Intelligent Machines

RFID: At Risk from Viruses?

As part of an information system, even the lowly RFID tag is vulnerable.

When Dutch researchers announced in March they’d managed to use radio frequency ID tags as a means of passing a virus to an information system’s database, they merely demonstrated the obvious, says Daniel Engels, first research director at the Auto-ID Labs at MIT, a center of RFID research. RFID systems, being computers, are as vulnerable to viruses as any other computer. Good system designs and targeted applications minimize risk, Engels says.

Technology Review: Generally, how vulnerable are RFID systems to fraud, attacks, and viruses?

Daniel Engels: RFID systems, just like bar code systems, are computing and information systems. As such, they are potentially vulnerable. At the simplest level, think of a shoplifter who sticks a bar code for a 12-ounce jar of peanut butter over the bar code on a 16-ounce jar. He only pays the 12-ounce price, because that’s what the information system is reading. The information system is relying upon the cashier to catch any discrepancies. An RFID tag could theoretically be switched, too.

This story is part of our May/June 2006 Issue

TR: How, exactly, are viruses a threat?

DE: Most RFID tags are simple database devices. The data–commonly a product identifier plus a serial number–is either written in the wafer fab facility or at the point the tag is applied. Once data is written, it is locked, preventing any modification. You’d have to destroy the tag and replace it. Tags with rewritable memory may have a virus written to their memory, but the memory contents have no impact on the tag’s operations. So most tags are not vulnerable to viruses, but some may be carriers of viruses.

TR: What about the fancier tags?

DE: Some RFID tags are able to store large quantities of data, such as the active tags used by the military to track its shipping containers. These act as unsecured databases and should be treated as such. Viruses may be stored in this user-memory portion. But the data typically needs to be in a specific format to be usable by the information system. This limits the potential for attacks, since incorrectly formatted data will be rejected by the system.

TR: So it’s up to the designers of the computing systems to stop such an attack?

DE: As with all computing and information systems, security requires a multilayered approach when any automated identification system is used. RFID systems are simply an enabling technology. The power of the system lies within the information system using the captured data.

When RFID systems are used to store data other than the item’s unique identifier, security measures must be used to authenticate the data and its authors. It is incumbent upon the information system to authenticate the data and verify that the format and structure of the data are appropriate for the applications using it.

TR: What does the future hold?

DE: As RFID technologies become more widespread and available at lower costs, the likelihood of various attacks will increase. But the potential security attacks on RFID systems and the information systems that support them are well known and well understood by experts within the industry. There is a price to be paid to implement countermeasures. As the cost and frequency of successful attacks increase, more security features will be integrated into the RFID tags themselves and the information systems supporting them.
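
The back-end checks described in the interview (authenticate the data and its author, then verify format and structure before an application uses it) can be sketched as follows. This is an added example, not part of the original interview or any product's code; the payload layout, the key, the `reads` table and the sample values are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import re
import sqlite3

# Assumptions (hypothetical, not from the interview): user memory holds an ASCII
# payload "<24 hex chars>;LOT=<lot code>" followed by a 32-byte HMAC-SHA256.
KEY = b"constructed-demo-key"  # constructed; real keys come from a key store
MAC_LEN = 32
PAYLOAD_RE = re.compile(rb"\A[0-9A-F]{24};LOT=[A-Z0-9]{1,12}\Z")

def _mac(payload, key):
    return hmac.new(key, payload, hashlib.sha256).digest()

def make_tag_memory(payload, key=KEY):
    """Trusted writer side: append the MAC to the payload."""
    return payload + _mac(payload, key)

def ingest(db, memory, key=KEY):
    """Back-end side: authenticate, check format, then store."""
    if len(memory) <= MAC_LEN:
        return "rejected: too short"
    payload, mac = memory[:-MAC_LEN], memory[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(payload, key)):
        return "rejected: bad MAC"          # author not authenticated
    if not PAYLOAD_RE.match(payload):
        return "rejected: bad format"       # authentic but malformed
    ident, lot = payload.decode("ascii").split(";LOT=")
    # Parameterized query: tag data is never spliced into SQL text.
    db.execute("INSERT INTO reads (ident, lot) VALUES (?, ?)", (ident, lot))
    return "accepted"

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reads (ident TEXT, lot TEXT)")
    good = b"3034257BF400B7800004CB2F;LOT=A17"      # constructed sample
    odd = b"3034257BF400B7800004CB2F;LOT=A17'--"    # constructed, off-format
    results = [
        ingest(db, make_tag_memory(good)),          # written by key holder
        ingest(db, odd + b"\x00" * MAC_LEN),        # rewritten without the key
        ingest(db, make_tag_memory(odd)),           # signed but malformed
        ingest(db, b"short"),
    ]
    rows = db.execute("SELECT ident, lot FROM reads").fetchall()
    return results, rows

if __name__ == "__main__":
    print(demo())
```

Each layer rejects something the others would let through: the MAC stops data written by anyone without the key, the format check stops authentic but malformed data, and the parameterized insert keeps stored tag content out of the SQL text.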
