Sophos calls for calm over "RFID viruses"

March 16, 2006 Sophos Press Release

Cadbury the cat
RFID chips are often implanted in pet cats.

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have advised users not to panic following media reports of a virus which infects RFID tags*.

A paper entitled "Is your cat infected with a computer virus?", written by a group from the University of Amsterdam, has theorized that it is possible for an RFID tag to carry a virus and, in exceptional circumstances, to spread via vulnerable RFID readers and middleware.

The semi-academic paper is full of assumptions that have to be realized before it is possible to create a virus that will use RFID tags to spread. It is worth mentioning that the virus code described in the paper works only on the environment constructed specially for the purpose by the authors of the paper and that there are no known vulnerabiltities like that in any real RFID middleware system.

"The researchers who wrote this paper failed to find a vulnerability in the RFID system for their virus to exploit. So they had to deliberately build a system with a problem for their virus to try and use to spread," said Graham Cluley, senior technology consultant for Sophos. "Any data storage device can carry virus code , but it doesn't necessarily mean that the virus would be able to spread successfully. In this instance, the researchers failed to show how an RFID virus could spread in the real world."

Sophos believes that businesses should focus on the real risks, rather than be diverted by hype. Organized criminal gangs behind virus and Trojan horse attacks are concentrating their financially motivated malware on the Windows platform.

"The sky is not falling, and no-one should be diverted from the important task of dealing with the very real risks posed by conventional viruses. Windows desktops and servers are the main battleground for viruses right now, not the aisles of the supermarket or at the vets when you get your pet cat chipped," continued Cluley.

* RFID tags are small chips that can carry a small amount of data, in order to replace barcodes often used in supermarkets and warehouses.