Sunday, March 19, 2006

Re: RFID virus?

The whole idea is not to infect the chip, but the reader.

The main problem is that people/RFID programmers nowadays tend to
implicitly trust whatever is stored in the RFID chip. Once read, the
data from the RFID is assumed to be correct without any checking.
This practice is problematic when you have no assurance of what is
actually stored in a foreign RFID chip.

For instance, it is not safe to assume that storing to the database is
harmless. One well-known problem, already identified and (hopefully)
well circulated in the web programming community, is the infamous SQL
injection. This also applies to the RFID case. Depending on what can be
stored in the RFID (which Sun can tell me hehe), some amount of SQL
commands can be stored in the chip as DATA to be read by the RFID
reader. The RFID reader, I suppose, should be treating the decoded data
as a string (or array of characters). If no checking is done, and the
reader tries to read from the database the information related to the
tag ID (I am just guessing there is a tag ID in the RFID :P correct me
if I am wrong), something like the following is executed:

SELECT * FROM RFIDTABLE WHERE TAGID="";

where the part between the double quotes is the data read from the RFID.

Normally, this should work and fetch all the data fields related to the
given Tag ID. However, consider if I am able to store in the RFID the
string

3716273612"; DELETE FROM RFIDTABLE;

then the SQL statement after decoding becomes

SELECT * FROM RFIDTABLE WHERE TAGID="3716273612";
DELETE FROM RFIDTABLE;

which is now TWO queries, the first one being a simple query while the
other one deletes everything from RFIDTABLE. You get the point by now,
right?
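The two ways a reader can hand tag data to the database, side by side, as an added example that is not from the original post. It uses an in-memory SQLite table named RFIDTABLE like the post's, a constructed two-row inventory, and a constructed hostile tag string; the ten-digit tag id format is an assumption taken from the post's sample value. Two details differ from the text: the literal is single-quoted (SQLite treats double quotes as identifiers), and the hostile string ends with a SQL comment marker so that the template's own closing quote is ignored, a step the post does not spell out.

```python
import re
import sqlite3

# Constructed sample inventory for the demo; the table name matches the post's RFIDTABLE.
SAMPLE_ROWS = [("3716273612", "pallet of printer paper"),
               ("9000000001", "carton of network cables")]

# Assumed tag id format (ten decimal digits, like the post's example). An allow-list
# check like this is one concrete way to "never trust data external to your program".
TAG_ID_RE = re.compile(r"^[0-9]{10}$")

# Constructed hostile tag payload: closes the quoted literal, appends a second
# statement, and ends with a SQL comment so the template's closing quote is ignored.
HOSTILE_TAG = "3716273612'; DELETE FROM RFIDTABLE; --"


def make_db():
    """In-memory SQLite stand-in for the reader's back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE RFIDTABLE (TAGID TEXT PRIMARY KEY, ITEM TEXT)")
    conn.executemany("INSERT INTO RFIDTABLE VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def row_count(conn):
    """How many rows RFIDTABLE currently holds."""
    return conn.execute("SELECT COUNT(*) FROM RFIDTABLE").fetchone()[0]


def build_query_unsafe(tag_data):
    """The pattern the post warns about: decoded tag text pasted into the SQL string."""
    return "SELECT * FROM RFIDTABLE WHERE TAGID='%s';" % tag_data


def lookup_unsafe(conn, tag_data):
    """Run the concatenated text with executescript, which executes every statement
    it contains, like a back end that accepts stacked queries. Returns the SQL that
    was actually run so both statements are visible to the caller."""
    sql = build_query_unsafe(tag_data)
    conn.executescript(sql)
    return sql


def lookup_param(conn, tag_data):
    """Parameterised query: the driver binds tag_data as a value, so it is never
    parsed as SQL whatever quotes or semicolons it contains."""
    return conn.execute("SELECT * FROM RFIDTABLE WHERE TAGID=?", (tag_data,)).fetchall()


def read_tag(conn, tag_data):
    """Reader-side entry point: reject tag text that does not match the expected
    format, then use the parameterised lookup. Returns None for rejected input."""
    if not TAG_ID_RE.match(tag_data):
        return None
    return lookup_param(conn, tag_data)


if __name__ == "__main__":
    db = make_db()
    print(read_tag(db, "3716273612"))                     # honest tag: one row
    print(read_tag(db, HOSTILE_TAG))                      # None: rejected before any SQL
    print(lookup_param(db, HOSTILE_TAG), row_count(db))   # [] and 2: table untouched
    print(lookup_unsafe(db, HOSTILE_TAG), row_count(db))  # stacked query, then 0 rows
```

The format check and the bound parameter are independent defences: the parameterised query alone already keeps the hostile string from running as SQL, and the allow-list additionally stops junk tag ids from reaching the database at all.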

This is only one of the possibilities. Depending on the programming
language used, it is also possible to exploit a buffer overflow, as has
been done countless times in the computer virus world.

Another possibility depends on the communication protocol that a
(hand-held) reader uses to talk to the back-end system. A common choice
would be HTTP, like accessing a web-based application from a PDA that is
reading RFIDs. Now, again, everything that applies to web programming
applies here. The programmer on the PDA side may not be careful with the
data read, and pass it directly to the backend via HTTP. Yet the backend
programmer may simply think that the PDA programmer won't cheat the
company by crafting wrong inputs to my scripts, and do no checking at
all. This allows easy code insertion in the form of javascript,
vbscript, etc. into the backend system.
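A back end that trusts the PDA beside one that does not, as an added example that is not from the original post. It stands in for the web application behind the reader with two plain functions that take an HTTP query string and return an HTML fragment; the inventory, the query string and the ten-digit tag format are all constructed for the demo, and one stored item name already carries markup to represent tag data that an earlier careless reader wrote to the database verbatim.

```python
import html
import re
from urllib.parse import parse_qs

# Assumed tag id format (ten decimal digits, as in the post's example).
TAG_ID_RE = re.compile(r"^[0-9]{10}$")

# Constructed inventory. The second item name carries markup, standing in for
# tag data that a careless reader stored in the database without checking it.
INVENTORY = {
    "3716273612": "pallet of printer paper",
    "9000000001": "cables <script>alert(1)</script>",
}

# Constructed query string a PDA might send; the tag field carries script markup.
HOSTILE_QUERY = "tag=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"


def tag_from_query(query_string):
    """Pull the tag field out of an HTTP query string ('' if absent)."""
    return parse_qs(query_string).get("tag", [""])[0]


def handle_lookup_unsafe(query_string):
    """Back end that assumes the PDA already checked its input: the tag text and
    the stored item name are echoed into the HTML response exactly as received."""
    tag = tag_from_query(query_string)
    item = INVENTORY.get(tag, "unknown")
    return "<p>Tag %s: %s</p>" % (tag, item)


def handle_lookup_safe(query_string):
    """Back end that treats the PDA as just another untrusted client: validate the
    tag format on the server, and escape everything echoed into the page, including
    values that came back from the database."""
    tag = tag_from_query(query_string)
    if not TAG_ID_RE.match(tag):
        return "<p>Rejected: malformed tag id</p>"
    item = INVENTORY.get(tag, "unknown")
    return "<p>Tag %s: %s</p>" % (html.escape(tag, quote=True),
                                  html.escape(item, quote=True))


if __name__ == "__main__":
    print(handle_lookup_unsafe(HOSTILE_QUERY))   # script markup lands in the page
    print(handle_lookup_safe(HOSTILE_QUERY))     # rejected on the server
    print(handle_lookup_safe("tag=9000000001"))  # stored markup rendered as text
```

The server-side check matters even if the PDA software validates too: the back end cannot tell a well-behaved PDA from any other HTTP client, so whatever the reader does, the web application has to apply its own input validation and output escaping.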

All in all, when you do programming, reading data can mean code
execution, especially when you are using scripting and database
languages, where you are passing dynamic string-like commands around. A
good practice is to NEVER trust data external to your program.

Sun wrote:
> I don't get it.
> The data inside the RFID chip
> gets loaded into the database,
> and it's still just data.
>
> As long as you don't execute it, it should be fine.
> Is there any CS person who can answer this?
[Tech News] RFID tags vulnerable to viruses, threaten security -- Dutch scientists
Thursday, March 16, 13:09 update

Reuters, Amsterdam --- Scientists at a Dutch university said on Wednesday that the cheap radio chips now replacing the ubiquitous bar code not only threaten privacy but are also vulnerable to computer virus attacks.

Researchers at the Free University of Amsterdam built a virus-infected radio frequency identification (RFID) chip to prove that, although these cheap chips have very little memory, RFID systems are still easily attacked by viruses.

The study says the problem is that once an RFID tag is infected, when it passes through a scanning gate and is read wirelessly, it can infect the database that is processing the chip's information.

"Everyone working on RFID technology has tacitly assumed that merely scanning an RFID tag cannot modify back-end software, and certainly cannot affect it maliciously. Unfortunately, they are wrong," the Free University scientists wrote.

"An RFID tag can be infected with a virus, and this virus can infect the back-end database used by the RFID software, and from there it can easily spread to other RFID tags," they said.

They said that criminals or radicals could therefore use infected RFID to sabotage airline baggage handling systems, potentially with catastrophic consequences. The same technique could also be used to sabotage supermarket databases.

"This is meant as a wake-up call. We are asking the RFID industry to design secure systems," Tanenbaum, one of the report's authors, said in a telephone interview.

RFID technology, invented more than 50 years ago, is making slow progress, but production costs still hold back its large-scale entry into the market. Proponents hail RFID microchips as a marvellous technology because they promise to revolutionise shopping and manufacturing.

In theory, everything in daily life could be linked by an RFID wireless network, and every manufactured item could be tracked and monitored. Computer scientists call RFID the "Internet of things", while critics believe these radio tags could lead to wanton violations of privacy.
