## Friday, May 28, 2010

### Inside the RFID 'virus' that 'infected a man'

Earlier this week the BBC reported on a man who had 'infected' himself with a computer virus. The story, of course, is rubbish. The man wasn't 'infected' with anything, he had simply reprogrammed a chip that had been inserted under his skin and then stated that the code in the chip could 'infect' a machine.

There's nothing at all surprising in this. The idea that one machine could infect another is just the run-of-the-mill virus story. The idea that a piece of data (for that is what is stored in his subcutaneous chip) could cause a machine to misbehave is nothing new either: many, many attacks are based on subverting the difference between data and code to take control of machines.

So, the BBC should never have run with the story since it was sensationalist bollocks.

The story states: "In trials, Dr Gasson showed that the chip was able to pass on the computer virus to external control systems. If other implanted chips had then connected to the system they too would have been corrupted, he said." So what is this virus? I tried emailing the scientist involved, Dr Mark Gasson, but have not received any response.

For coders, the BBC did happily show two screen shots of the 'virus':

The top shot shows the ASCII version of the virus, and the bottom the hex. If we concentrate on the top shot we'll see that the contents of the virus on the chip are (I used § to indicate a character I can't read):
```
41207§§§676e206f66207§§§696e677329746§§§636f6d65202d2§§§7220476173736§§§',NewProfile =(select SUBSTR(SQL_TEXT,1)FROM v$sqlWHERE INSTR(SQL_TEXT,'<script>window.location="http://kablamm.com"</script>',0)--
```

So what you have is a SQL injection attack (note the first ' mark) which then executes a SQL statement (against an Oracle database, because it's using the special v$sql table). The SQL itself is rather odd because it's looking for a piece of JavaScript, `<script>window.location="http://kablamm.com"</script>`, in the currently running database query and then returning the query.

Since I don't have access to the machine that is running this code this is where a guess is needed, but it looks like he's causing the machine to insert JavaScript that will force a web browser to visit a site he owns, kablamm.com.

So, in summary, the sum total of this is that the RFID scanner has a SQL injection vulnerability. Big deal. SQL injection is everywhere, it hardly takes a 'researcher' to realize that unchecked input from the user (in this case in the form of a passive RFID tag) could have a consequence.
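To make the scanner-side bug concrete, here is an added example (it is not from the post, and it is not Dr Gasson's or the BBC's code) that mimics it in Python against an in-memory SQLite table. The table and column names, and the two tag payloads, are constructed for the example; the hostile tag has the same shape as the payload quoted above, a closing quote followed by a second SET clause and a comment marker.

```python
import re
import sqlite3

# Constructed sample tag contents (not the tag from the BBC screenshots).
# A benign tag is just hex bytes; the hostile one closes the quoted string
# and smuggles in an extra "NewProfile = ..." assignment, then comments
# out whatever the scanner's own SQL would have appended.
BENIGN_TAG = "41207369676e"
HOSTILE_TAG = "41207369676e', NewProfile = 'owned' -- "

HEX_ONLY = re.compile(r"[0-9A-Fa-f]+")


def fresh_db():
    """In-memory stand-in for the scanner's back-end (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE readers (id INTEGER PRIMARY KEY, TagData TEXT, NewProfile TEXT)")
    db.execute("INSERT INTO readers (TagData, NewProfile) VALUES ('none', 'clean')")
    return db


def store_tag_vulnerable(db, tag_text):
    """Tag text is pasted into the SQL string, so the tag now controls the
    statement: the injected clause runs and the WHERE is commented away."""
    db.execute(f"UPDATE readers SET TagData = '{tag_text}' WHERE id = 1")
    return db.execute("SELECT TagData, NewProfile FROM readers WHERE id = 1").fetchone()


def store_tag_parameterized(db, tag_text):
    """Bind the tag as a parameter: whatever it contains is stored as an
    inert string and can never become part of the statement."""
    db.execute("UPDATE readers SET TagData = ? WHERE id = 1", (tag_text,))
    return db.execute("SELECT TagData, NewProfile FROM readers WHERE id = 1").fetchone()


def is_well_formed_tag(tag_text):
    """Allowlist check: a tag read in this format should be hex digits only,
    so a quote mark or SQL keyword is rejected before it reaches the database."""
    return HEX_ONLY.fullmatch(tag_text) is not None


def tag_hex_to_ascii(tag_hex):
    """Decode the tag bytes to text, the step that exposed the 'signature'."""
    return bytes.fromhex(tag_hex).decode("ascii", errors="replace")


if __name__ == "__main__":
    print(store_tag_vulnerable(fresh_db(), HOSTILE_TAG))     # NewProfile flips to 'owned'
    print(store_tag_parameterized(fresh_db(), HOSTILE_TAG))  # stored literally, stays 'clean'
    print(is_well_formed_tag(HOSTILE_TAG), tag_hex_to_ascii(BENIGN_TAG))
```

Both defences matter: parameter binding is what removes the injection, while the format allowlist stops malformed tag data much earlier and gives the scanner something concrete to log and alert on.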

The entire demonstration stinks, and worse, the BBC reported on this type of vulnerability (the data in an RFID tag could corrupt a host system) four years ago in a sensible and calm manner. A quote from that article:

In their research paper Mr Tanenbaum and his colleagues Melanie Rieback and Bruno Crispo detail how to use RFID tags to spread viruses and subvert corporate databases.

"Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong," wrote the trio in their research paper.

The researchers showed how to get round the limited computational abilities of the smart tags to use them as an attack vector and corrupt databases holding information about what a company has in storage. To test out the theory the group created a virus for a smart tag that used only 127 characters, uploaded it and watched it in action.

The sensible BBC article from back in 2006 is The Evolution of RFID Security.

PS Eagle-eyed ASCII loving readers may have wondered about the block of hex code at the start of Dr Gasson's RFID tag: 4120 7§§§ 676e 206f 6620 7§§§ 696e 6773 2974 6§§§ 636f 6d65 202d 2§§§ 7220 4761 7373 6§§§. If, like me, you think this looks a lot like English text in ASCII you'd be right. It reads "A sign of things to come - Dr Gasson". So, Dr Gasson signed his 'virus'. All he needs is a leet h4x0r name to complete his transition to script kiddie.

Now script kiddie might seem a bit rude until you go back and look at the virus above. It's using a technique called "self-referential SQL queries". Their use in 'infecting' RFID systems is detailed here and also in the 2006 paper Is your cat infected with a computer virus?.

So Dr Gasson's virus looks less and less clever: he used a four year old technique to infect a machine and got himself on the telly because he 'infected himself' (an audible gasp from the audience).

There's a nice description of how the attack works here. Notice the incredible similarity between Dr Gasson's 'virus' and the code on this page.