
How to Defend against RFID Malware


RFID software designers can "armor" their systems against RFID Malware by taking the following steps.

General Advice


  • Like other software systems, RFID middleware can benefit from code reviews, which may help find bugs the programmer overlooked.

  • Lock down user accounts. Privileges the middleware does not have cannot be abused. The same applies to database accounts.

  • Finally, disable or remove any features that are not required. They only provide further means of attack.


Stopping Database Attacks


To avoid SQL injection, any data that is copied into a SQL statement should be checked and escaped using the functions the database API provides.

Better yet, don't copy data into SQL statements, but use prepared statements and parameter binding. When using parameter binding, the database treats parameters purely as data, which means they will never be interpreted as code. Prepared statements generally allow only a single SQL statement to be prepared per statement handle. This avoids a large number of SQL injection attacks, as it is not possible to start a second query.

Some databases provide features that limit the likelihood of an attack. For example, both Oracle and MySQL allow only a single query to be executed during an API call, though newer versions of MySQL allow the programmer to enable multiple queries.

Another feature that limits the likelihood of attacks is the way GetCurrentQuerys-style functionality is handled. MySQL and PostgreSQL make it practically impossible to abuse this functionality. MySQL has made a separate command for it, which cannot be included in a SQL query. PostgreSQL uses a reporting delay, which makes the behavior too erratic for a virus to spread.
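The difference between copying tag data into a SQL statement and binding it as a parameter, as an added example that is not part of the original page. It uses Python's sqlite3 module as a stand-in database; the containers table, the function names and the tag contents are constructed for illustration.

```python
import sqlite3

# Constructed sample of data read from a tag; not taken from the page.
TAG_DATA = "Apples'; UPDATE containers SET contents = 'tampered"

COPIED = "UPDATE containers SET contents = '%s' WHERE tag_id = %d"
BOUND = "UPDATE containers SET contents = ? WHERE tag_id = ?"

def new_db():
    """In-memory stand-in for the middleware database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE containers (tag_id INTEGER PRIMARY KEY, contents TEXT)")
    db.executemany("INSERT INTO containers VALUES (?, ?)", [(1, "Pears"), (2, "Plums")])
    db.commit()
    return db

def copy_multi(db, tag_id, data):
    # Weak: data becomes part of the SQL text, and this API runs every statement.
    db.executescript(COPIED % (data, tag_id))

def copy_single(db, tag_id, data):
    # Still copied, but execute() accepts only one statement per call.
    db.execute(COPIED % (data, tag_id))

def bind(db, tag_id, data):
    # Parameter binding: the tag data is only ever treated as a value.
    db.execute(BOUND, (data, tag_id))

def outcome(update):
    """Apply one update style to a fresh database; return (rejected, rows)."""
    db = new_db()
    try:
        update(db, 1, TAG_DATA)
        rejected = False
    except (sqlite3.Warning, sqlite3.Error):
        rejected = True
    rows = dict(db.execute("SELECT tag_id, contents FROM containers ORDER BY tag_id"))
    return rejected, rows

if __name__ == "__main__":
    for style in (copy_multi, copy_single, bind):
        print(style.__name__, outcome(style))
```

The single-statement call stops the second query but the update itself fails; only the bound version stores the tag data intact without changing any other row.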


Stopping Web-Based Attacks


Client-side scripting can be prevented by properly escaping data inserted into HTML pages. Web-development languages usually provide functions that can do this for you. PHP can do this automatically for every string using its 'magic quotes'. If the scripting language is not required, disabling it will avoid any chance of it being abused.

SSI injection can also be avoided by using proper escaping, or by disabling SSI.


Stopping Glue-Code Attacks


Buffer overflows can be prevented by properly checking buffer bounds. There are also tools that can do this automatically, such as Valgrind and Electric Fence.

Of course, using a programming language that performs these checks automatically is even better. Java is an example of such a language.



Last modified: Thursday, 02 March 2006 21:25, CET