RFID software a 'Pandora's box'

The drug industry is becoming too complacent about the safety of radio frequency identification (RFID), according to new research.

The work, published by experts at Vrije Universiteit Amsterdam in the Netherlands, shows how disturbingly easy it is to design an imperfect yet catastrophic virus that can wreak havoc in databases through the low-level misuse of improperly formatted RFID tag data.

In their paper 'Is Your Cat Infected With a Computer Virus?', the researchers warn that the security breaches RFID deployers dread most, such as malware, worms and viruses, are right around the corner: because the technology is still too expensive for mass implementation across the entire drug supply chain, too much emphasis has been placed on making RFID affordable while neglecting safety.

Fighting counterfeit drugs has been one of RFID's main selling points and conventional wisdom has suggested that computer viruses cannot spread through RFID tags because their chips have too little memory.

But the paper warns that this perception exists simply because RFID exploits have not yet appeared "in the wild", and that RFID installations have a number of characteristics, such as lots of source code and generic protocols and facilities, that make them outstanding candidates for exploitation by malware.

To demonstrate this, researchers created the first-ever self-replicating RFID virus which uses a tag to exploit middleware systems and spread through other tags when they are scanned.

Middleware is software which contains the logic of the RFID application and a backend database system, for example Oracle or MySQL, for storing information about the tags.

Calling RFID middleware a "Pandora's box", the paper points out that its exploitation requires more ingenuity than resources, since a very small change to on-tag RFID data can exploit security holes in RFID middleware, subverting its security, and perhaps even compromising an entire network.

Not only can RFID data be read by unauthorised devices or spoofed to create forgeries, it can also be corrupted and infected by a virus so simple that Patrick Simpson, a master's student at the university, took only four hours to write it.

"The virus exploits the same problems that hackers exploit when they use the internet and the RFID industry is giving a mixed reaction, as if old problems have been solved already - they haven't," Melanie Rieback, one of the paper's authors, told In-PharmaTechnologist.com.

"This paper has done a good job of waking the world up, particularly the pharmaceutical industry, where you can rely on a computer chip to hold data worth tens of thousands of dollars."

There are three main ways in which RFID middleware can be exploited: buffer overflows, which are the most common and occur as a result of improper use of a programming language; insertion of malicious code; and SQL injection, which tricks the system's database.

Thus, to prevent RFID exploits, the middleware should be bug free and not allow SQL injection, buffer overflow, and similar attacks.
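As an illustration of the SQL injection point, the sketch below is an added example, not code from the paper or from any RFID product. It shows a middleware write path in its weak form and in a corrected form; the table layout, tag format, size limit and sample tag value are all constructed assumptions, and SQLite stands in for the Oracle or MySQL backend.

```python
import re
import sqlite3

MAX_TAG_BYTES = 64                         # assumed capacity of the tag's data field
ALLOWED = re.compile(r"[A-Za-z0-9 ._-]+")  # assumed format of the contents field
MALFORMED_TAG = "x' --"                    # constructed sample of improperly formatted tag data

def open_db():
    """In-memory stand-in for the middleware's backend database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE containers (tag_id TEXT PRIMARY KEY, contents TEXT)")
    db.executemany("INSERT INTO containers VALUES (?, ?)",
                   [("T1", "aspirin"), ("T2", "insulin")])
    return db

def contents(db):
    """Return the whole table as {tag_id: contents}."""
    return dict(db.execute("SELECT tag_id, contents FROM containers"))

def record_scan_weak(db, tag_id, tag_data):
    """Weak form: tag data is spliced into the SQL text, so it is parsed as SQL."""
    sql = "UPDATE containers SET contents = '%s' WHERE tag_id = '%s'" % (tag_data, tag_id)
    return db.execute(sql).rowcount

def record_scan_bound(db, tag_id, tag_data):
    """Corrected form: bound parameters keep tag data a value, never SQL text."""
    cur = db.execute("UPDATE containers SET contents = ? WHERE tag_id = ?",
                     (tag_data, tag_id))
    return cur.rowcount

def validate_tag(tag_data):
    """Reject oversized or unexpectedly formatted data before any parser sees it."""
    if len(tag_data.encode("utf-8")) > MAX_TAG_BYTES:
        raise ValueError("tag data exceeds expected length")
    if not ALLOWED.fullmatch(tag_data):
        raise ValueError("tag data contains unexpected characters")
    return tag_data

def record_scan(db, tag_id, tag_data):
    """Hardened write path: validate first, then use a parameterized statement."""
    return record_scan_bound(db, tag_id, validate_tag(tag_data))

if __name__ == "__main__":
    db = open_db(); record_scan_weak(db, "T1", MALFORMED_TAG)
    print("weak :", contents(db))   # the WHERE clause was lost; every row changed
    db = open_db(); record_scan_bound(db, "T1", MALFORMED_TAG)
    print("bound:", contents(db))   # only T1 changed; data stored as inert text
```

The length cap plays the role of the bounds check that a native-code tag parser needs against buffer overflows; in Python it only limits what reaches the database.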

The paper urges developers to armour their systems to limit the damage that is caused once hackers start experimenting with RFID exploits, worms, and viruses on a larger scale.

The spread of RFID malware is likely to see increasing cat-and-mouse activity between hackers and developers, so pharmaceutical manufacturers need to decide whether they are game - and fast.