Saturday, May 29, 2010

John Graham-Cumming: Inside the RFID 'virus' that 'infected a man'

John Graham-Cumming: Inside the RFID 'virus' that 'infected a man': "Friday, May 28, 2010
Inside the RFID 'virus' that 'infected a man'
Earlier this week the BBC reported on a man who had 'infected' himself with a computer virus. The story, of course, is rubbish. The man wasn't 'infected' with anything; he had simply reprogrammed a chip that had been inserted under his skin and then stated that the code in the chip could 'infect' a machine.

There's nothing at all surprising in this. The idea that one machine could infect another is just the run-of-the-mill virus story. The idea that a piece of data (for that is what is stored in his subcutaneous chip) could cause a machine to misbehave is nothing new either: many, many attacks are based on subverting the difference between data and code to take control of machines.

So, the BBC should never have run with the story since it was sensationalist bollocks.

The story states: 'In trials, Dr Gasson showed that the chip was able to pass on the computer virus to external control systems. If other implanted chips had then connected to the system they too would have been corrupted, he said.' So what is this virus? I tried emailing the scientist involved, Dr Mark Gasson, but have not received any response.

For coders, the BBC did happily show two screenshots of the 'virus':



The top shot shows the ASCII version of the virus, and the bottom the hex. If we concentrate on the top shot we'll see that the contents of the virus on the chip are (I used § to indicate a character I can't read):


41207§§§676e206f66207§§§696e677329746§§§636f6d65202d2§§§
7220476173736§§§',NewProfile =(select SUBSTR(SQL_TEXT,1)FROM v$sql
WHERE INSTR(SQL_TEXT,'',0)--


So what you have is a SQL injection attack (note the first ' mark) which then executes a SQL statement (against an Oracle database because it's using the special v$sql table). The SQL itself is rather odd because it's looking for a piece of JavaScript in the currently running database query and then returning the query.

Since I don't have access to the machine that is running this code this is where a guess is needed, but it looks like he's causing the machine to insert JavaScript that will force a web browser to visit a site he owns, kablamm.com.

So, in summary, the sum total of this is that the RFID scanner has a SQL injection vulnerability. Big deal. SQL injection is everywhere, it hardly takes a 'researcher' to realize that unchecked input from the user (in this case in the form of a passive RFID tag) could have a consequence.

The entire demonstration stinks, and, worse, the BBC reported on this type of vulnerability (the data in an RFID tag could corrupt a host system) four years ago in a sensible and calm manner. A quote from that article:


In their research paper Mr Tanenbaum and his colleagues Melanie Rieback and Bruno Crispo detail how to use RFID tags to spread viruses and subvert corporate databases.

'Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong,' wrote the trio in their research paper.

The researchers showed how to get round the limited computational abilities of the smart tags to use them as an attack vector and corrupt databases holding information about what a company has in storage. To test out the theory the group created a virus for a smart tag that used only 127 characters, uploaded it and watched it in action.


The sensible article which the BBC is talking about back in 2006 is The Evolution of RFID Security.

PS Eagle eyed ASCII loving readers may have wondered about the block of hex code at the start of Dr Gasson's RFID tag: 4120 7§§§ 676e 206f 6620 7§§§ 696e 6773 2974 6§§§ 636f 6d65 202d 2§§§ 7220 4761 7373 6§§§. If, like me, you think this looks a lot like English text in ASCII you'd be right. It reads 'A sign of things to come - Dr Gasson'. So, Dr Gasson signed his 'virus'. All he needs is a leet h4x0r name to complete his transition to script kiddie.

Now script kiddie might seem a bit rude until you go back and look at the virus above. It's using a technique called 'self referential SQL queries'. Their use in 'infecting' RFID systems is detailed here and also in the 2006 paper Is your cat infected with a computer virus?.

So Dr Gasson's virus looks less and less clever: he used a four year old technique to infect a machine and got himself on the telly because he 'infected himself' (an audible gasp from the audience).

There's a nice description of how the attack works here. Notice the incredible similarity between Dr Gasson's 'virus' and the code on this page.

Oh, and by the way, v$sql isn't accessible unless the user is a database administrator. So you need a machine running as database administrator, and a SQL injection vulnerability to make this happen.

PPS What annoys me most about this story is that Dr Gasson didn't invent the clever bit (the self-referential SQL query), he just got himself on the telly with a bit of grandstanding four years after the original, interesting report on the subject.

Labels: rants and raves, security

posted by John Graham-Cumming at 08:35 Permalink
1 Comments:

Blogger Heds said...

I left Reading University's Cybernetics Department in 1997 with a degree of which I was proud.

Then Kevin Warwick started showboating. Now Gasson is.

I dread to think what employers think of new graduates from the department. Poor sods.
3:55 PM

Copyright (c) 1999-2010 John Graham-Cumming



- Sent using Google Toolbar"
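The post's point is that the 'virus' is just tag data reaching an UPDATE statement through string concatenation, so a quote mark turns data into code. The following is an added example, not code from the original post or from either research group it mentions: a scanner routine with that defect beside a parameterized version, plus a format check for the fixed-format identifiers an RFID deployment normally expects. Table and column names, the benign tag and the hostile tag are constructed for the demo; the hostile tag copies only the shape of the quoted payload (close the literal, add a second column assignment, comment out the rest). SQLite has no equivalent of Oracle's v$sql, so the self-referential, self-copying part of the real payload is not reproduced, only the injection mechanics it depends on.

```python
"""
Added example: SQL injection via raw RFID tag contents, with the fix.
Schema, tag values and column names are constructed for this demo.
"""
import re
import sqlite3

# Constructed schema: one row per reader, holding the last tag seen and an
# operator-controlled notes field that tag data must never be able to touch.
SCHEMA = """
CREATE TABLE readers (
    reader_id   INTEGER PRIMARY KEY,
    last_tag    TEXT,
    notes       TEXT
);
INSERT INTO readers VALUES (1, NULL, 'clean');
"""

# Constructed tag contents. The benign tag is a hex identifier (as in the
# hex dump on the page); the hostile one closes the string literal, assigns
# a second column and comments out the remainder of the statement.
BENIGN_TAG = "41207369676e206f66"
HOSTILE_TAG = "41207369', notes = 'INJECTED' --"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_tag_vulnerable(conn, reader_id, tag_data):
    # Bug: the tag is pasted into the statement text, so a quote in the tag
    # turns data into SQL. This is the data/code confusion the post describes.
    sql = f"UPDATE readers SET last_tag = '{tag_data}' WHERE reader_id = {reader_id}"
    conn.execute(sql)
    conn.commit()


def record_tag_safe(conn, reader_id, tag_data):
    # Fix: bound parameters. The statement text is fixed and the tag travels
    # as a value, so quotes and comment markers inside it are inert.
    conn.execute(
        "UPDATE readers SET last_tag = ? WHERE reader_id = ?",
        (tag_data, reader_id),
    )
    conn.commit()


# Defence in depth. Assumption for this demo: the deployment's tags carry
# only hex identifiers, so anything else is rejected before it reaches SQL.
TAG_FORMAT = re.compile(r"^[0-9A-Fa-f]{8,64}$")


def is_well_formed_tag(tag_data):
    return TAG_FORMAT.fullmatch(tag_data) is not None


def read_state(conn, reader_id):
    return conn.execute(
        "SELECT last_tag, notes FROM readers WHERE reader_id = ?", (reader_id,)
    ).fetchone()


def demo(handler, tag_data):
    """Run one tag read through the given handler; return (last_tag, notes)."""
    conn = fresh_db()
    handler(conn, 1, tag_data)
    return read_state(conn, 1)


if __name__ == "__main__":
    print("vulnerable, hostile tag:", demo(record_tag_vulnerable, HOSTILE_TAG))
    print("safe, hostile tag:      ", demo(record_tag_safe, HOSTILE_TAG))
    print("format check:", is_well_formed_tag(BENIGN_TAG), is_well_formed_tag(HOSTILE_TAG))
```

With the vulnerable handler the hostile tag ends up rewriting the notes column that the tag should never reach; with the parameterized handler the same bytes are stored verbatim in last_tag and nothing else changes. The format check is the cheap first line: a passive tag is untrusted input like any other, and a tag that does not look like an identifier has no business being processed at all.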
