2006
RFID systems as a whole are often treated with suspicion, but the input data received from individual RFID tags is implicitly trusted. RFID attacks are currently conceived as properly formatted but fake RFID data; however, no one expects an RFID tag to send a SQL injection attack or a buffer overflow. This paper is meant to serve as a warning that data from RFID tags can be used to exploit back-end software systems. RFID middleware writers must therefore build appropriate checks (bounds checking, special character filtering, etc.) to prevent RFID middleware from suffering all of the well-known vulnerabilities experienced by the Internet. Furthermore, as a proof of concept, this paper presents the first self-replicating RFID virus. This virus uses RFID tags as a vector to compromise backend RFID middleware systems, via a SQL injection attack.
Pervasive and mobile …, 2006
This paper explores the concept of malware for Radio Frequency Identification (RFID) systems, including RFID exploits, RFID worms, and RFID viruses. We present RFID malware design principles together with concrete examples; the highlight is a fully illustrated example of a self-replicating RFID virus. The various RFID malware approaches are then analyzed for their effectiveness across a range of target platforms. This paper concludes by warning RFID middleware developers to build appropriate checks into their RFID middleware before it achieves wide-scale deployment in the real world.
ArXiv, 2021
Radio Frequency Identification (RFID) systems are among the most widespread computing technologies with technical potential and profitable opportunities in numerous applications worldwide. Further, RFID is the core technology behind the Internet of Things (IoT), which can accomplish the real-time transmission of information between objects without manual operation. However, RFID security has been taken for granted for several years, causing multiple vulnerabilities that can even damage human functionalities. The latest ISO/IEC 18000-63:2015 standard concerning RFID dates to 2015, and much freedom has been given to manufacturers responsible for making their devices secure. The lack of a substantial standard for devices that implement RFID technology creates many vulnerabilities that expose end-users to elevated risk. Hence, this paper gives the reader a clear overview of the technology, and it analyzes 23 well-known RFID attacks such as Reverse Engineering, Buffer Overflow, Eavesdrop...
While SQL injection attacks have been plaguing web application systems for years, the possibility of them affecting RFID systems was only identified very recently. However, very little work exists to mitigate this serious security threat to RFID-enabled enterprise systems. At the same time, the drop in RFID tag prices coupled with the increase in storage capacity of the tags has motivated users to store more and more data on the tags for ease of access. This in turn has increased the ability that attackers have of leveraging the tags to try and mount SQLIA-based malware attacks on RFID systems, thereby increasing the potential threat that RFID-enabled systems pose to the enterprise systems. In this paper, we propose a detection and prevention method for RFID tag-borne SQLIA attacks. We have tested all possible types of dynamic queries that may be generated in RFID systems with all possible types of attacks that can be mounted on those systems. We present an analysis and evaluation of the proposed approach to demonstrate its effectiveness in mitigating SQLIA attacks.
Journal in Computer Virology, 2007
Automatic identification and collection (AIDC) technologies have made the life of a man much easier on numerous platforms. Of the various such technologies the radio frequency identification devices (RFID) have become pervasive essentially because they can track from a greater physical distance than the rest. The back end that supports these RFID systems has always been working well until it encounters a badly-formatted RFID tag. There have hardly been any incidents where such tags, once identified by the back-end systems, can in fact wreak havoc via the interacting databases in the RFID infrastructure. Recently, there has been significant research in this area. In the previous work, the author managed to do an attack using a self-referential query on Linux, Oracle, and PHP. However, they have been unable to test it on SQL Server 2005. This paper differs from the previous work in the way that it extends the attack using a self-referential query to Windows, SQL Server 2005, and ASP with their respective latest updates installed. The query itself is more robust by making certain that the table can contain it.
2008
In recent years, advances in Radio Frequency Identification (RFID) technology have led to its widespread adoption in diverse applications such as object identification, access authorization, environmental monitoring and supply chain management. Although the increased proliferation of tags enables new applications, they also raise many unique and potentially serious security and privacy concerns. Security solutions in RFID systems need to be strengthened to ensure information integrity and to prevent hackers from exploiting the sensitive tag data. In this paper, we address the importance of intrusion detection security paradigm for RFID systems. We present an overview of state of the art in RFID security and investigate the limitations of traditional security solutions based on cryptographic primitives and protocols. We propose an RFID intrusion detection model that integrates information from RFID reader layer and middleware layer to detect anomalous behavior in the network, thus improving their resilience to security attacks.
