By Mark Ward
Technology Correspondent, BBC News website
Computer viruses could be about to take a giant leap and start spreading via smart barcodes, warn experts.
The smart tags are being used to streamline supply chains
Security researchers have infected a Radio Frequency ID tag with a computer virus to show how the technology is vulnerable to malicious hackers.
The researchers warn that RFID tags could help mount many different types of attacks on computer systems.
Makers of radio tag systems were urged by the group to introduce safeguards to guard against RFID-borne bugs.
"This is intended as a wake-up call," said Andrew Tanenbaum, one of the researchers in the computer science department at Amsterdam's Free University that did the work revealing the weaknesses on smart tags.
"We ask the RFID industry to design systems that are secure," he said.
RFID tags are essentially smart barcodes that replace the familiar lines with a small amount of computer memory, a tiny processing unit and a radio. Information is downloaded into the tag and read off it via radio.
Many large companies are keen to use the RFID tags because they will help keep track of the goods they are shipping from warehouses out to stores or regional offices. Currently RFID tags are relatively expensive so most are used to log what is in boxes of goods rather than to label individual items.
However, many expect the smart tags to become ubiquitous as the price of making the devices falls.
In their research paper Mr Tanenbaum and his colleagues Melanie Rieback and Bruno Crispo detail how to use RFID tags to spread viruses and subvert corporate databases.
"Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong," wrote the trio in their research paper.
The researchers showed how to get round the limited computational abilities of the smart tags to use them as an attack vector and corrupt databases holding information about what a company has in storage. To test out the theory the group created a virus for a smart tag that used only 127 characters, uploaded it and watched it in action.
Mikko Hypponen, chief research officer at anti-virus firm F-Secure, said: "RFIDs with embedded computers are suspectible to basically all the same threats any other computers are. Unfortunately."
If viruses do appear in smart tags, said the researchers, they are likely to cause problems for companies that read data off the tags. They speculated that consumer activist groups could use smart tags viruses to cause havoc at stores they are targeting.
In some cases, said the researchers, viruses could be spread by household pets such as cats and dogs that are injected with the tags to help identify their owner.
The researchers urged companies working on RFID systems to start thinking seriously about security measures to protect against future threats.