A group of European computer researchers has demonstrated that it is possible to insert a software virus into radio frequency identification tags, part of a microchip-based tracking technology in growing use in commercial and security applications.
In a paper to be presented yesterday at an academic computing conference in Pisa, Italy, the researchers plan to demonstrate how it is possible to infect a tiny portion of memory in the chips that is frequently large enough to hold only 128 characters of information.
Until now, most security experts have discounted the possibility of using such tags, known as RFID chips, to spread a computer virus because of the tiny amount of memory on the chips. The tracking systems are intended to improve the accuracy and lower the cost of tracking goods. Radio tags have even been injected into pets and livestock for identification.
In the researchers' paper, "Is Your Cat Infected With a Computer Virus?" the group, affiliated with the computer science department at Vrije Universiteit in Amsterdam, also describes how the vulnerability could be used to undermine a variety of tracking systems.
The group, led by Andrew Tanenbaum, a US computer scientist, was to make the presentation at the annual Pervasive Computing and Communications Conference sponsored by the Institute of Electrical and Electronic Engineers.
"We have not found specific flaws" in the commercial RFID software, Tanenbaum said, but "experience shows that software written by large companies has errors in it."
The researchers have posted their paper and related materials on security issues related to RFID systems at www.rfidvirus.org.
The researchers said that inside information would be required in many cases to plant a hostile program.
But they asserted that the commercial software developed for RFID applications had the same potential vulnerabilities that have been exploited by viruses and other malicious software, or malware, in the rest of the computer industry.