Are RFID Tags Vulnerable to Viruses?

Virus check in aisle four!

It’s unlikely you will hear that in your local supermarket anytime soon. But retailers and vendors involved in wireless RFID tagging are concerned that the tagging devices may provide a direct line through the supply chain for viruses and malicious code.

Such injections would be hard to track and even harder to stop.

This, say experts, is because radio frequency ID (RFID) tags number in the billions, and the information that is captured or transmitted by these small devices usually does not travel through the same protected screens and firewalls as conventional wireless data traffic.

A report released this week by researchers at Vrije University in Amsterdam heightened concern about RFID and viruses.

It said that RFID tags could be used as a medium to transmit a computer virus that might eventually bring an entire system to its knees. The report also noted that the limited storage buffer of an RFID tag — typically ranging from 90 to just over 100 bytes — offers just enough legroom for damaging code to hide out and wait for a connection to the network.

Wal-Mart and the Department of Defense are among the heavey users of RFID. So if RFID technology can be easily compromised, then this is a serious concern.

Of course any sort of digital technology that is networked can be infringed upon or corrupted with malicious intent, Srini Krishnamurthy, vice president of Strategy & Business Development for Airbee Wireless, told

“Although read-only and, in some cases, read/write, RFID data lives in the same environment that viruses and worms permeate on the Internet.”

Tags that have been tampered with “can introduce errors which could spread and create chaos until it gets noticed,” he added. “Airline baggage tags are a good example of that scenario and an attractive target.”

Norm Laudermilch, CTO of Trust Digital, said it doesn’t take much malicious code to do things like a SQL injection or take advantage of vulnerabilities in a PHP Web site.

Plugging the holes in RFID technology may not be all that difficult, however. There is currently a “very short list” of vendors that focus on interactions with RFID tags, Laudermilch said.

So it wouldn’t be hard to get them all to agree on a protective plan of action, he added. Middleware programming can also be created fairly rapidly to check for such things as buffer overflow and strange bits of coding on a tag.

“The vulnerability is highly system-dependant,” said Andrew Jones, business development manager with Intrinsyc Software and an expert in RFID systems and wireless kiosks.

“If there are exploitable vulnerabilities, they could only be taken advantage of if the supply chain management systems were using particular tags in a very particular way.”

Most major manufacturers worldwide have embraced RFID tagging as a means to track shipments, control costs and extend “just-in-time” manufacturing principles right to the customer.

Wal-Mart is one of the more high-profile users since it was the first to demand that all its suppliers eventually use RFID tags and coding on the products offered through this retail chain.

So far, the results are positive. FID tagging is credited with reducing out-of-stock merchandise and excess inventory by up to 16 percent, according to an independent study.

The U.S. Department of Defense is also a heavy user of RFID tags, as are many airports throughout the country that use the technology to track everything from luggage to passengers.

News Around the Web