Denim Group has been acquired by Coalfire. Learn More>>

RFID Systems Developers – Beware!

Spent some time reviewing work that Andrew Tanenbaum’s group is doing at the Vrije University in Amsterdam on the security of RFID systems (See the paper here.)  Essentially what they have found is that if RFID systems don’t properly handle the data they receive when RFID tags are activated then those systems can be attacked by "malicious" RFID tags.  This is certainly a clever course of inquiry, but my reaction reading through this research was "Well, duh."

This is essentially a re-statement of the requirement to validate inputs that cross trust boundaries.  RFID tag data certainly crosses a trust boundary as it is brought into the RFID middleware systems – so why wouldn’t it be subject to validation?

Developers first learned this lesson the hard way when building  network daemons and running into buffer overflows.  Then they learned it again developing web applications when running into SQL injection and cross-site scripting problems.  Then they learned it again when developing web services.  And AJAX applications.  And so on.  Now developers building RFID systems will get to learn this lesson all over again.  Where does it all end?

Perhaps if every software developer taped a card to their monitor that said "Could this input be malicious?  If so, validate it." the world would be a much safer place.

dan _at_

About Dan Cornell

Dan Cornell Web Resolution

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
More Posts by Dan Cornell

Leave a Reply

Your email address will not be published. Required fields are marked *