Friday, May 28, 2010

Inside the RFID 'virus' that 'infected a man'

Earlier this week the BBC reported on a man who had 'infected' himself with a computer virus. The story, of course, is rubbish. The man wasn't 'infected' with anything, he had simply reprogrammed a chip that had been inserted under his skin and then stated that the code in the chip could 'infect' a machine.

There's nothing at all surprising in this. The idea that one machine could infect another is just the run of the mill virus story. The idea that a piece of data (for that is what is stored in his subcutaneous chip) could cause a machine to misbehave is nothing new either: many, many attacks are based on subverting the difference between data and code to take control of machines.

So, the BBC should never have run with the story since it was sensationalist bollocks.

The story states: "In trials, Dr Gasson showed that the chip was able to pass on the computer virus to external control systems. If other implanted chips had then connected to the system they too would have been corrupted, he said." So what is this virus? I tried emailing the scientist involved, Dr Mark Gasson but have not received any response.

For coders the BBC did happily show two screen shots of the 'virus':

The top shot shows the ASCII version of the virus, and the bottom the hex. If we concentrate on the top shot we'll see that the contents of the virus on the chip are (I used § to indicate a character I can't read):

7220476173736§§§',NewProfile =(select SUBSTR(SQL_TEXT,1)FROM v$sql
WHERE INSTR(SQL_TEXT,'<script>window.location=""

So what you have is a SQL injection attack (note the first ' mark) which then executes a SQL statement (against an Oracle database because it's using the special v$sql table). The SQL itself is rather odd because it's looking for a piece of JavaScript <script>window.location=""</script> in the currently running database query and then returning the query.

Since I don't have access to the machine that is running this code this is where a guess is needed, but it looks like he's causing the machine to insert JavaScript that will force a web browser to visit a site he owns.

So, in summary, the sum total of this is that the RFID scanner has a SQL injection vulnerability. Big deal. SQL injection is everywhere, it hardly takes a 'researcher' to realize that unchecked input from the user (in this case in the form of a passive RFID tag) could have a consequence.
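To make the defect class concrete, here is an added toy back-end (my own example, not Dr Gasson's code or anything from the BBC piece) using Python's standard-library sqlite3 in place of the Oracle system the post describes. It decodes a tag's memory from a hex dump of the kind quoted in the PS below, then shows the vulnerable pattern (tag data spliced into the SQL text, so a quote in the tag turns the rest of its contents into SQL) next to the fix (bound parameters plus an allow-list check on the field). The table layout, the UPDATE statement, the hex dump and the payload are all constructed for illustration; only the shape of the payload (a closing quote followed by an extra SET clause) is taken from the post.

```python
import re
import sqlite3

# Constructed hex dump of a tag's memory, in the four-hex-digit word layout the
# post's PS paragraph quotes. Decodes to "Dr Gasson". Not the real tag contents.
CONSTRUCTED_TAG_HEX = "4472 2047 6173 736f 6e"

# Constructed payload with the same shape as the one transcribed in the post:
# a quote that closes the string literal, then an extra SET clause.
CONSTRUCTED_PAYLOAD = "Dr Gasson', profile = 'injected by tag"

# Assumption: an owner field on a tag is plain text of bounded length.
TAG_FIELD_RE = re.compile(r"[A-Za-z0-9 ._-]{1,64}")


def decode_tag_hex(dump: str) -> str:
    """Turn a space-separated hex dump of tag memory into ASCII text."""
    return bytes.fromhex(dump.replace(" ", "")).decode("ascii")


def is_well_formed_tag(field: str) -> bool:
    """Allow-list check: reject anything that is not plain owner text."""
    return TAG_FIELD_RE.fullmatch(field) is not None


def make_db() -> sqlite3.Connection:
    """Constructed schema: one row that the reader updates on each scan."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (id INTEGER PRIMARY KEY, owner TEXT, profile TEXT)")
    conn.execute("INSERT INTO tags VALUES (1, 'unset', 'visitor')")
    return conn


def record_tag_unsafe(conn: sqlite3.Connection, tag_text: str) -> None:
    """Vulnerable: tag data becomes part of the statement text."""
    conn.execute(f"UPDATE tags SET owner = '{tag_text}' WHERE id = 1")


def record_tag_bound(conn: sqlite3.Connection, tag_text: str) -> None:
    """Hardened: the driver binds the value, so it can never be parsed as SQL."""
    conn.execute("UPDATE tags SET owner = ? WHERE id = 1", (tag_text,))


def record_tag_safe(conn: sqlite3.Connection, tag_text: str) -> None:
    """Hardened further: validate the field before it goes anywhere near SQL."""
    if not is_well_formed_tag(tag_text):
        raise ValueError("tag field rejected: unexpected characters")
    record_tag_bound(conn, tag_text)


def read_row(conn: sqlite3.Connection) -> tuple:
    return conn.execute("SELECT owner, profile FROM tags WHERE id = 1").fetchone()


def demo() -> dict:
    """Run the same payload through both paths and report what each stored."""
    results = {}

    unsafe = make_db()
    record_tag_unsafe(unsafe, CONSTRUCTED_PAYLOAD)
    results["unsafe"] = read_row(unsafe)   # profile column overwritten

    bound = make_db()
    record_tag_bound(bound, CONSTRUCTED_PAYLOAD)
    results["bound"] = read_row(bound)     # whole payload stored as owner text

    results["well_formed"] = is_well_formed_tag(CONSTRUCTED_PAYLOAD)
    return results


if __name__ == "__main__":
    print("tag reads:", decode_tag_hex(CONSTRUCTED_TAG_HEX))
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The bound path stores the entire payload, quote and all, in the owner column and leaves the profile column untouched; the allow-list rejects it outright. Note that neither fix cares what the payload is trying to do, which is the point: a reader that treats tag memory as data needs no knowledge of v$sql or of any particular injection to be immune to it.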

The entire demonstration stinks, and worse, the BBC reported on this type of vulnerability (the data in an RFID tag could corrupt a host system) four years ago in a sensible and calm manner. A quote from that article:

In their research paper Mr Tanenbaum and his colleagues Melanie Rieback and Bruno Crispo detail how to use RFID tags to spread viruses and subvert corporate databases.

"Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong," wrote the trio in their research paper.

The researchers showed how to get round the limited computational abilities of the smart tags to use them as an attack vector and corrupt databases holding information about what a company has in storage. To test out the theory the group created a virus for a smart tag that used only 127 characters, uploaded it and watched it in action.

The sensible article which the BBC is talking about back in 2006 is The Evolution of RFID Security.

PS Eagle-eyed ASCII loving readers may have wondered about the block of hex code at the start of Dr Gasson's RFID tag: 4120 7§§§ 676e 206f 6620 7§§§ 696e 6773 2974 6§§§ 636f 6d65 202d 2§§§ 7220 4761 7373 6§§§. If, like me, you think this looks a lot like English text in ASCII you'd be right. It reads "A sign of things to come - Dr Gasson". So, Dr Gasson signed his 'virus'. All he needs is a leet h4x0r name to complete his transition to script kiddie.

Now script kiddie might seem a bit rude until you go back and look at the virus above. It's using a technique called "self referential SQL queries". Their use in 'infecting' RFID systems is detailed here and also in the 2006 paper Is your cat infected with a computer virus?.

So Dr Gasson's virus looks less and less clever: he used a four year old technique to infect a machine and got himself on the telly because he 'infected himself' (an audible gasp from the audience).

There's a nice description of how the attack works here. Notice the incredible similarity between Dr Gasson's 'virus' and the code on this page.

Oh, and by the way, v$sql isn't accessible unless the user is a database administrator. So you need a machine running as database administrator, and a SQL injection vulnerability to make this happen.

PPS What annoys me most about this story is that Dr Gasson didn't invent the clever bit (the self-referential SQL query), he just got himself on the telly with a bit of grandstanding four years after the original, interesting report on the subject.


Heds said...

I left Reading University's Cybernetics Department in 1997 with a degree of which I was proud.

Then Kevin Warwick started showboating. Now Gasson is.

I dread to think what employers think of new graduates from the department. Poor sods.

Hairy Sammoth said...

That's interesting - I joined the Reading University Cybernetics department in 1998, and quit in disgust one year later. It was an utterly abominable department - by the time I'd started a different degree, there was only one person left on my course. The rest had left.

Kevin Warwick is indeed a terrible joke and an embarrassment to hard-working scientists. Sad to see that although he finally managed to teach one of his students something, it ended up being his horrible PR-stunt media baiting bollocks. As soon as I read this headline I knew it was going to be the Reading Uni Cybernetics dept.

Richi Jennings said...

Also a Cyb grad of 1987, after which Warwick took over from the much-loved Peter Fellgett (now sadly departed).

I went to an open day several years ago. It was all silly robot swarms and unoriginal RFID twaddle. Seems like nothing's changed.

ShawnM said...

Thank you for the article.
Today, when we almost have the Internet of Things, it doesn't sound like fiction. Of course there will be viruses to infect electronic chips wherever they are because it will be profitable for some people. I know that idealsvdr is expecting this and ready to produce new solutions.