Dr. Mark Gasson of the University of Reading in England shows the BBC that the storage space on his RFID implant could be used to house a specially crafted “virus” which could “infect” other systems. Technically this would be classified as a worm, not a virus; however, the bottom line is that this is not an infection of any type so much as a carefully crafted proof of concept.
The reality is that RFID application developers need to treat any input coming from outside the confines of their own code as hostile. Just as web developers now validate and scrub user input from query strings, form posts, etc. to protect against things like XSS and SQL injection, RFID developers need to validate and scrub the contents of RFID tag memory the same way.
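As an added illustration (not code from Dr. Gasson's demonstration or from any real RFID middleware), here is one way a reader application could treat tag memory as hostile: check it against a strict format first, then pass it to the database only as a bound parameter. The tag layout, the `assets` table and every name below are assumptions made for the example.

```python
import re
import sqlite3

# Assumed tag layout (hypothetical): user memory holds an ASCII asset ID,
# 1-16 characters of [A-Z0-9-], padded with NUL bytes to the block size.
ASSET_ID_RE = re.compile(r"[A-Z0-9-]{1,16}")
MAX_TAG_BYTES = 64


def parse_tag_memory(raw: bytes) -> str:
    """Return the asset ID held in raw tag memory, or raise ValueError."""
    if len(raw) > MAX_TAG_BYTES:
        raise ValueError("tag memory larger than expected")
    body = raw.rstrip(b"\x00")          # drop block padding only
    if b"\x00" in body:
        raise ValueError("embedded NUL in tag data")
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII tag data") from None
    if not ASSET_ID_RE.fullmatch(text):  # allow-list, not a block-list
        raise ValueError("tag data does not match asset ID format")
    return text


def lookup_asset(db: sqlite3.Connection, raw: bytes):
    """Validate tag memory, then query with a bound parameter."""
    asset_id = parse_tag_memory(raw)
    row = db.execute("SELECT name FROM assets WHERE id = ?", (asset_id,)).fetchone()
    return row[0] if row else None


def demo_db() -> sqlite3.Connection:
    """In-memory database with one constructed row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE assets (id TEXT PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO assets VALUES ('PAL-0042', 'pallet 42')")
    return db


# Constructed sample reads: one well-formed tag, one carrying SQL text.
GOOD_TAG = b"PAL-0042" + b"\x00" * 8
HOSTILE_TAG = b"X' OR '1'='1" + b"\x00" * 4

if __name__ == "__main__":
    db = demo_db()
    print(lookup_asset(db, GOOD_TAG))
    try:
        lookup_asset(db, HOSTILE_TAG)
    except ValueError as err:
        print("rejected:", err)
```

The format check and the bound parameter are independent layers: the query stays safe even if the allow-list is later loosened.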
Even though what Mark is claiming isn’t, in reality, a serious concern for any RFID systems developer with half an eye on security best practices, he does bring a much-needed spotlight to the world of interactive medical implants. “Interactive” here means they are controlled through wireless data technologies similar to active RFID, Wi-Fi networks, Bluetooth, etc. Serious attention needs to be paid to those devices and the way their interactive data protocols are designed and secured. If the only way to get serious attention on that subject is to claim you are the first person to be infected by a computer virus, then so be it.
I respect the fact he’s bringing light to that issue, and I’m really hoping to meet him at ISTAS 2010!