• PC World
• »Security

Malware on Your Passport?

Danger level: Medium | Likelihood: Low | Target: Most consumers

Could your passport, a pack of razor blades, or even your pet cat carry a computer virus? It may seem farfetched, but recent findings from a trio of Dutch researchers serve to demonstrate the possibility.

RFID (Radio-Frequency Identification) chips are small, inexpensive devices that can be embedded in stickers and in pet ID tags, and soon they'll show up in driver's licenses and U.S. passports. They're used for electronically transmitting information--say, inventory data for shipping pallets, or your passport number--over short distances.

Though highly useful, some implementations of the RFID technology have security weaknesses. For example, the information on some tags can be rewritten, and other tags can be read from an unusually great distance.

In an attempt to exploit some of these weaknesses, the Dutch university researchers conducted a controversial proof-of-concept study using modified RFID tags and a viruslike command to "infect" the back-end database that stored the tag's records. Theoretically, an RFID system could thus be made to crash or run malicious code--a scary prospect for a critical business or government technology.

Numerous computer security experts have pointed out that a reasonably well-built system with effective "middleware" between the RFID reader and the database probably wouldn't be vulnerable to such an assault. And sensitive RFID chips can use encryption and shielding covers to protect against acquiring an unasked-for malicious payload. The planned U.S. passports will use both measures.

Still, the study illustrates a basic point: Nearly every system has exploitable flaws. Keep an eye on your cat.