SQL infections through RFID
Andrew Sung2007, Journal in Computer Virology
Sign up for access to the world's latest research
checkGet notified about relevant papers
checkSave papers to use in your research
checkJoin the discussion with peers
checkTrack your impact
Abstract
Automatic identification and collection (AIDC) technologies have made the life of a man much easier on numerous platforms. Of the various such technologies the radio frequency identification devices (RFID) have become pervasive essentially because they can track from a greater physical distance than the rest. The back end that supports these RFID systems has always been working well until they encounter a sbadly-formatted RFID tag. There have hardly been any incidents where such tags, once identified by the back-end systems, can in fact wreak havoc via the interacting databases in the RFID infrastructure. Recently, there has been significant research in this area. In the previous work, the author managed to do an attack using a self-referential query on Linux, Oracle, and PHP. However, they have been unable to test it on SQL Server 2005. This paper differs from the previous work in the way that it extends the attack using a self-referential query to Windows, SQL Server 2005, and ASP with their respective latest updates installed. The query itself is more robust by making certain that the table can contain it.
Related papers
SQLIA detection and prevention approach for RFID systems
While SQL injection attacks have been plaguing web application systems for years, the possibility of them affecting RFID systems was only identified very recently. However, very little work exists to mitigate this serious security threat to RFID-enabled enterprise systems. At the same time, the drop in RFID tag prices coupled with the increase in storage capacity of the tags have motivated users to store more and more data on the tags for ease of access. This in turn has increased the ability that attackers have of leveraging the tags to try and mount SQLIA based malware attacks on RFID systems thereby increasing the potential threat that RFID-enabled systems pose to the enterprise systems. In this paper, we propose a detection and prevention method from RFID tag-born SQLIA attacks. We have tested all possible types of dynamic queries that may be generated in RFID systems with all possible types of attacks that can be mounted on those systems. We present an analysis and evaluation of the proposed approach to demonstrate its effectiveness in mitigating SQLIA attack.
Policy-based SQLIA Detection and Prevention Approach for RFID Systems
While SQL injection attacks have been plaguing web application systems for years, the possibility of them affecting RFID systems was only identified very recently. However, very little work exists to mitigate this serious security threat to RFID-enabled enterprise systems. In this paper, we propose a policy-based SQLIA attack detection and prevention method for RFID systems. The proposed technique creates data validation and sanitization policies during content analysis and enforces those policies during runtime monitoring. We tested all possible types of dynamic queries that may be generated in RFID systems with all possible types of attacks that can be mounted on those systems. We present an analysis and evaluation of the proposed approach to demonstrate the effectiveness of the proposed approach in mitigating SQLIA attacks.
R.: Information confinement, privacy, and security in RFID systems
2016
Abstract. This paper describes an identification and authentication protocol for RFID tags with two contributions aiming at enhancing the security and privacy of RFID based systems. First, we assume that some of the servers storing the infor-mation related to the tags can be compromised. In order to protect the tags from potentially malicious servers, we devise a technique that makes RFID identifi-cation server-dependent, providing a different unique secret key shared by each pair of tag and server. The proposed solution requires the tag to store only a sin-gle secret key, regardless of the number of servers, thus fitting the constraints on tag’s memory. Second, we provide a probabilistic tag identification scheme that requires the server to perform simple bitwise operations, thus speeding up the identification process. The proposed tag identification protocol assures privacy, mutual authentication and resilience to both DoS and replay attacks. Finally, each of the two schemes descr...
RFID Exploitation and Countermeasures
ArXiv, 2021
Radio Frequency Identification (RFID) systems are among the most widespread computing technologies with technical potential and profitable opportunities in numerous applications worldwide. Further, RFID is the core technology behind the Internet of Things (IoT), which can accomplish the real-time transmission of information between objects without manual operation. However, RFID security has been taken for granted for several years, causing multiple vulnerabilities that can even damage human functionalities. The latest ISO/IEC 18000-63:2015 standard concerning RFID dates to 2015, and much freedom has been given to manufacturers responsible for making their devices secure. The lack of a substantial standard for devices that implement RFID technology creates many vulnerabilities that expose end-users to elevated risk. Hence, this paper gives the reader a clear overview of the technology, and it analyzes 23 well-known RFID attacks such as Reverse Engineering, Buffer Overflow, Eavesdrop...
