Technology Review - Published By MIT

May 2006

RFID: At Risk from Viruses?

As part of an information system, even the lowly RFID tag is vulnerable.

By David Talbot


When Dutch researchers announced in March they'd managed to use radio frequency ID tags as a means of passing a virus to an information system's database, they merely demonstrated the obvious, says Daniel Engels, first research director at the Auto-ID Labs at MIT, a center of RFID research. RFID systems, being computers, are as vulnerable to viruses as any other computer. Good system designs and targeted applications minimize risk, Engels says.

Technology Review: Generally, how vulnerable are RFID systems to fraud, attacks, and viruses?

Daniel Engels: RFID systems, just like bar code systems, are computing and information systems. As such, they are potentially vulnerable. At the simplest level, think of a shoplifter who sticks a bar code for a 12-ounce jar of peanut butter over the bar code on a 16-ounce jar. He only pays the 12-ounce price, because that's what the information system is reading. The information system is relying upon the cashier to catch any discrepancies. An RFID tag could theoretically be switched, too.

TR: How, exactly, are viruses a threat?

DE: Most RFID tags are simple database devices. The data--commonly a product identifier plus a serial number--is either written in the wafer fab facility or at the point the tag is applied. Once data is written, it is locked, preventing any modification. You'd have to destroy the tag and replace it. Tags with rewritable memory may have a virus written to their memory, but the memory contents have no impact on the tag's operations. So most tags are not vulnerable to viruses, but some may be carriers of viruses.

TR: What about the fancier tags?

DE: Some RFID tags are able to store large quantities of data, such as the active tags used by the military to track its shipping containers. These act as unsecured databases and should be treated as such. Viruses may be stored in this user-memory portion. But the data typically needs to be in a specific format to be usable by the information system. This limits the potential for attacks, since incorrectly formatted data will be rejected by the system.

TR: So it's up to the designers of the computing systems to stop such an attack?

DE: As with all computing and information systems, security requires a multilayered approach when any automated identification system is used. RFID systems are simply an enabling technology. The power of the system lies within the information system using the captured data.

When RFID systems are used to store data other than the item's unique identifier, security measures must be used to authenticate the data and its authors. It is incumbent upon the information system to authenticate the data and verify that the format and structure of the data are appropriate for the applications using it.

TR: What does the future hold?

DE: As RFID technologies become more widespread and available at lower costs, the likelihood of various attacks will increase. But the potential security attacks on RFID systems and the information systems that support them are well known and well understood by experts within the industry. There is a price to be paid to implement countermeasures. As the cost and frequency of successful attacks increase, more security features will be integrated into the RFID tags themselves and the information systems supporting them.
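An added example, not part of the interview and not code from any system it describes: one way a back end can do what the interview asks of the information system, authenticating tag user-memory data and checking its format before use. The record layout, the shared key and all function names are assumptions constructed for illustration.

```python
import hashlib, hmac, re, sqlite3, struct

KEY = b"constructed-demo-key"             # assumption: key shared by encoder and back end
HEADER = struct.Struct(">B12sH")          # constructed layout: version, 96-bit item ID, payload length
MAC_LEN = 32                              # HMAC-SHA256 appended to the record
LOT_RE = re.compile(rb"[A-Z0-9-]{1,16}")  # the only payload shape this application accepts

def encode_record(item_id: bytes, lot: bytes, key: bytes = KEY) -> bytes:
    """Build the bytes an authorised encoder would write to tag user memory."""
    body = HEADER.pack(1, item_id, len(lot)) + lot
    return body + hmac.new(key, body, hashlib.sha256).digest()

def parse_record(raw: bytes, key: bytes = KEY) -> tuple[str, str]:
    """Return (item_id_hex, lot) or raise ValueError; no field is used before the MAC verifies."""
    if len(raw) < HEADER.size + MAC_LEN:
        raise ValueError("record too short")
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    version, item_id, length = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    if version != 1 or length != len(payload):
        raise ValueError("bad version or length")
    if not LOT_RE.fullmatch(payload):
        raise ValueError("payload not in expected format")
    return item_id.hex(), payload.decode("ascii")

def store(db: sqlite3.Connection, raw: bytes) -> bool:
    """Insert a verified record using bound parameters; reject everything else."""
    try:
        item_id, lot = parse_record(raw)
    except ValueError:
        return False
    db.execute("INSERT INTO items(item_id, lot) VALUES (?, ?)", (item_id, lot))
    return True

def demo() -> list[bool]:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items(item_id TEXT, lot TEXT)")
    good = encode_record(bytes(range(12)), b"LOT-2006-05")
    tampered = good[:15] + b"X" + good[16:]                        # one payload byte changed after signing
    forged = encode_record(bytes(12), b"LOT-1", key=b"wrong-key")  # writer without the key
    malformed = encode_record(bytes(12), b"lot 7; extra")          # valid MAC, wrong payload shape
    return [store(db, r) for r in (good, tampered, forged, malformed, b"\x01")]

if __name__ == "__main__":
    print(demo())
```

Only the first constructed record is stored; the tampered, forged, malformed and truncated ones are rejected before any field reaches the database.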

May/June 2006

This article is from the May/June 2006 Issue of Technology Review.

Comments

  • RFID: At Risk from Viruses?
    Guest (Ian Casp) on 05/20/2006 at 12:00 AM
    Uhm.. AutoID Center, isn't that the organization that lost a few documents on the Internet in which they made clear that the consumer had to be 'softened' in order to accept RFIDs? I would rather see real security experts (and not an RFID-marketeer) tell this story!

    Ian Casp
  • RFID: At Risk from Viruses?
    jbmorrisonjr on 08/25/2008 at 1:16 PM
    I just saw this article, so please excuse the extremely late comment.

    The only way that a virus, which is executable code, can cause any harm is if it is EXECUTED! The simple action of reading an RFID tag payload will not cause damage or inflict any harm to the reading device.

    I work for a company that creates printers that can encode the RFID tags embedded on labels. 

    Thanks
    John Morrison