Bad science: Human computer virus experiment is scaremongering, says Sophos

May 26, 2010 Sophos Press Release

RFID chip

IT security and data protection firm Sophos is pouring cold water on research from the University of Reading, after Dr Mark Gasson, a senior research fellow working at the university's Cybernetic Intelligence Research Group, infected himself with a computer virus by implanting an RFID chip into his hand.

Sophos experts claim that while it is possible to put any software code onto an RFID chip, the code would not be read until an RFID reader came into contact with the affected RFID chip. Furthermore, the software connected with the RFID reader itself would need to have a security vulnerability in order to allow the malicious code to be run.

Nevertheless, Dr Gasson has claimed that in the future that pacemakers and deep brain stimulators could be infected by other devices.

"Scientists should be responsible in how they present their research, rather than hyping up threats in order to get headlines," said Graham Cluley, senior technology consultant at Sophos. "Any virus code on the RFID chip would be utterly incapable of running unless a serious security hole existed in the external device reading it. RFID chips normally just have data read from them, rather than 'executed', so the chances of a virus infection spreading in this fashion is extremely remote. Frankly, I've got more chance of being flattened by a falling grand piano than I have of getting my dog infected by a PC virus next time I take him to the vets."

Sophos notes that staff at the University of Reading have courted the media on many occasions with tales of how they have implanted RFID chips into their bodies.

"The scientists in Reading seem more interested in implanting chips inside themselves rather than their pet cat - but the fact remains that it makes no difference if an RFID chip is injected under your skin or stitched into the lining of your jacket," explained Cluley. "The main progress that appears to have been made from such research is not a contribution to computer security, but a fool-proof method of ensuring that university staff don't forget their office door pass in the morning. Predictions of pacemakers and cochlear implants being hit by virus infections is the very worst kind of scaremongering."

For more information about the experiment please visit Graham Cluley's blog .