Intrusion detection in RFID systems
2008
1 Abstract-In recent years, advances in Radio Frequency identification (RFID) technology has led to their widespread adoption in diverse applications such as object identification, access authorization, environmental monitoring and supply chain management. Although the increased proliferation of tags enables new applications, they also raise many unique and potentially serious security and privacy concerns. Security solutions in RFID systems need to be strengthened to ensure information integrity and to prevent hackers from exploiting the sensitive tag data. In this paper, we address the importance of intrusion detection security paradigm for RFID systems. We present an overview of state of the art in RFID security and investigate the limitations of traditional security solutions based on cryptographic primitives and protocols. We propose an RFID intrusion detection model that integrates information from RFID reader layer and middleware layer to detect anomalous behavior in the network, thus improving their resilience to security attacks.
Security in Low Cost RFID
2000
RFID systems, and indeed other forms of wireless technology, are now a pervasive form of computing. In the context of security and privacy, the most threatening (to privacy) and vulnerable (to insecurity) are the 'low cost RFID systems'. The problems are further aggravated by the fact that it is this form of RFID that is set to proliferate through various consumer goods supply chains throughout the world. This is occurring through the actions of multinational companies like Wal-Mart, Tesco, Metro UPS and of powerful government organizations such as the United States DOD (department of defence) and FDA (food and drug administration). This paper examines the security and privacy issues brought about by vulnerabilities of present low cost RFID systems and explore the security and privacy threats posed as a result of those vulnerabilities.
SQL (Structured Query Language) Injection Attack inside DBMS with Novel Methodologies
2021
Databases are utilized in many facets of your everyday life because they allow data to be saved fast and conveniently. SQL injection is a code injection approach for attacking data-driven systems that involves inserting sql Queries into an entry field for implementation (e.g., to dump the database contents to the attacker). Sql vulnerability are most commonly caused by a lack of due diligence when they are implemented. In this research, we present SQL injection prevention method, a DBMS detection and mitigation technique that can also aid in the detection of attackers. We create an online shopping application to apply the SQL injection prevention method. The most typical source of database problems is a lack of due diligence at the time when the database was created. The customer has the option of browsing these items by category. A user can add a purchase to his or her shopping basket if he or she likes it. If a person wants to check out, he must first register on the site. After t...
Ased on Rfid S Ystem
2012
In this paper we analyze an authentication protocol so-called Pasargad which proposed by Arjemand et al. [1]. The Pasargad protocol is a distance bounding protocol which has been designed for RFID-based electronic voting systems. The designers have claimed that this protocol is more secure than Preneel and Single protocol [2], against relay attacks. However, in this paper, we present some efficient attacks against it. Our attacks include conditional impersonation attack and recovery key attack. Moreover, we show that this protocol has some structural flaw which may prevent to execution the protocol.
A Framework for Assessing RFID System Security and Privacy Risks
IEEE Pervasive Computing, 2000
Classifying RFID attacks and defenses
2010
RFID (Radio Frequency Identification) systems are one of the most pervasive computing technologies with technical potential and profitable opportunities in a diverse area of applications. Among their advantages is included their low cost and their broad applicability. However, they also present a number of inherent vulnerabilities. This paper develops a structural methodology for risks that RFID networks face by developing a classification of RFID attacks, presenting their important features, and discussing possible countermeasures. The goal of the paper is to categorize the existing weaknesses of RFID communication so that a better understanding of RFID attacks can be achieved and subsequently more efficient and effective algorithms, techniques and procedures to combat these attacks may be developed.
Related topics
Related papers
RFID malware: Design principles and examples
Pervasive and mobile …, 2006
This paper explores the concept of malware for Radio Frequency Identification (RFID) systems -including RFID exploits, RFID worms, and RFID viruses. We present RFID malware design principles together with concrete examples; the highlight is a fully illustrated example of a self-replicating RFID virus. The various RFID malware approaches are then analyzed for their effectiveness across a range of target platforms. This paper concludes by warning RFID middleware developers to build appropriate checks into their RFID middleware before it achieves wide-scale deployment in the real world.
Security Risks/Vulnerability in a RFID System and Possible Defenses
IGI Global eBooks, 2013
Remote technologies are changing our way of life. The radio frequency identification (RFID) system is a new technology which uses the open air to transmit information. This information transmission needs to be protected to provide user safety and privacy. Business will look for a system that has fraud resilience to prevent the misuse of information to take dishonest advantage. The business and the user need to be assured that the transmitted information has no content which is capable of undertaking malicious activities. Public awareness of RFID security will help users and organizations to understand the need for security protection. Publishing a security guideline from the regulating body and monitoring implementation of that guideline in RFID systems will ensure that businesses and users are protected. This chapter explains the importance of security in a RFID system and will outline the protective measures. It also points out the research direction of RFID systems.
