relay devices [5]. These retransmissions can fool digital passport readers, contactless payment systems, and building access control stations. Authentication protocols between the RFID tags and the back-end middleware improve the situation, although a relay forwards the authentication exchange itself unchanged, so authentication alone does not stop it and has to be combined with a check on the round-trip time or distance to the tag.

  (5) Denial of service. A Denial of Service (DoS) attack prevents an RFID system from functioning properly. Tag reading can be hindered by Faraday cages or by signal jamming, both of which prevent radio waves from reaching RFID-tagged objects. DoS can be disastrous in some situations, such as when trying to read medical data from VeriMed subdermal RFID chips in a hospital trauma ward.

This list of categories represents the current state of “common knowledge” regarding security and privacy threats to RFID systems. This paper will (unfortunately) add a new category of threat to this list. All of the previously discussed threats relate to the high-level misuse of properly formatted RFID data, while the RFID malware described in this paper concerns the low-level misuse of improperly formatted RFID tag data.

Section snippets

Enabling factors for RFID malware

RFID malware is a Pandora’s box that has been gathering dust in the corner of our “smart” warehouses and homes. While the idea of RFID viruses has surely crossed people’s minds, the desire to see RFID technology succeed has suppressed any serious consideration of the concept. Furthermore, RFID exploits have not yet appeared “in the wild”, so people conveniently assume that the power constraints faced by RFID tags make RFID installations invulnerable to such attacks.

Unfortunately, this viewpoint

RFID malware overview

This section will introduce the three main types of RFID malware: RFID exploits, RFID worms, and RFID viruses.

RFID malware design principles

This section will illustrate the design principles of RFID malware, presenting the infection mechanisms and payloads that can target typically architected RFID middleware systems.

Detailed example: Oracle/SSI virus

Yogi Berra once said, “In theory there is no difference between theory and practice. In practice there is.” For that reason, we have implemented our RFID malware ideas, to test them for their real-world applicability.

This section will give a detailed description of an RFID virus implementation that specifically targets Oracle and Apache Server-Side Includes (SSIs). This RFID virus combines self-replication with a malicious payload, and the virus leverages both SQL and script injection attacks.

Discussion

Once we were convinced of the feasibility of RFID malware and viruses, we started “porting” our RFID malware to a variety of different platforms. These efforts met with moderate but not unqualified success. The results are summarized in Table 5.

We learned that some RFID middleware components are more susceptible to RFID malware attacks than others. The WWW management interface was a large source of problems; upon script exploitation, the compromised Apache web server allowed unauthorized system

Countermeasures

Now that we have demonstrated how to exploit RFID middleware systems, it is important for RFID middleware designers and administrators to understand how to prevent and fix these problems. Concerned parties can protect their systems against RFID malware by taking the following steps [16]:

  (1) Bounds checking. Bounds checking can prevent buffer overflow attacks by detecting whether or not an index lies within the limits of an array. It is usually performed by the compiler, so as not to induce runtime
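The Oracle/SSI virus section above describes tag data that is spliced into SQL by the middleware and later rendered through a server-parsed web management page, and the countermeasures list opens with checks on the data before it is used. The simulator below is an added example, not the paper’s own code or its Oracle/Apache test bed: a constructed in-memory SQLite table stands in for the Oracle back end, `ingest_vulnerable` is the trusting middleware, `ingest_bound_only` and `ingest_hardened` show parameter binding and an allowlist check, and `render_row` escapes tag data before it reaches a management page. The table name, the tag payloads, the allowlist regex and the assumption that a tag carries a short free-text description are all assumptions made for this example; the paper’s self-replicating construction is not reproduced here.

```python
"""Constructed RFID middleware simulator (added example, not the paper's code).

An in-memory SQLite table stands in for the Oracle back end. A tag is assumed
to carry a short free-text description; that format is an assumption made
for this example.
"""
import html
import re
import sqlite3

# Allowlist for what a description read from a tag is permitted to contain.
# This is the RFID analogue of bounds checking: length and character class
# are fixed before the bytes read off the air touch the database.
TAG_DATA_RE = re.compile(r"[A-Za-z0-9 ._-]{1,64}")

SCHEMA = """
CREATE TABLE containers (
    id   INTEGER PRIMARY KEY,
    data TEXT NOT NULL
);
INSERT INTO containers (data) VALUES ('Apples'), ('Pears');
"""

# Constructed sample tag contents. The malicious one closes the SQL string
# literal and the VALUES list, appends a statement that overwrites every
# existing row, and comments out the remainder of the middleware's query.
BENIGN_TAG = "Raspberries"
MALICIOUS_TAG = "x'); UPDATE containers SET data = 'OWNED'; --"


def fresh_db():
    """A new in-memory database holding two pre-existing inventory rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def ingest_vulnerable(conn, tag_data):
    """Middleware that trusts the tag: splices its data into the SQL text and
    hands the whole string to the driver, which runs every statement in it."""
    sql = "INSERT INTO containers (data) VALUES ('%s');" % tag_data
    conn.executescript(sql)


def ingest_bound_only(conn, tag_data):
    """Parameter binding alone: the tag data travels as a value and is never
    parsed as SQL, so it is stored verbatim even when it contains SQL."""
    conn.execute("INSERT INTO containers (data) VALUES (?)", (tag_data,))
    conn.commit()


def ingest_hardened(conn, tag_data):
    """Allowlist validation first, then binding. Data that does not look like
    a description is rejected rather than stored and later written back out
    to web pages or to other tags."""
    if TAG_DATA_RE.fullmatch(tag_data) is None:
        raise ValueError("tag data rejected: %r" % (tag_data,))
    ingest_bound_only(conn, tag_data)


def all_data(conn):
    """The description column, in row order."""
    rows = conn.execute("SELECT data FROM containers ORDER BY id")
    return [row[0] for row in rows]


def render_row(data):
    """Rendering for a management page. Escaping turns an SSI directive such
    as <!--#exec cmd="..." --> into inert text; a server-parsed page would
    otherwise act on it. Keep exec disabled on the server as well (Apache's
    Options IncludesNOEXEC)."""
    return "<td>%s</td>" % html.escape(data, quote=True)


if __name__ == "__main__":
    db = fresh_db()
    ingest_vulnerable(db, MALICIOUS_TAG)
    print("vulnerable:", all_data(db))      # every row now reads OWNED

    db = fresh_db()
    ingest_bound_only(db, MALICIOUS_TAG)
    print("bound:", all_data(db))           # payload stored as plain text

    db = fresh_db()
    ingest_hardened(db, BENIGN_TAG)
    try:
        ingest_hardened(db, MALICIOUS_TAG)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened rows:", all_data(db))
    print(render_row('<!--#exec cmd="id" -->'))
```

Binding alone is enough to stop the SQL injection, but the payload is then stored as an ordinary row and comes back out wherever the middleware reads that column, which is exactly the path a self-replicating tag virus rides; the allowlist closes that path by refusing to store it, and output escaping protects the management interface from whatever does get stored. With Oracle the equivalent of the bound `?` is a bind variable; the principle is the same on every platform in the discussion section.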

Conclusion

RFID malware threatens an entire class of Pervasive Computing applications. Developers of the wide variety of RFID-enhanced systems will need to “armor” their systems, to limit the damage that is caused once hackers start experimenting with RFID exploits, RFID worms, and RFID viruses on a larger scale. This paper has underscored the urgency of taking these preventative measures by demonstrating the feasibility of RFID malware on several platforms, and presenting a fully illustrated example of a

Acknowledgement

This work was supported by the Nederlandse Organisatie voor Wetenschappelijk Onderzoek (NWO), as project #600.065.120.03N17.

References (21)

  • [1] M. Weiser, The computer for the twenty-first century, Scientific American (1991).
  • [2] J. Ditlev, Rest in peace, in: RFID Buzz....
  • [3] International Civil Aviation Organization, Biometrics deployment of machine readable travel documents, 2004....
  • [4] S. Bono, M. Green, A. Stubblefield, A. Juels, A. Rubin, M. Szydlo, Security analysis of a cryptographically-enabled...
  • [5] Z. Kfir, A. Wool, Picking virtual pockets using relay attacks on contactless smartcard systems, in: 1st Intl. Conf. on...
  • [6] V.R. Basili et al., Software errors and complexity: An empirical investigation, Communications of the ACM (1984).
  • [7] N. Weaver, V. Paxson, S. Staniford, R. Cunningham, A taxonomy of computer worms, in: First Workshop on Rapid Malcode,...
  • [8] C. Anley, Advanced SQL injection in SQL Server applications....
  • [9] Microsoft Corporation, How to prevent cross-site scripting security issues....
  • [10] US-CERT, Vulnerability Note VU#181038 — Microsoft Windows Metafile handler SETABORTPROC GDI Escape...

Melanie R. Rieback is a Ph.D. student at the Vrije Universiteit Amsterdam in the Computer Systems Group. Her research interests include computer security, ubiquitous computing, and Radio Frequency Identification. Melanie has an MSc. in computer science from the Technical University of Delft, and in a past life, she worked as a bioinformaticist on the Human Genome Project. Contact her at Dept. of Computer Science, Vrije Universiteit Amsterdam, De Boelelaan 1081a, 1081 HV Amsterdam, The Netherlands; [email protected]; www.cs.vu.nl/~melanie.

Patrick N.D. Simpson is an M.Sc. student at the Vrije Universiteit Amsterdam in Parallel and Distributed Computing Systems. His research interests include MINIX hacking, computer security, and Radio Frequency Identification. Contact him at Dept. of Computer Science, Vrije Universiteit Amsterdam, De Boelelaan 1081a, 1081 HV Amsterdam, The Netherlands; [email protected]; www.cs.vu.nl/~psimpson.

Bruno Crispo received an M.Sc. in computer science from the University of Torino, Italy and a Ph.D. in computer science from the University of Cambridge, UK. He is currently an Assistant Professor of Computer Science at the Vrije Universiteit in Amsterdam. His research interests are security protocols; authentication, authorization and accountability in distributed and ubiquitous systems; and sensor security. He has published several papers on these topics in refereed journals and in the proceedings of international conferences. Contact him at Dept. of Computer Science, Vrije Universiteit Amsterdam, De Boelelaan 1081a, 1081 HV Amsterdam, The Netherlands; [email protected]; www.cs.vu.nl/~crispo.

Andrew S. Tanenbaum has an S.B. from M.I.T. and a Ph.D. from the University of California at Berkeley. He is currently a Professor of Computer Science at the Vrije Universiteit in Amsterdam. His research interests are reliability and security in operating systems, distributed systems, and ubiquitous systems. He is the author of five books that have been translated into 20 languages, as well as the author of over 100 published papers. He has lectured in over a dozen countries. Tanenbaum is a Fellow of the IEEE, a Fellow of the ACM, and a member of the Royal Dutch Academy of Sciences. Contact him at Dept. of Computer Science, Vrije Universiteit Amsterdam, De Boelelaan 1081a, 1081 HV Amsterdam, The Netherlands; [email protected]; www.cs.vu.nl/~ast.

This is an extended version of the paper “Is Your Cat Infected with a Computer Virus?”, presented at IEEE PerCom in March 2006.
