Experts refute RFID virus claims

LONDON — The trade association for automatic identification and mobility, AIM Global, attempted to refute key findings of an IEEE conference paper presented this week that suggested RFID tags could be used to corrupt databases and even spread computer viruses.

The paper, by Melanie Rieback, a third-year PhD student at Amsterdam's Vrije University, was presented at the IEEE conference in Pisa, Italy, on Wednesday (March 15), sent shock waves through the RFID industry.

Titled "Is Your Cat Infected with a Computer Virus?" the paper suggested computer viruses could spread from RFID tags through readers into poorly written middleware applications and backend systems and databases.

"Many of the basic assumptions in the paper overlook a number of fundamental design features necessary in automatic data collection systems and good database design," asserted AIM Global President Dan Mullen.

Mullen suggested that researchers built a system with a weakness and then proceeded to show how the weakness could be exploited. "Not surprisingly, poor system design, whether capturing RFID tag information, bar code information or keyboard-entered data, will create vulnerabilities."

The association said it recognizes the efforts of university researchers is designed to highlight RFID security issues. "But the methodology of this particular research is questionable,” added Mullen.

Responding to the paper, RFID experts and International Organization for Standardization scientists, meeting this week in Kyoto, Japan, to debate RFID standards, emphasized that fixed data RFID tags, such as those used to identify pets, cannot be changed and therefore are immune to infection by a virus.

They skirted the issue of whether other types of tags, such as those where data can be changed, are prone to attacks. The experts did note that specific attributes in RFID systems can protect the overall system.

1 of 2