A British researcher implanted a Radio Frequency Identification (RFID) chip into his hand and infected it with a PC virus.
Mark Gasson claimed to be the first human infected with a PC virus.
Others grumbled at his publicity stunt.
Last year, Gasson had a Radio Frequency Identification (RFID) chip implanted into his left hand.
As part of an experiment looking into possible security risks of implants, Gasson purposely infected himself with a "benign" computer virus to show that bionic devices can be struck by viruses.
RFID chips are basically tiny computers. The microchips are commonly used to track items for commercial and security reasons, but experts have previously dismissed possible threats — they believed the memory of the RFID chips couldn't support a viral attack.
However, University of Reading's Gasson has demonstrated otherwise.
Normally, the RFID tag puts out a signal that lets only Gasson use his cell phone and access parts of his lab. However, after Gasson's chip was infected, he went into his lab and infected the computers that read his code.
Once the virus was in the main database, it replicated — as viruses do. And so when Gasson's lab mates swiped their cards in for entry, their RFID readers picked up the virus. Wow, now that's a major security loophole.
"By infecting my own implant with a computer virus we have demonstrated how advanced these technologies are becoming and also had a glimpse at the problems of tomorrow," Gasson says in a statement.
Now, imagine what would happen if bionic implants such as pacemakers and deep brain stimulators became infected. As more machines make their way into our bodies, PC virus threats should not be ignored.
Understandably, Gasson's experiment evoked strong emotions - the situation exploited a vulnerability in a technology that is seen as science fiction rather than reality.
But Kevin Fu doesn't think this scenario is that far-fetched. At the University of Massachusetts, Amherst, Fu also contemplates possible security loopholes with RFID tags.
"To me, it's not fundamentally surprising that malware could spread via an implanted device. A computer is a computer no matter how small, and therefore can serve as both a target and carrier of malicious software," says Fu. "However, the risk could grow quickly if the tiny implants are depended upon in critical computing infrastructure."
In 2006, Melanie Rieback wrote in "Is Your Cat Infected with a Computer Virus?": "RFID malware is a Pandora's box that has been gathering dust in the corner of our 'smart' warehouses and homes. While the idea of RFID viruses has surely crossed people's minds, the desire to see RFID technology succeed has suppressed any serious consideration of the concept."
Vrije Universiteit's Rieback created a self-replicating RFID virus — showing that from just one infected RFID tag, databases around the world could be susceptible.
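How a reader back end can keep tag contents inert, so that a tag read never reaches the database as anything but data. This is an added example, not code from Gasson's or Rieback's experiments; it assumes a hypothetical access-control service that stores tag reads in a SQL database (SQLite here), a made-up 16-hex-digit tag ID format, and constructed sample payloads.

```python
import re
import sqlite3

# Assumption: tags in this hypothetical deployment carry a 16-hex-digit ID.
TAG_ID = re.compile(r"[0-9A-F]{16}")
MAX_TAG_BYTES = 64  # assumed upper bound on what a reader hands to the back end


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE badges (tag_id TEXT PRIMARY KEY, holder TEXT)")
    db.execute("CREATE TABLE reads (tag_id TEXT, door TEXT, granted INTEGER)")
    db.execute("INSERT INTO badges VALUES ('00A1B2C3D4E5F607', 'lab member')")
    return db


def parse_tag(raw: bytes):
    """Return the tag ID if the payload is exactly one well-formed ID, else None."""
    if len(raw) > MAX_TAG_BYTES:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    # fullmatch rejects trailing bytes, including a trailing newline.
    return text if TAG_ID.fullmatch(text) else None


def handle_read(db, raw: bytes, door: str) -> bool:
    """Decide access for one tag read; tag bytes are never used as SQL text."""
    tag = parse_tag(raw)
    if tag is None:
        # Log a fixed marker rather than the untrusted bytes themselves.
        db.execute("INSERT INTO reads VALUES (?, ?, 0)", ("<malformed>", door))
        return False
    # Bound parameters: the engine treats the value as data, not as a statement.
    row = db.execute("SELECT 1 FROM badges WHERE tag_id = ?", (tag,)).fetchone()
    db.execute("INSERT INTO reads VALUES (?, ?, ?)", (tag, door, int(row is not None)))
    return row is not None


def demo():
    db = open_db()
    # Constructed payloads: a known ID, an unknown ID, an ID with extra text.
    samples = [b"00A1B2C3D4E5F607", b"F" * 16, b"00A1B2C3D4E5F607'; --extra"]
    results = [handle_read(db, s, "lab-1") for s in samples]
    badges = db.execute("SELECT COUNT(*) FROM badges").fetchone()[0]
    logged = [r[0] for r in db.execute("SELECT tag_id FROM reads ORDER BY rowid")]
    return results, badges, logged
```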
As RFID technology becomes more mainstream, these and other security issues will arise. However, what could possibly go wrong remains pure speculation at this point.
May 27, 2010
"whose internal specs are never leaked..." Really? Just like Microsoft's proprietary code and specs never were leaked? Ever heard of reverse engineering? Hackers are just waiting to get started.
The problem will be with configurable devices such as pacemakers, insulin (and other drug) dispensers. The brain stimulation devices mentioned are particularly worrisome. Imagine hacks thinking it would be fun to trigger seizures or patients altering the program to give them a high or simply sending too much current and causing permanent brain damage. Or if you have an embedded security chip that allows you to update the encryption routines or add multiple "passwords" for various locations and external devices. If the chip contains any way to allow external access and writing we are going to have to look at protecting it like we do our PCs. No matter how unlikely, this issue must be taken seriously before these devices are mainstream.
While in theory it's certainly possible for any device with a micro to run a virus, I see the possibility to be highly unlikely. Embedded devices such as these are proprietary, closed systems whose internal specs are never leaked. Often they run homebrew OSes, if they can even be called that. While the CIA or other government sponsored agency might have the resources and need to create such a virus (imagine infecting the pacemaker of a hostile foreign leader), it's not something your average hacker would have the resources or incentive to do.
Why are we allowing a device that is only supposed to have data to be read to upload a program (virus) to another device and then have that device execute this virus code? Someone has got to review how this software / firmware is written and structured that this sort of thing can happen. I just don't see why a If you can only read files or blocks of information from an RFID what is going on that the host reader device is doing to allow other data or programs to be loaded and executed. There is a basic flaw in how these software functions have been written from the start.
The human was not infected, but the implanted computer (RFID). Of course, if it can communicate, there is a possible infection. Computer security will be one of the most important sciences in the foreseeable future, as computers become more and more dominant in our lives.