Researchers have discovered a way to infect RFID tags with a computer worm, raising the disturbing prospect that products, ID cards, and even pets could be used to spread malicious code. RFID tags provides a simple and efficient method of short-range identification and are increasingly being used to track products, make automatic payments and control access to buildings and public transport. They can be implanted into pets, cattle, and even humans for identification purposes. But researchers from Vrije Universiteit in Amsterdam, led by Andrew Tanenbaum, have found that RFID tags can also be used to spread dangerous computer code. They demonstrated techniques for creating malicious tags at the Fourth Annual IEEE International Conference on Pervasive Computing and Communications in Pisa, Italy, on Tuesday. RFID tags are already viewed with some suspicion by privacy groups because they offer a way to increase surveillance of individuals. But, until now, it has been assumed they are unsuitable for spreading computer worms or viruses because each tag has a limited memory, typically less than 1024 bits. The Vrije Universiteit team found that compact malicious code could be written to RFID tags after all. By replacing a tag's normal identification code with a carefully written message, the researchers found they could exploit bugs in a computer connected to an RFID reader. This made it possible to spread a self-replicating computer worm capable of infecting other compatible, and rewritable, RFID tags. "It's a very interesting idea," says Burt Kaliski, vice president of research at US company RSA Security. "RFID introduces data into a system, and if that system's data processing is not properly designed then many types of attack may be possible." But Kaliski also notes that simple RFID tags, which cannot be overwritten, should be far more difficult to exploit. Roughly the size of a grain of rice, an RFID tag contains a miniaturised computer chip and radio transmitter capable of sending a unique identification code over a short distance to a receiver and a connected computer. The tags are powered inductively, by the signal from the external reading device, which means they can operate indefinitely without a battery. A tag infected with a worm and attached, for example, to a piece of luggage could rapidly infect other luggage in an airport, the Dutch researchers say. "On arrival at other airports, these cases will be scanned again and within 24 hours, hundreds of airports throughout the world could be infected," they said in a statement issued by the university. The Dutch researchers add that a malicious RFID tags could also bypass physical security measures by fooling a computer into thinking it has just received a different identification code. In the hypothetical airport example, this would provide "the perfect solution for smugglers and terrorists wanting to send suspicious luggage across the world without being noticed," they add. [New Scientist]