RFID Worms - Fact or Fiction?  
Posted by Gunter Ollmann on October 16, 2007 at 10:10 PM EDT.

A few weeks ago IBM ISS worked with the Georgia Tech Information Security Center (GTISC) to release a paper entitled “Emerging Cyber Threats Report for 2008”.  As one of the contributors to the report I subsequently received a number of enquiries concerning some of the content; particularly the RFID security threats.

First of all, you’d have thought that a technology as ubiquitous as RFID would hold few security secrets or concerns – after all, most of us have been living with the technology for several decades already.  But that most certainly doesn’t appear to be the case. 

While there has been plenty of concern over consumer privacy aspects of RFID use in the retail sector, it looks like only the attendees of conferences such as BlackHat and Defcon have seen some of the darker side of what could be possible in the world of RFID hacking.

The RFID Worm

Without digressing too far, in one thoughtful conversation a link was made to RFID-based malware – worms in particular.  From what I understand, sometime last year there was a lot of press attention in Germany about the possibility of an RFID worm threat (and subsequent consumer fear).  But at the time of the conversation I hadn’t really given much thought to worms.

A quick Google revealed an article published in New Scientist entitled “RFID worm created in the lab” and an entire Web site dedicated to the subject –

Anyhow, I’ve been reviewing some of the material that has been published over the last couple of years and coupled that with some other research I’ve been involved in more recently.  The conclusion I’ve arrived at is that while it is technically possible to create a RFID-based worm under lab conditions, I really don’t see it as a threat that needs worrying about today.  In fact I’d say it’s more hype than anything real.

Now, don’t get me wrong.  The nature of the security threats facing RFID technologies shouldn’t be underestimated.  Today’s more sophisticated RFID deployments are already being closely scrutinized (by all types of security researcher), and many vulnerabilities have been uncovered.  However, they are unlikely to be leveraged in worm-like fashion to formulate an attack. 

In the future – as the myriad of vendor proprietary RFID communication protocols consolidate and implementers widely adopt ISO-based standards – I can see the opportunity for worm-based propagation to become increasingly feasible outside of ideal lab conditions and actually reap some notable level of damage.  But, to be perfectly honest, I can’t see why anyone would bother to launch an RFID attack that way.  We’ve already seen traditional worm-based malware steadily diminish as a corporate threat as their malicious authors shift to more profit-motivated attacks.  So, by the time enough industries have adopted and implemented inter-enterprise standards-based RFID systems (over the next few years), I doubt that there will be much call for worms as such.

However, the other security threats to RFID implementations are still very real and we should pay close attention to them. 

Fact not fiction

While great play has been made of breaking the various protection systems of existing tag formats along with the cloning of ‘unique’ tags, I think that the real threat – the one that will “bite you in the arse” – actually lies within the middleware.

In essence, a lot of the “security” built into the various RFID protocols and products has been focused on the RF tag and RF reader level. Meanwhile, too little consideration has been given to the nature of the data contained within the tags and how it will be interpreted by the software that interfaces with backend systems.  If I had to liken it to anything, I’d draw parallels with the early days of Web application development.

Web attack parallels

A decade ago the first few generations of Web application design assumed that locking down the type of data a user could physically input through the browser interface (and performing client-side validation) would be good enough.  However, with very little effort, malicious users quickly discovered plenty of ways to bypass these rudimentary client-side validation processes and could subsequently submit data that would be interpreted by the Web application and backend systems entirely differently.  The age of code insertion, cross-site scripting and SQL injection was born.

Unfortunately, it appears to me that RFID is following exactly the same path to “security enlightenment”, and we’re already observing classic SQL injection flaws appearing in some technology implementations.  A concern that I have is that we’re now talking about a physical implementation of a “trusted” technology (think of huge international supply chain operations), which will make it much more expensive and difficult to fix in the future.
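The middleware flaw described above, as an added example that is not from the original post: a reader hands the bytes it pulled off a tag to a lookup routine, which splices them into a SQL statement exactly as an early Web application spliced form fields. The backend is an in-memory SQLite database, the shipment rows are constructed sample data, the 24-hex-digit EPC format is an assumed encoding, and the function names are hypothetical. Anyone able to write a blank tag chooses the payload, so the tag memory is attacker input in the same sense a browser form field is.

```python
import re
import sqlite3

# Constructed sample inventory for the demonstration; not real shipment data.
SAMPLE_SHIPMENTS = [
    ("30340000000000000000001A", "pallet of widgets", "in-transit"),
    ("30340000000000000000001B", "pallet of gadgets", "received"),
    ("30340000000000000000001C", "controlled substances", "quarantined"),
]

# Assumed tag encoding: a 96-bit EPC rendered as 24 upper-case hex digits.
EPC_HEX = re.compile(r"[0-9A-F]{24}")


def make_backend() -> sqlite3.Connection:
    """Stand-in for the warehouse database the middleware talks to."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE shipments (epc TEXT PRIMARY KEY, item TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO shipments VALUES (?, ?, ?)", SAMPLE_SHIPMENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, tag_payload: bytes) -> list:
    """The anti-pattern: whatever the reader pulled off the tag is decoded and
    pasted straight into SQL, as if the air interface had already validated it."""
    epc = tag_payload.decode("ascii", errors="replace")
    sql = f"SELECT epc, item, status FROM shipments WHERE epc = '{epc}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, tag_payload: bytes) -> list:
    """Treat tag memory as untrusted input: enforce the expected encoding and
    shape before it reaches the backend, and bind the value as a parameter
    instead of building the statement by string concatenation."""
    try:
        epc = tag_payload.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("tag payload is not ASCII") from None
    if not EPC_HEX.fullmatch(epc):
        raise ValueError(f"tag payload is not a well-formed EPC: {epc!r}")
    return conn.execute(
        "SELECT epc, item, status FROM shipments WHERE epc = ?", (epc,)
    ).fetchall()


if __name__ == "__main__":
    backend = make_backend()
    genuine_tag = b"30340000000000000000001A"
    # Constructed hostile tag: eleven bytes of user memory, nothing exotic.
    hostile_tag = b"' OR '1'='1"

    print("vulnerable, genuine tag:", lookup_vulnerable(backend, genuine_tag))
    # The tautology turns a single-tag lookup into a dump of every shipment.
    print("vulnerable, hostile tag:", lookup_vulnerable(backend, hostile_tag))
    print("hardened, genuine tag:  ", lookup_hardened(backend, genuine_tag))
    try:
        lookup_hardened(backend, hostile_tag)
    except ValueError as exc:
        print("hardened, hostile tag:   rejected:", exc)
```

Parameter binding is what stops the database from interpreting tag bytes as SQL; the format check matters separately, because the same EPC string is typically forwarded to other systems (ERP, partner EDI feeds) that will apply their own interpretation to it.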

RFID is fast becoming a hot security research topic.  While most of the world is distracted with the security intricacies of Web 2.0, the last couple of years have seen quite a few innovative (and downright scary) conference talks on busting RFID security technologies.  As the latest round of RFID ISO standards get widely adopted, and tag manufacturing prices drop to a few cents, we’re all expecting an explosion in new deployments and innovative use. 

Look out world.  It may not be an RFID worm coming your way, but practically every other hack will be.

    Copyright 2001-2007 © Gunter Ollmann