2000
RFID systems, and indeed other forms of wireless technology, are now a pervasive form of computing. In the context of security and privacy, the most threatening (to privacy) and vulnerable (to insecurity) are the 'low cost RFID systems'. The problems are further aggravated by the fact that it is this form of RFID that is set to proliferate through various consumer goods supply chains throughout the world. This is occurring through the actions of multinational companies like Wal-Mart, Tesco, Metro, UPS and of powerful government organizations such as the United States DOD (department of defence) and FDA (food and drug administration). This paper examines the security and privacy issues brought about by vulnerabilities of present low cost RFID systems and explores the security and privacy threats posed as a result of those vulnerabilities.
Low-cost Radio Frequency Identification (RFID) tags affixed to consumer items as smart labels are emerging as one of the most pervasive computing technologies in history. This can have huge security implications. The present article surveys the most important technical security challenges of RFID systems. We first provide a brief summary of the most relevant standards related to this technology. Next, we present an overview about the state of the art on RFID security, addressing both the functional aspects and the security risks and threats associated to its use. Finally, we analyze the main security solutions proposed to date.
Information Systems Frontiers, 2010
systems are one of the most pervasive computing technologies with technical potential and profitable opportunities in a diverse area of applications. Among their advantages is included their low cost and their broad applicability. However, they also present a number of inherent vulnerabilities. This paper develops a structural methodology for risks that RFID networks face by developing a classification of RFID attacks, presenting their important features, and discussing possible countermeasures. The goal of the paper is to categorize the existing weaknesses of RFID communication so that a better understanding of RFID attacks can be achieved and subsequently more efficient and effective algorithms, techniques and procedures to combat these attacks may be developed.
Proceedings of the …, 2006
This paper presents the design, implementation, and evaluation of the RFID Guardian, the first-ever unified platform for RFID security and privacy administration. The RFID Guardian resembles an "RFID firewall," that monitors and controls access to RFID tags by combining a standard-issue RFID reader with unique RFID tag emulation capabilities. Our system provides a platform for both automated and coordinated usage of RFID security mechanisms, offering fine-grained control over RFID-based auditing, key management, access control, and authentication capabilities. We have prototyped the RFID Guardian using off-the-shelf components, and our experience has shown that active mobile devices are a valuable tool for managing the security of RFID tags in a variety of applications, including protecting low-cost tags that are unable to regulate their own usage.
22nd International Conference on Advanced Information Networking and Applications - Workshops (aina workshops 2008), 2008
RFID are small wireless devices which can be used for identification of objects and humans as well. Their acceptance has grown in past years and is expected to grow further. Due to reduction in cost of production RFID devices are being deployed in large numbers in supply chains (by Wal-Mart, etc.) In this paper we provide a comprehensive survey of various RFID authentication protocols proposed in the literature and classify them in different categories. We then study RFID authentication protocols having minimalist technique namely EMAP, LMAP and M2MAP. 1 confidentiality in communication between the tag and the reader. 2 reliability of the information on the RFID tag. 3 Anonymity to undesired and anonymous scanning of items or people.
Transactions on Networks and Communications, 2014
Recently, Radio Frequency Identification (RFID) technology has become very popular. Especially low-cost RFID tags are widely used in supply chain management. Due to lack of security considerations in simple RFID technology, performance optimization becomes quite important rather than securing the data transmitted over RFID media. Since security holes show variety in RFID systems, this paper classifies the attacks that occur in different layers of RFID models. The security enhanced EPC RFID middleware systems that are widely used in organizations and their vulnerabilities against Network Layer attacks are investigated in this research to clarify the actual impact of network layer attacks in RFID systems. This paper investigates the RFID middleware attacks and impact of possible integration of EPCglobal architecture to mitigate such attacks on RFID systems.
Theoretical Frameworks and Practical Applications, 2012
In the last decade RFID technology has become a major contender for managing large scale logistics operations and generating and distributing the massive amount of data involved in such operations. One of the main obstacles to the widespread deployment and adoption of RFID systems is the security issues inherent in them. This is compounded by a noticeable lack of literature on how to identify the vulnerabilities of a RFID system and then effectively identify and develop counter measures to combat the threats posed by those vulnerabilities. In this chapter, the authors develop a conceptual framework for analysing the threats, attacks, and security requirements pertaining to networked RFID systems. The vulnerabilities of, and the threats to, the system are identified using the threat model. The security framework itself consists of two main concepts: (1) the attack model, which identifies and classifies the possible attacks, and (2) the system model, which identifies the security requirements. The framework gives readers a method with which to analyse the threats any given system faces. Those threats can then be used to identify the attacks possible on that system and get a better understanding of those attacks. It also allows the reader to easily identify all the security requirements of that system and identify how those requirements can be met.
