[IP] NYT on RFID Viruses

To: ip@xxxxxxxxxxxxxx
Subject: [IP] NYT on RFID Viruses
From: David Farber <dave@xxxxxxxxxx>
Date: Wed, 15 Mar 2006 14:09:12 -0500
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <6.2.0.14.2.20060315102712.03c38d80@xxxxxxxxxxx>
Reply-to: dave@xxxxxxxxxx



Begin forwarded message:

From: Ross Stapleton-Gray <amicus@xxxxxxxx>
Date: March 15, 2006 2:02:14 PM EST

To: Dave Farber <dave@xxxxxxxxxx>, "johnmac's living room"<johnmacsgroup@xxxxxxxxxxxxxxx>

Subject: NYT on RFID Viruses

John Markoff reports on a paper being presented today by researchersfrom the computer science department at Vrije Universiteit inAmsterdam, claiming that RFID tags can be infected with viruses:

http://www.nytimes.com/2006/03/15/technology/15tag.html

The examples given, though, seem rather fancifal, and there's a lotof blurring of technologies, e.g., Peter Neumann's quote that, "Itshouldn't surprise you that a system that is designed to bemanufactured as cheaply as possible is designed with no securityconstraints whatsoever," may be quite apt in describing earlygenerations of tags, e.g., where all they are are passive beaconsspitting out a unique serial to anyone who asks (hence aren'tconfidential, something like a screaming baby in a crowdedrestaurant), but it's a huge stretch to extrapolate from that thatlater tags will be easily "infectable," that readers will be shotthrough with buffer overflow errors, etc.

I think we'll find that the vast majority of RFID deployments arerather constrained... a baggage tag scanning system is going to spendall of its time, well, scanning bags. And that means looking for aspecific format, reading it, and ignoring anything that isn't whatyou're looking for. Could a particular flavor of RFID reader beingused in a baggage handling application have a buffer overflow bug?Perhaps, but easily checked. (And even were there such a fault,bootstrapping up into commandeering the baggage management systemseems pretty ambitious, and, again, probably pretty easily detected.)

What is true is that there a lot of areas of potential security andprivacy risks with RFID; some are inherent in the technology (e.g.,it's trivial to "counterfeit" a tag, for those tags intended to becheap and simple, but you don't rely on the tag ID being uncopyable,you assume it can be, and use such tags only for the same thingsyou'd use a print bar code for... retailers have had to deal withcustomers affixing bogus bar codes over real ones, and RFID will seethe same threats) and others arise from how we engineer systems.

Very buggy operating systems on PCs, and even now on cell phones,should certainly cause us to be aware of the threat of viruses, butI'd rate viruses-via-RFID as only a little more plausible thanpicking up a book in the library and having your DNA remapped byrandom As, Cs, Gs and Ts from the text...


Ross


----
Ross Stapleton-Gray, Ph.D.
Stapleton-Gray & Associates, Inc.
http://www.stapleton-gray.com
http://www.sortingdoor.com
ross@xxxxxxxxxxxxxxxxxx






-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] Wall St on Bell investments and Net Neutrality
Next by Date: [IP] TV Stations Fined Over CBS Show Deemed to Be Indecent
Previous by thread: [IP] Wall St on Bell investments and Net Neutrality
Next by thread: [IP] TV Stations Fined Over CBS Show Deemed to Be Indecent
Index(es):
- Date
- Thread