First Man Infected by a Computer Virus

[CaesMRaenes]

http://news.bbc.co.uk/2/hi/technology/10158517.stm

That's right. You heard me. BBC released an article about the first man to be infected by a computer virus, proving that with new technology in the medicine field comes risk.

I thought that you guys might like to take a look at it so I'm posting it. And I have to tell you: the best comment my friend made was, "If I had to be part computer, I'd want to be a Mac."

[Fluffycrow]

Hmm, that's awfully interesting.

Life is getting closer and closer to science fiction, isn't it?

[boboverlord]

Then we will hear about someone who wears Twilight Bracelet or something like that. lol

[Wintermoon]

That's stupid.

The only way an external control system could be infected by a RFID chip is if the external system is executes arbitrary code from the RFID. The only valid reason for why the external control system should execute arbitrary code from the RFID chip is that it's specifically designed to allow itself to be infected. Designing secure computer systems is not difficult.

[Jake]

The only way an external control system could be infected by a RFID chip is if the external system is executes arbitrary code from the RFID. The only valid reason for why the external control system should execute arbitrary code from the RFID chip is that it's specifically designed to allow itself to be infected. Designing secure computer systems is not difficult.

Yes, that's why there are so few security holes in computer systems.

OH WAIT.

Seriously, at the risk of sounding patronising, you have heard of buffer overruns, right? There have been exploits where seemingly-fine routines to load and display images have been exploited to be able to execute arbitrary code. There's no good reason to treat data as executable code when you're loading an image, but it happens.

Yes, it's possible to defend against these things design-wise and implementation-wise, and it's certainly possible to avoid a lot of problems, but ultimately, people still make mistakes and systems written with the best intentions by excellent programmers still sometimes have holes. Sometimes they use library code that they have every reason to think is fine but turns out to have problems. Sometimes there are unexpected and unknown problems in the hardware. Sometimes they're compromised by unexpected contextual issues. Sometimes people just make mistakes. It's entirely reasonable to think that System X which communicates wirelessly with a wearable device or (once we start implanting people with microchips) an implanted microchip could quite feasibly have some problem in its implementation which allows an exploit, and the more complex we make the communications and the more data they're expected to hand over, the more likely it is that there will be a potential problem.

It's certainly true that I'd be surprised if there were even enough space in a simple 'passive' RFID tag's response to contain seriously malicious code, and I wouldn't be surprised if it's a naively-written reader being exploited, undoubtedly it has a known bug which allows the exploit to happen but is probably fixed in the wild. But that's beside the point; the article describes an allegedly working exploit, so it's apparently quite plausible to do something. And if it's possible to do something, then I wouldn't like to discount being able to do something malicious.



The stupid part of the article is the whole 'human-borne computer virus', the implanting-under-skin part. One presumes that this was done as a publicity stunt rather than as a serious part of the research, because there's no real functional difference between a virus on an RFID chip in a little plastic bag and a virus on an RFID chip under someone's skin, but the serious part of the article - the reminder that every time we come up with a new mode of communication between a computer and other devices, we introduce another potential attack vector - isn't that stupid at all.

[LVUER]

If we are in the era where every human have some kind of cyber transplant/micro chip inside our body (like Ghost in the Shell or something), then this article will scare me. But right now, I don't feel anything at all.

[Wintermoon]

Yes, that's why there are so few security holes in computer systems.

OH WAIT.

Seriously, at the risk of sounding patronising, you have heard of buffer overruns, right? There have been exploits where seemingly-fine routines to load and display images have been exploited to be able to execute arbitrary code. There's no good reason to treat data as executable code when you're loading an image, but it happens.

In order for an RFID chip to infect a control system, you would need all of the following:

• Failure to validate incoming data.
• An actual exploitable bug in the program.
• A system complex enough to allow the bug to stay hidden.
• A programming language that fails to guarantee memory safety.
• No hardware/OS protection against writing to a code segment.
• Hardware that is capable of executing programs in RAM instead of restricting execution to ROM.

Failure on one level may be an acceptable trade-off. Failure on multiple levels is sheer stupidity. Failure on all levels is criminal negligence. Remember, we're talking about embedded systems, not full PCs. (Using a full PC to run the control system, possibly even running Microsoft Windows, is a whole 'nother level of stupidity.)

That said, I know only too well how often something like this happens in the real world. You are giving the people involved far too much credit if you consider them intelligent people who occasionally make an honest mistake.

[Der Tor]

[rioka]

^^^
lol

Anyways, I've heard about this and I'm personally leery about it. Even more so if they start involving nano-technology. <_<

[Spiky Caterpillar]

Yes, that's why there are so few security holes in computer systems.

OH WAIT.

Seriously, at the risk of sounding patronising, you have heard of buffer overruns, right? There have been exploits where seemingly-fine routines to load and display images have been exploited to be able to execute arbitrary code. There's no good reason to treat data as executable code when you're loading an image, but it happens.

In order for an RFID chip to infect a control system, you would need all of the following:

• Failure to validate incoming data.
• An actual exploitable bug in the program.
• A system complex enough to allow the bug to stay hidden.
• A programming language that fails to guarantee memory safety.
• No hardware/OS protection against writing to a code segment.
• Hardware that is capable of executing programs in RAM instead of restricting execution to ROM.

True for buffer overflows (With the possible exception of some cases which rely on pathological code - f'rinstance, if a 'memory-safe' language supports writing to a union member and then I read data out of a *different* union member) - but buffer overflows are not the only form of exploit, merely the best known.

But, in general, all you actually need is an actual exploitable bug (or combination of bugs), failure to validate incoming data (which is probably actually a subset of 'actual exploitable bug' - and if the programmer didn't notice that their function could be exploited, it's quite likely that they also don't know what to do to sanitize the data), writable storage capable of holding the control code, and for someone to have actually deployed the vulnerable system.

OS protection against writing to a code segment isn't going to protect you from an exploit that changes the DATA being fed to a system() or execv() call (or whatever the device's equivalent is). Safety from buffer overflows isn't going to make system(some_chunk_of_user_supplied_data) safe to run. Limitation to only execing stuff in ROM isn't going to make system('/romfs/bin/perl -') safe from malicious input.

[sayuri]

When I first saw this I assumed it was something like an artificial heart that caught a virus. But it was a scanner to access his phone? Umm, lazy much? Though it may be interesting to actually see people become cyborgs in a novel sense, I find that just morally wrong. If we were supposed to have machinery inside us, we'd be born with it .

[Wintermoon]

Yes, calls to system/exec and scripting languages provide their own attack vectors. Which is why you don't use system with user-supplied data, you don't use system at all if you can help it, and ideally you use OS-level protection that prevents your process from using system at all. And you run as a restricted user who doesn't have read/write/execute permissions to any part of the system that your process doesn't need to access.

[J. Datie]

If we were supposed to have machinery inside us, we'd be born with it .

I once saw a baby that born with no skin. Just because something happens naturally doesn't mean there can't be improvements.

[Wintermoon]

If we were supposed to have machinery inside us, we'd be born with it .

The same argument can be made against clothes.

[sayuri]

Well, certainly if there was some sort of birth defect/quality of life issue then I don't abhor technology that would help. I mean, I don't think people with amputated limbs shouldn't have prosthetics. I mean that a healthy person shouldn't implant technology for something so trivial as not having to input a password.

As for clothes... well... I can't really argue with that .