The technoblogosphere is abuzz with the news that a group of computer scientists at the Vrije Universiteit Amsterdam have determined that RFID tags could be used as carriers for computer viruses. The reportage on this study has been fairly overblown, a problem exacerbated by the researchers titling their report "Is Your Cat Infected With A Computer Virus?" (PDF). The real problem is both less frightening and more interesting than these reports suggest.
The extended entry contains a non-technical explanation of what the fuss is all about.
This research is an important reminder that any digital device that is both on a network and able to have its data changed by external action (even something as simple as receipt of an email) is a potential virus host. By and large, we've become accustomed to thinking about viruses on our desktop and laptop computers, but as previously "dumb" devices pick up networked smarts, we will have to broaden our awareness of a sometimes-hostile digital ecosystem. I would like to see all future discussions of (for example) "blogjects" acknowledge the virus issue, even in passing. If your refrigerator is on the Internet, somebody's going to try to write a virus for it.
Things will get even weirder as we move into the fabrication future. As we develop more sophisticated fabbers, it will be very important that we also develop the kinds of digital "immune systems" that would prevent the introduction of harmful code into the product design files. Not just to prevent the propagation of viruses on those computers, but to prevent the introduction of malicious (and hidden) hardware into the printed objects themselves! For example, imagine printing out a chair using a design that's been hacked to include hardware in the seat that could scan nearby credit cards and send them off over the network...
It looks like one of the unexpected results of the emergence of an "Internet of Things" is the need to think about the health of our material goods.
What the researchers determined was that RFID tags, which normally have less than a kilobyte of memory, could be used as carriers of computer viruses designed to infect the much larger computer systems used to read the tags. Once infected, the readers would then be able to pass the infection along by rewriting the RFID tags they scan. The tags themselves are just carriers; the real issue is the potential vulnerability of scanning computers to the commonplace types of attacks used by current viruses and network intruders (so-called "buffer overflows" and "malformed database queries"). The authors detail the ways in which RFID tags could be made to carry both viruses and worms, as well as how to secure the scanning systems. In their paper (highly recommended to readers willing to endure a bit of tech jargon), they even document their real-world creation of RFID malware to test their own claims.
It's important to note that for any virus to infect the RFID scanning computers -- whether carried by a hacked RFID tag or otherwise -- the computer needs to be poorly-secured, and the software poorly-written. RFID scanning systems that don't have software holes would be immune. Sadly, the prevalence of viruses and similar attacks on regular computing systems demonstrates just how commonplace software holes can be.
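To make the "malformed database query" case concrete, here is an added example (not from the original post or the researchers' paper): a hypothetical reader back end that pastes tag contents into a SQL statement, shown beside a version that validates the tag and binds it as a parameter. The table, function names, tag format and both tag payloads are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample payloads, as a reader would hand them to its back end.
BENIGN_TAG = "CRATE-0042"
# Constructed hostile payload: the quote closes the string literal and the
# rest widens the WHERE clause to every row. It fits easily in a small tag.
HOSTILE_TAG = "CRATE-0042' OR '1'='1"

# Assumed tag ID format for this example: short, upper-case, digits, hyphens.
TAG_FORMAT = re.compile(r"[A-Z0-9-]{1,32}")


def make_inventory():
    """Build a small in-memory inventory table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (tag TEXT PRIMARY KEY, scanned INTEGER DEFAULT 0)")
    db.executemany("INSERT INTO items (tag) VALUES (?)",
                   [("CRATE-0042",), ("CRATE-0043",), ("CRATE-0044",)])
    return db


def mark_scanned_vulnerable(db, tag_data):
    """Poorly written: tag contents become part of the SQL text itself."""
    cur = db.execute("UPDATE items SET scanned = 1 WHERE tag = '" + tag_data + "'")
    return cur.rowcount


def mark_scanned_hardened(db, tag_data):
    """Treat tag contents as untrusted input."""
    # 1) Reject anything that is not shaped like a tag ID.
    if not TAG_FORMAT.fullmatch(tag_data):
        raise ValueError("tag payload rejected")
    # 2) Bind the value as a parameter, so it is always data and never SQL.
    cur = db.execute("UPDATE items SET scanned = 1 WHERE tag = ?", (tag_data,))
    return cur.rowcount


if __name__ == "__main__":
    print("vulnerable, benign tag :", mark_scanned_vulnerable(make_inventory(), BENIGN_TAG))
    print("vulnerable, hostile tag:", mark_scanned_vulnerable(make_inventory(), HOSTILE_TAG))
    print("hardened, benign tag   :", mark_scanned_hardened(make_inventory(), BENIGN_TAG))
    try:
        mark_scanned_hardened(make_inventory(), HOSTILE_TAG)
    except ValueError as err:
        print("hardened, hostile tag  :", err)
```

The vulnerable function updates every row when it reads the hostile tag, while the hardened one refuses the payload before it reaches the database.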
An excellent post giving an insight to the news and an excellent viewpoint.