Slashdot Mirror
Hacking the RFID Network
An anonymous reader writes "The world's largest retailers are developing the EPC Network as the infrastructure for a global rollout of item-level RFID. In many ways this 'Internet of Things' resembles the ISBN system or CueCat's codes-to-content. But the network built for tracking consumer goods could also be used for intangible items: airline seats, music tracks or service calls."
http://news.com.com/Japan%20school%20kids%20to%20b e%20tagged%20with%20RFID%20chips/2100-1012_3-52667 00.html
i, for one, welcome our rfid tagged japanese overlords.
for a minute there, i lost myself...
actually that sounds like really poor design on someone's behalf - these things are supposed to become ubiquitous - wait 'till McDonalds starts using them for order tracking and the post office for mail tracking/sorting - they'll run out after a few years
.. Are Japanese school children anyway? (Japan school kids to be tagged with RFID chips) Just wait until a stalker hacks that RFID network!
One line blog. I hear that they're called Twitters now.
My first thoughts were exactly the same. What's to prevent you from building/buying/manufacturing + selling RFID denial-of-service devices? I can see Congress (or the FCC) quickly outlawing such devices, but how hard would it be to build one?
Not only could you drive any Walmart's system into the ground (allowing someone to get away with shoplifting), but you could sabotage someone else, sending them into a no-cameras room for a visit with store security. I confess to some degree of ignorance here, but are there any mechanisms in place in RFID systems to prevent such sabotage/DOS attacks?
One more point--what's to prevent ME from bugging the store and datamining everyone's shopping habits? I imagine an RFID detector would be simple to build, require little power, take little room, be easy to hide by the doors of a store, and would be able to intercept all radio traffic between the RFID tags and store equipment.(/me thinks for a second) Wow, that's kind of scary.
Help find a cure for cancer. Join the [H]orde
Indeed. Does anyone have links to any sources for info on 1: eliminate or deactivate RFID chips in clothing and other itesm other then the old method of microwave which seems to have an adverse reaction to Andrew Jackson's eyball iirc from an earlier /. on this or:
2: how to tweak, hack, redirect, reprogram, re-tune, reset an RFID so that instead of denoting on the bill of lading that this airline seat is Joe Blow on his way to see his mistress in Newark, rather it is 1000 crates of pampers being shipped to the Wally World in Tampa.
- Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
First the Mexicans, Next US!
... read more here: t ml
"Mexico's attorney general said on Monday he had had a microchip inserted under the skin of one of his arms"
http://www.wired.com/news/print/0,1294,64194,00.h
A friend of mine got into a situation a bit like this and was about to sue someone (she just couldn't figure out who) .... people kept cutting up her credit cards and bank cards, BART (magnetic train) tickets would also stop working etc etc when she explained this to me at the movies once my immediate question was "did she have any magnets in her purse?" ... she pulled out a handfull of refrigerator magnets she'd been carrying around for a while ... which was an end to the issue
If anybody wants to do something constructive, then help "hack" on the open source RFID C library on Savannah.
It's my understanding that a common practice these days is to have microships (which I assume to be RFID tags) injected under the skin of pets, so lost pets can be identified even if they're not wearing collars.
I think a good idea would be to make pet doors that can "learn" to unlock only when certain RFID tags are within 4 or five feet. You could set it for the pets you own, and other pets (and/or other critters) wouldn't be able to get in.
Also, if your pets didn't have the chips implanted, you could just get a chip on a collar.
Alaska Jack
I'll let the philosophers sort out whether the ability to track every object is a good or bad thing. However, I do know that if this system becomes too pervasive without security, this is going to be a big problem in a hurry.
I remember a commercial where a shifty guy walks through a store stuffing things in his jacket, and then walks out of the door to be stopped by security. The guard informs him that he forgot his receipt, hands it to him, and sends him on his way. I'm all for putting checkers out of work, but if such an environment existed, it would also be profitable to spoof the system.
As they are currenly used, I suppose the only profit would be to either disable the tags or somehow make the store think it has already been purchased. That brings me to the next issue. I assume most people have tried to walk out of a store with a purchased tagged item where the checker forgot to take off the tag. It is annoying and embarassing. Imagine if this could happen with every article of clothing that you own because the store database gets screwed up.
I don't practice what I preach because I'm not the kind of person that I'm preaching to.
What would be the easiest way to find and/or destroy an RFID tag? Put your new pullover in the microwave oven for 3 seconds?
Is there any way to destroy such a tag embedded in electronics? Would it be possible to make the tag a vital part of the electronics in such a way that its destruction would lead to immediate equipment failure?
Are the signals easy to spoof?
Geek rants since like... 2000 or something.
Maybe I'm just spoiled being a hardware engineer, but it seems to me that the people who are crying about these RFID tags and privacy are just plain ignorant.
I can tell you it will be trivially easy to build a jammer for them. Maybe a little harder to build an RF source with enough energy to burn out their cute little itty-bitty diodes. And until they get wise and start putting challenge/responce encryption in them, building a box to spoof them would be a weekend project for your average Radio Shack hobbyist.
Will someone please educate them about the technology so they can devote their time to something that really matters? (If they want something to bitch about, they can read my blog for ideas.)
I might just wait until they're manditory in license plates and walk parking lots blowing them all out, (but probably not being a grownup and all.) Perhaps I should have posted as AC just for suggesting it. (Damned Patriot Act bastards.)
I'm not sure about security on the password exchange, but with how little thought seems to have gone into the other "standards", I wouldn't be surprised if it was plaintext.
Hamster
And yet I've known at least 2 people who claim to have had MAC address collisions (without doing things like changing the MAC via ifconfig). So even a manufacturer-doled-out system isn't going to be foolproof.
What might make sense is to reserve a pool that expire every X number of years. Use that for perishables or disposables. Probably would need interim periods between expiration and re-activation.
BTW the cost of putting RFID on mail, at least in the forseeable future, is prohibitive. Not for UPS style packages, but for the standard first class letter the RFID tag manufacturing costs are more than twice the selling price of a stamp. Enough people today have stopped sending postal letters because of the regular increase in the price of stamps, tripling cost (which would be the cost of the stamp today plus the RFID) would hobble the post office.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
Why not? The idea with the ONS is that someone (VeriSign, per the contract that EPCglobal let) will run a fairly small (and replicated by others) root service to say, "If you want to know about EPC=XXXXXX..., you need to look over there," and give a pointer to PepsiCo. At PepsiCo (or some agent of PepsiCo's choosing, say IBM, or GXS, or whomever), there'll be services to further parse the request, and direct it to an appropriate target. PepsiCo could choose to construct a single huge database with entries for every tag (associated with every product) it creates, though it need not... that might be broken up among various bottling units, etc... we need to think of "EPC space" as a vast, federated landcape of services.
The elegance of the EPC is that it parses into parts: a part will say, "This EPC was assigned by PepsiCo," a part will say, "It corresponds to this PepsiCo product," and a (fairly large) part will say, "For this PepsiCo product, this particular EPC represents this specific unit."