RFID: At Risk from Viruses?
When Dutch researchers announced in March they’d managed to use radio frequency ID tags as a means of passing a virus to an information system’s database, they merely demonstrated the obvious, says Daniel Engels, first research director at the Auto-ID Labs at MIT, a center of RFID research. RFID systems, being computers, are as vulnerable to viruses as any other computer. Good system designs and targeted applications minimize risk, Engels says.
Technology Review: Generally, how vulnerable are RFID systems to fraud, attacks, and viruses?
Daniel Engels: RFID systems, just like bar code systems, are computing and information systems. As such, they are potentially vulnerable. At the simplest level, think of a shoplifter who sticks a bar code for a 12-ounce jar of peanut butter over the bar code on a 16-ounce jar. He only pays the 12-ounce price, because that’s what the information system is reading. The information system is relying upon the cashier to catch any discrepancies. An RFID tag could theoretically be switched, too.
TR: How, exactly, are viruses a threat?
DE: Most RFID tags are simple database devices. The data–commonly a product identifier plus a serial number–is either written in the wafer fab facility or at the point the tag is applied. Once data is written, it is locked, preventing any modification. You’d have to destroy the tag and replace it. Tags with rewritable memory may have a virus written to its memory, but the memory contents have no impact on the tag’s operations. So most tags are not vulnerable to viruses, but some may be carriers of viruses.
TR: What about the fancier tags?
DE: Some RFID tags are able to store large quantities of data, such as the active tags used by the military to track its shipping containers. These act as unsecured databases and should be treated as such. Viruses may be stored in this user-memory portion. But the data typically needs to be in a specific format to be usable by the information system. This limits the potential for attacks, since incorrectly formatted data will be rejected by the system.
TR: So it’s up to the designers of the computing systems to stop such an attack?
DE: As with all computing and information systems, security requires a multilayered approach when any automated identification system is used. RFID systems are simply an enabling technology. The power of the system lies within the information system using the captured data.
When RFID systems are used to store data other than the item’s unique identifier, security measures must be used to authenticate the data and its authors. It is incumbent upon the information system to authenticate the data and verify that the format and structure of the data are appropriate for the applications using it.
TR: What does the future hold?
DE: As RFID technologies become more widespread and available at lower costs, the likelihood of various attacks will increase. But the potential security attacks on RFID systems and the information systems that support them are well known and well understood by experts within the industry. There is a price to be paid to implement countermeasures. As the cost and frequency of successful attacks increases, more security features will be integrated into the RFID tags themselves and the information systems supporting them.
Geoffrey Hinton tells us why he’s now scared of the tech he helped build
“I have suddenly switched my views on whether these things are going to be more intelligent than us.”
ChatGPT is going to change education, not destroy it
The narrative around cheating students doesn’t tell the whole story. Meet the teachers who think generative AI could actually make learning better.
Meet the people who use Notion to plan their whole lives
The workplace tool’s appeal extends far beyond organizing work projects. Many users find it’s just as useful for managing their free time.
Learning to code isn’t enough
Historically, learn-to-code efforts have provided opportunities for the few, but new efforts are aiming to be inclusive.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.