Spent some time reviewing work that Andrew Tanenbaum’s group is doing at the Vrije University in Amsterdam on the security of RFID systems (see the paper here). Essentially, what they have found is that if RFID systems don’t properly handle the data they receive when RFID tags are activated, then those systems can be attacked by "malicious" RFID tags. This is certainly a clever course of inquiry, but my reaction reading through this research was "Well, duh."
This is essentially a re-statement of the requirement to validate inputs that cross trust boundaries. RFID tag data certainly crosses a trust boundary as it is brought into the RFID middleware systems – so why wouldn’t it be subject to validation?
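What validation at that boundary can look like, as an added example that is not from this post or from the paper: raw bytes from a reader are bounded in length, matched against an allow-listed format, and only then stored through a parameterized query. The tag format (24 uppercase hex characters), the `reads` table and all function names are assumptions made for illustration.

```python
import re
import sqlite3

# Assumed format for this example: a tag ID is exactly 24 uppercase hex characters.
TAG_ID_RE = re.compile(r"[0-9A-F]{24}")
MAX_RAW_LEN = 64  # assumed upper bound on bytes accepted from a reader


class RejectedTag(ValueError):
    """Raised when tag data fails validation at the trust boundary."""


def validate_tag(raw: bytes) -> str:
    """Return the tag ID as text, or raise RejectedTag."""
    if len(raw) > MAX_RAW_LEN:            # bound the size before any parsing
        raise RejectedTag("oversized payload")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise RejectedTag("non-ASCII payload") from None
    if not TAG_ID_RE.fullmatch(text):     # allow-list: accept only the known format
        raise RejectedTag("payload does not match expected tag format")
    return text


def record_read(db: sqlite3.Connection, raw: bytes) -> bool:
    """Store a validated tag read; return False if the data was rejected."""
    try:
        tag_id = validate_tag(raw)
    except RejectedTag:
        return False
    # Parameterized query: even validated data is never concatenated into SQL.
    db.execute("INSERT INTO reads (tag_id) VALUES (?)", (tag_id,))
    return True


def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reads (tag_id TEXT NOT NULL)")
    samples = [                            # constructed sample payloads
        b"3034257BF400B7800004CB2F",       # well-formed tag ID
        b"3034257BF400'; --",              # carries SQL metacharacters
        b"A" * 500,                        # far larger than any real tag ID
        b"\xff\xfe3034257BF400B7800004",   # non-ASCII bytes
    ]
    results = [record_read(db, s) for s in samples]
    rows = [r[0] for r in db.execute("SELECT tag_id FROM reads")]
    return results, rows


if __name__ == "__main__":
    print(demo())
```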
Developers first learned this lesson the hard way when building network daemons and running into buffer overflows. Then they learned it again developing web applications when running into SQL injection and cross-site scripting problems. Then they learned it again when developing web services. And AJAX applications. And so on. Now developers building RFID systems will get to learn this lesson all over again. Where does it all end?
Perhaps if every software developer taped a card to their monitor that said "Could this input be malicious? If so, validate it." the world would be a much safer place.
dan _at_ denimgroup.com