Most viruses take advantage of bugs in programs that are too "trusting" of the input the program receives. Viruses take advantage of this trust to exploit these bugs. Programs should never "trust" the data they receive — if all programs that recieve input were paranoid, there would be no way for virus authors to exploit bugs. But many programs make the mistake of being to trusting about their input.
For most computer viruses, the "input" is a specially constructed file that exploits a bug to install a virus (also in the file).
In principal, virus authors could create specially constructed bar codes to infect supermarket computers by exploiting bugs in the bar-code-reading software. Virus writers could do the same thing with magnetic card readers — create a specially constructed magnetic stripe that exploits bugs in the magnetic-stripe-readers.
The risk for "bar code viruses" and "magnetic card viruses" is pretty low (I've never heard of any). The risk is low for two reasons:
- Bar codes don't "store" very much data, so probably the most a virus author could do is crash the computer running the bar-code-reading software. Magnetic stripes can store a bit more data, but the viruses would still have to be very simple. So it's not as tempting of a target for virus writers.
- It's easier for computer owners to control/track the risk. The infection points are the bar code readers and magnetic strip readers, and the opportunity for infection occurs at the scan/swipe. These readers are pretty specialized, and it would be difficult to propagate the virus because it requires a human to actually scan/swipe.
But what about the combination of RFID tags and the RFID readers?
Computers running RFID-reader software are likely to become very widespread. There's talk of putting RFID tags in all the items in a grocery store, then putting an RFID reader in every refrigerator — this would allow your refrigerator to tell you everything that is inside without opening it up. We may see RFID readers in automobiles, check-out lines, hospitals, nearly everywhere.
Furthermore, to get this kind of convenience, the RFID-readers need to reading all the time so that they can read every tag that goes by the reader — if they are not reading all the time, most of the convenience promised by RFID-technology evaporates.
This combination of widespread adoption and continuously accepting input (reading) makes the threats of virus transmission via RFID much, much greater. The only "consolation" is that the data storage of RFID tags is also low, so most viruses would probably be limited to the crash-the-computer variant. Of course, if their are RFID readers in your car, well placed RFID tags scattered over the highway could crash the computers in the cars driving that freeway at rush hour (all theoretical of course).
So what can we do? Mostly start thinking about these risks. Those creating RFID-reading-software will need to start with the mindset that the input can not be trusted, and be more careful with their programming. Hopefully we won't have to learn the lesson the hard way.
[This post inspired by a Mar 15, 2006 Slashdot story. The idea of barcodes and magnetic strip readers inspired by Vo0k's post in response to that article.]