While SQL injection attacks have been plaguing web application systems for years, the possibility of them affecting RFID systems was only identified very recently. However, very little work exists to mitigate this serious security threat to RFID-enabled enterprise systems. In this paper, we propose a policy-based SQLIA attack detection and prevention method for RFID systems. The proposed technique creates data validation and sanitization policies during content analysis and enforces those policies during runtime monitoring. We tested all possible types of dynamic queries that may be generated in RFID systems with all possible types of attacks that can be mounted on those systems. We present an analysis and evaluation of the proposed approach to demonstrate the effectiveness of the proposed approach in mitigating SQLIA attacks.
AASRI Procedia, 2013
The use of Radio Frequency Identification (RFID) technology is seeing increasing use in all areas of industry. Companies and government agencies have implemented RFID solutions to make their inventory control systems more efficient. In the healthcare industry the technology is being used to save patient lives by preventing medical misidentification and mistreatment, to monitor medical equipment assets, and to track the administration of medication. In spite of all the benefits that RFID can provide to industry, there are glaring security concerns that come with its use. The paper will identify the security risks inherent in RFID technology and propose a framework to make smart tagged cards more secure using active tags and prevent the ability to clone tags or sniff data between the tag and reader. The proposed framework is specific to the tag and reader communication layer.
2007
The reliability of RFID systems depends on a number of factors including: RF interference, deployment environment, configuration of the readers, and placement of readers and tags. While RFID technology is improving rapidly, a reliable deployment of this technology is still a significant challenge impeding widespread adoption. This paper investigates system software solutions for achieving a highly reliable deployment that mitigates inherent unreliability in RFID technology. We have developed (1) a virtual reader abstraction to improve the potentially error-prone nature of reader generated data (2) a novel path abstraction to capture the logical flow of information among virtual readers. We have designed and implemented an RFID middleware: RF²ID (Reliable Framework for Radio Frequency Identification) to organize and support queries over data streams in an efficient manner. Prototype implementation using both RFID readers and simulated readers using an empirical model of RFID readers show that RF²ID is able to provide high reliability and support path-based object detection.
Mobile Ubiquitous Computing, Systems, Services and …, 2008
We introduce server impersonation attacks, a practical security threat to RFID security protocols that has not previously been described. RFID tag memory is generally not tamper-proof for cost reasons. We show that, if a tag is compromised, such attacks can give rise to desynchronisation between server and tag in a number of existing RFID authentication protocols. We also describe possible countermeasures to this novel class of attacks.
IGI Global eBooks, 2013
Remote technologies are changing our way of life. The radio frequency identification (RFID) system is a new technology which uses the open air to transmit information. This information transmission needs to be protected to provide user safety and privacy. Business will look for a system that has fraud resilience to prevent the misuse of information to take dishonest advantage. The business and the user need to be assured that the transmitted information has no content which is capable of undertaking malicious activities. Public awareness of RFID security will help users and organizations to understand the need for security protection. Publishing a security guideline from the regulating body and monitoring implementation of that guideline in RFID systems will ensure that businesses and users are protected. This chapter explains the importance of security in a RFID system and will outline the protective measures. It also points out the research direction of RFID systems.
Network Operations and …, 2006
technology is practically applied to a number of logistics processes as well as asset management, and RFID is also expected to be permeated in our daily life with the name of "Ubiquitous Computing" or "Ubiquitous Network" within the near future. The R&D groups in global now have paid attention to integrate RFID with mobile devices as well as to associate with the existing mobile telecommunication network. Such a converged technology and services would lead to make new markets and research challenges. However, the privacy violation on tagged products has become stumbling block. We propose a light-weight security mechanism which is constructed by mobile RFID security mechanism based on WIPI (Wireless Internet Platform for Interoperability). WIPI-based light-weight mobile RFID security platform can be applicable to various mobile RFID services that have strong security requirements in mobile environments.
Proceedings of the Southwest Decision Sciences Institute, 2011
Organizations that adopt RFID can have tremendous gains in both efficiency and effectiveness. However, when viruses, worms, spyware, Trojan horses, and hackers target these resources, the organization can cease to function. Therefore, RFID-based networks should be secure, private, and separate from other computing resources. It is important to remember that while RFID is just a tag, the tag, the reader, and the infrastructure can all be compromised. This paper examines the threats that can occur against the RFID reader and backend systems, as well as the effect of rogue readers.
Gen, 2010
RFID (Radio Frequency Identification) systems are emerging as one of the most pervasive computing technologies in history due to their low cost and their broad applicability. Although RFID networks have many advantages, they also present a number of inherent vulnerabilities with serious potential security implications. This paper develops a structural methodology for risks that RFID networks face by developing a classification of RFID attacks, presenting their important features, and discussing possible countermeasures. The goal of the paper is to categorize the existing weaknesses of RFID systems so that a better understanding of RFID attacks can be achieved and subsequently more efficient and effective algorithms, techniques and procedures to combat these attacks may be developed.