A group of Dutch researchers have demonstrated that it is possible to insert malicious code into an RFID chip at an RF-ID conference 15 March 2006 in Pisa, Italy. Their paper, “Is Your Cat Infected with a Computer Virus?” (pdf). Their paper said:

“RFID malware is a Pandora’s Box that has been gathering dust in the corner of our ’smart’ warehouses and homes. RFID exploits have not yet appeared in the wild. So people conveniently figure that the power constraints faced by RFID tags make RFID installations invulnerable to such attacks.”

But the trade association for RF-ID, AIM Global, says it isn’t so:

“Many of the basic assumptions in the paper overlook a number of fundamental design features necessary in automatic data collection systems and good database design,” says AIM Global president, Dan Mullen.

“In other words, the researchers built a system with a weakness and then proceeded to show how the weakness could be exploited. Not surprisingly, poor system design, whether capturing RFID tag information, bar code information or keyboard-entered data, will create vulnerabilities.”

British firm Sophos, an anti-virus firm, claimed that viruses can’t be spread through RFID tags and the “sky is not falling”.

The RFID Guardian Project is a collaborative project focused upon providing security and privacy in Radio Frequency Identification (RFID) systems.

Business Week,
The BBC,
New Scientist and
RF-ID Journal have more.

One application of RF-ID is traffic toll lane cards. Boston and Los Angeles explore the challenges and benefits of implementing a smart-card fare collection system.

In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionall) infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags. No one thought this possible until now. Later in this website we provide all the details on how to do this and how to defend against it in order to warn the designers of RFID systems not to deploy vulnerable systems.

While we have some hesitation in giving the “bad guys” precise information on how to infect RFID tags, it has been our experience that when talking to people in charge of RFID systems, they often dismiss security concerns as academic, unrealistic, and unworthy of spending any money on countering, as these threats are merely “theoretical.” By making code for RFID “malware” publicly available, we hope to convince them that the problem is serious and had better be dealt with, and fast. It is a lot better to lock the barn door while the prize race horse is still inside than to deal with the consequences of not doing so afterwards.

Link to RFID Viruses and Worms page, Link to BBC News report (Thanks, KVH!)

UPDATE: Ben Giddings of ThingMagic, who is only speaking as an “annoyed engineer” not a ThingMagic representative, says this is all a bunch of hooey:

The “RFID Virus” is absolutely laughable.

If you read the “paper”, here’s what they do:

1. Construct an RFID middleware system, intentionally design it to have some really obvious security flaws, ones that even most basic web developers know to avoid, namely the two security no-nos of implicitly trusting external data, and treating data as code.

2. Knowing the exact nature of those two obvious security flaws, including the exact implementation of the flaws, send malicious data that exploits those flaws.

This is so laughably stupid, but somehow it got picked up by the news outlets because it contains buzzwords: “RFID” and “Virus”.

Really, what they’re doing is the equivalent of:

1. Designing a barcode system to automatically self-destruct if it ever reads a barcode of 1337 1337, for no reason other than to prove it’s dangerous.
2. Broadcasting to the world that the barcode system will self-destruct if it ever reads a barcode of 1337 1337.
3. Intentionally reading a barcode of 1337 1337.
4. Claiming that barcodes are dangerous.

RFID Tags, just like barcodes are just data. Nothing more than data. If you intentionally design a system to be vulnerable to certain data, then intentionally expose the system to that data, then yup, you’ll have a problem.

I’m surprised the music industry hasn’t tried this with MP3s. Design a MP3 player that will format your hard drive if it sees a certain often-downloaded song, download that song, show the drive getting formatted, then claim that MP3s are dangerous because they might format your hard drive.