Daily Archives: March 15, 2006

More RFID tag problems

RFID (radio frequency identification) tags are being used increasingly as a means to track people and stuff. Walmart for example is demanding that all their suppliers embed rfid tags in every item they ship to walmart. Walmart can then use this track inventory. Of course they can also this track the stuff you have in your shopping cart to offer you other deals. Another use of RFID tags that has been proposed is in passports. The US government has demanded that all new passports issued by October of this year have to have rfid tags embedded in them. The reason given is try and prevent counterfeiting of passports and to speed processing. An rfid tag is a basically a chip with information programmed into it that can be read remotely by a radio frequency reader. The problem is that anyone with a reader can pick up the information from such a passport if they are within 30 or so feet of you. The passports are supposed to come with a sleeve to shield them but you know that people will not always use it and the passports have to be removed to go through security. At these times anyone could pluck the information and grab your identity. Bad guys that use technology are usually a lot smarter than the government officials who mandate these changes. It is a given that if you provide a doorway like this for someone to sneak through they will use for something bad long before officials ever figure out what hit them.

Well now there is another new problem with rfid tags. Viruses. I just found this item via digg.com. Researchers at Vrije Universiteit Amsterdam in the Netherlands have created a self replicating rfid tag virus as a proof of concept. In order for rfid tags to be useful there needs to be some back-end database software running connected to the readers. The researchers demonstrated that they could create virus code small enough to fit in the limited memory of an rfid tag. When the tag is read the code is copied back to the database, and fro there it is copied to other tags that are read. This could can be used to cause all kinds of havoc. They give an example of an airport baggage handling system.

For example, airports are considering using RFID tags to track baggage. But Tanenbaum warned that this application could pose a large problem if an RFID tag is read and delivers a much larger set of data in return. A false tag on a piece of baggage could exploit a buffer overflow to deliver a virus to the RFID middle-ware. Once the virus code is on the server, it could infect the databases and corrupt subsequent tags or install back doors — small programs that allow for the extrication of data over the Internet, Tanenbaum said.

“You can hide baggage,” Tanenbaum said. “You can reroute baggage to the wrong place — all kinds of mischief. That’s I think a very, very serious thing that even has national security implications.”

Rfid tags definitely fall into the category of new technologies that create a lot of unintended consequences. With most new technology the unintended consequences aren’t discovered until after the fact. Here we have an example that we know about as the technology is just being rolled out. It is not too late to stop some of these implementations until we come up with some solutions before something really bad happens. Using technology to make things easier is not always a good idea. Let’s slow down and think about we are doing for a change.