Enumerating RFID networks
Proceedings of the Southwest Decision Sciences Institute, 2011
Organizations that adopt RFID can have tremendous gains in both efficiency and effectiveness. However, when viruses, worms, spyware, Trojan horses, and hackers target these resources, the organization can cease to function. Therefore, RFID-based networks should therefore be secure, private, and separate from other computing resources. It is important to remember that while RFID is just a tag, the tag, the reader, and the infrastructure can all be compromised. This paper examines the threats that can occur against the RFID reader and backend systems, as well as the effect of rogue readers.
Rfid Technology, Privacy and Security Udc 65.011.56
2010
Every day, people interact directly with a Radio Frequency Identification (RFID) device (tag), buying a product or accessing some desired place. The tag can then be interrogated via radio waves by an RFID reader to return a small amount of information, such as an identification code or personal data. Also, the RFID technology is very useful for supplying chain management, item tracking and other areas. At the same time, the RFID technology raises privacy and security issues. For example, applying RFID tags to individual items raises the possibility that the movement of these items can be tracked, or that individuals can be scanned to learn what items they carry. Many other examples can be named to illustrate problems arising from undesired uses of the RFID data. This paper presents some issues that can be very helpful for overcoming the above mentioned problems.
Server Impersonation Attacks on RFID Protocols
Mobile Ubiquitous Computing, Systems, Services and …, 2008
We introduce server impersonation attacks, a practical security threat to RFID security protocols that has not previously been described. RFID tag memory is generally not tamper-proof for cost reasons. We show that, if a tag is compromised, such attacks can give rise to desynchronisation between server and tag in a number of existing RFID authentication protocols. We also describe possible countermeasures to this novel class of attacks.
Information confinement, privacy, and security in RFID systems
Computer Security–ESORICS 2007, 2007
This paper describes an identification and authentication protocol for RFID tags with two contributions aiming at enhancing the security and privacy of RFID based systems. First, we assume that some of the servers storing the information related to the tags can be compromised. In order to protect the tags from potentially malicious servers, we devise a technique that makes RFID identification server-dependent, providing a different unique secret key shared by each pair of tag and server. The proposed solution requires the tag ...
Classification of RFID attacks
Gen, 2010
RFID (Radio Frequency Identification) systems are emerging as one of the most pervasive computing technologies in history due to their low cost and their broad applicability. Although RFID networks have many advantages, they also present a number of inherent vulnerabilities with serious potential security implications. This paper develops a structural methodology for risks that RFID networks face by developing a classification of RFID attacks, presenting their important features, and discussing possible countermeasures. The goal of the paper is to categorize the existing weaknesses of RFID systems so that a better understanding of RFID attacks can be achieved and subsequently more efficient and effective algorithms, techniques and procedures to combat these attacks may be developed.
Privacy and Security Aspects of RFID Tags
2005
RFID has recently received a lot of attention as an augmentation technology in manufacturing, SCM and retail inventory control. However, widespread deployment of RFID tags may create new threats to security and privacy of individuals and organizations. This paper gives an overview of all types of RFID privacy and security problems and its countermeasures.
“Solutions for RFID Smart Tagged Card Security Vulnerabilities”
AASRI Procedia, 2013
ABSTRACT The use of Radio Frequency Identification (RFID) technology is seeing increasing use in all areas of industry. Companies and government agencies have implemented RFID solutions to make their inventory control systems more efficient. In the healthcare industry the technology is being used to saves patient lives by preventing medical misidentification, and mistreatment, to monitor medical equipment assets, and to track the administration of medication. In spite of all the benefits that RFID can provide to industry, there are glaring security concerns that come with its use. The paper will identify the security risks inherent in RFID technology and propose a framework to make smart tagged cards more secure using active tags and prevent the ability to clone tags or sniff data between the tag and reader. The proposed framework is specific to the tag and reader communication layer.
A Security Framework for Networked RFID
Theoretical Frameworks and Practical Applications, 2012
In the last decade RFID technology has become a major contender for managing large scale logistics operations and generating and distributing the massive amount of data involved in such operations. One of the main obstacles to the widespread deployment and adoption of RFID systems is the security issues inherent in them. This is compounded by a noticeable lack of literature on how to identify the vulnerabilities of a RFID system and then effectively identify and develop counter measures to combat the threats posed by those vulnerabilities. In this chapter, the authors develop a conceptual framework for analysing the threats, attacks, and security requirements pertaining to networked RFID systems. The vulnerabilities of, and the threats to, the system are identified using the threat model. The security framework itself consists of two main concepts: (1) the attack model, which identifies and classifies the possible attacks, and (2) the system model, which identifies the security requirements. The framework gives readers a method with which to analyse the threats any given system faces. Those threats can then be used to identify the attacks possible on that system and get a better understanding of those attacks. It also allows the reader to easily identify all the security requirements of that system and identify how those requirements can be met.
Loading Preview
Sorry, preview is currently unavailable. You can download the paper by clicking the button above.