Dutch computer science researchers have warned that viruses embedded in radio frequency identification (RFID) tags used in supply chains to track and trace goods are around the corner.
Although no viruses targeting RFID technology have been released live yet, according to the researchers at Vrije Universiteit Amsterdam in the Netherlands, the tags have several characteristics that could be engineered to exploit vulnerabilities in middleware and back-end databases.
They described RFID malware as a “Pandora's box that’s gathering dust in the corner of 'smart' warehouses and homes." The attacks can come in the form of an SQL injection or a buffer overflow attack, even though the tags themselves may only store a small bit of information, the paper said. For demonstration purposes, the researchers even created a proof-of-concept, self-replicating RFID virus.
One of the university students needed only four hours to write a virus small enough to fit on an RFID tag. The demonstration then used homegrown middleware connected to back-end databases from suppliers such as Oracle and Microsoft, along with open source databases such as MySQL and Postgres.
RFID offers significant potential for tracking and tracing in a number of sectors, especially in preventing counterfeiting in the pharmaceutical industry. It was probably only a matter of time before someone seriously queried its security.