RFID More Hackable Than Retailers Think?

Iphtashu Fitz writes "Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH, is warning retailers that the RFID technology that they are quickly adopting can easily be hacked with the appropriate tools. Grunwald has written a program called RFDump which lets you read and display all metadata within an RFID tag and also modify the user data using a text or hex editor. He wrote this program to demonstrate how consumers can protect themselves by wiping out RFID data after purchasing a product, but he acknowledges that it would be trivial to abuse this behavior. What, you might ask, can you do if you hack an RFID tag? Well, as the technology is adopted more widely a thief could conceivably mark down the price of an expensive piece of jewelry before paying for it at an automated checkout counter, underage hackers could purchase alcohol or adult movies, and pranksters could simply reprogram the inventory of an entire store by just walking up and down the aisles. 'The people who will be using this (shopkeepers) don't know much about technology,' Grunwald warned."


  1. possible without RFID also by selderrr · · Score: 2, Informative

    I have seen pranksters swap price tags on items many times before (no special equipment needed). The only more or less robust system seems to be barcodes...

  2. Re:W-O-R-M by will_die · · Score: 4, Informative

    They don't do the price, they do a product code. The product code is read in at the checkout counter and compared to the database to get the price. Same with barcodes currently being used.
    In addition each RFID has a unique number, which cannot be changed. If the store wanted to they could record those individual numbers instead of the product code and that would solve the problem. However that would be a major problem, since instead of having a single product code for 1000 items you now have to store those 1000 items in the database.

  3. Not everyone can really write to tags by happynut · · Score: 5, Informative
    This case was already covered in the older RFID specs that used to appear at www.autoidcenter.org (they have since become viewable to members only when they handed standards off to www.epcglobalinc.org several months ago).

    In order to write data to the tag you needed to know a 64-bit number that was programmed into the tag. The standard didn't say how you set that number; that was policy reserved to the tag programmer. But in order to have a write command accepted, you needed to match the previously programmed number.

    So if commercially deployed tags really are generally writeable it is more of an administration problem (like leaving telnet enabled on public facing servers) than a failure to consider the problem at all.

  4. Why these people are fucked. by syberanarchy · · Score: 5, Informative
    Let's be honest, the biggest advocate of this stuff (walmart) isn't exactly the employer of rocket scientists. I have called them before at midnight, asking if they had Socom and the PS2 Net Adapter (when that was the "new thing.")

    "Oh, yeah, we have it."

    I get there, and it turned out they didn't have it. They had an AC Adapter.

    A clerk who cannot tell the difference between something that lets you go on the internet and something that plugs into the electric socket will be easily fooled by the RFID swap. Even if someone DOES check your bag, do you think "Joe Walmart" is really going to be acute enough in his observation to recognize that you've got the high end ATI card, and not the 9600? Doubtful.

    It'll be great to watch Wal-Mart reap the fruit of the seed they've sown - lost merchandise, lost profits, etc. And it's quite fitting that this really has nothing to do with RFID, but their unwillingness to go the extra mile to spend a few more bucks to get employees who know what they are doing.

  5. Re:Japanese already using RFID in cellphones by line.at.infinity · · Score: 4, Informative

    FeliCa chips are already in Suica cards which have been used for paying train fares for a while now. RFID is also already used in the US - EZPass for automatically paying highway tolls in the New England area, I-Pass for Illinois, and I'm sure other states have similar technologies that are the same. Unlike disposable RFIDs on grocery items, FeliCa chips are more expensive, so they can use more secure technology such as encryption.

    There's no sane reason why RFID should have a feature added that would allow wireless re-writes. It costs more and it only adds a security issue. RFDump doesn't overwrite data stored in any RFID. It's just a spreadsheet program, and of course it can modify the data in the spreadsheet cells, but it's not changing the data stored in the original source! Note that on RFDump's webpage itself, they claim that it only works with RFID READERS - that is, it can't MODIFY the source RFID data. RFDump can import RFID data to a computer, and change the RFID data within the computer's memory - no RFID chip modified! RFDump can't do that. But apparently it's good enough for creating a hyped up CNet article. I think CNet is only covering RFID obsessively because it's a buzzword and it can bring in a lot of eyeballs to their website - that's why they like to write so many super-exaggerated RFID articles.

  6. Re:No Tech is safe by Lumpy · · Score: 5, Informative

    It's simple. Instead of using the expensive reprogrammable RFID tags you use the cheaper PROM RFID tags.

    You set them once and they stay that way forever.

    The story is nothing but high brow FUD.

    Not all RFID tags are the rewriteable type. Most are the single write read many variety. And nothing is to stop a manufacturer like Coke from ordering their RFID tags preprogrammed. Not every can of Coke needs a different tag (just like how they don't have different barcodes on them).

    --
    Do not look at laser with remaining good eye.
  7. Re:Barcodes are unsafe too. by Lumpy · · Score: 3, Informative

    (If you can remember when all items were (manually) priced, you are getting old.)

    Here in Michigan it's a LAW that all items must be priced. So I see price stickers on every item in the store every single day I go to one... they are manually priced by some 15 year old kid that hates his job.

    --
    Do not look at laser with remaining good eye.
  8. Some SCO's, maybe. by ONU+CS+Geek · · Score: 4, Informative

    From what the submitter had mentioned, he thought it would be possible to reprogram RFID tags to use to cheat a SCO...I'm not really sure about how the RFID stuff works, so I can't really say much about that, however, I do know a bit about the SCO's.

    Some SCO's (namely those by ACM/IBM) have a secondary server that handles the interactions with the cash register controllers (sometimes called the BOSS server). They have a 'security profile' that lets a SCO learn pieces of information about an item (dimensions, weight, that kinda thing) and if the item doesn't match a security profile, it'll kick it back, until a cashier scans their card to get it to learn the item.

    Other SCO's use a weight-based system. I'm not totally sure if the scales weigh all items and go from item to item specifically, or from item to item just to see if the item's been placed in the 'bagging' area (if not a pass around item).

    A properly set-up SCO won't allow things like this anyway. Really, nothing more than barcode switching.

    --

    I disable sigs...do you?
  9. Your logic is flawed. by cnelzie · · Score: 2, Informative

    The insides of soda machines are all segregated columns filled with the various sugar drinks. Each column contains a separate type of drink, although a few columns could contain the same drink; that's just a matter of local preferences.

    Since each column is limited to one type of drink the machine can easily test how many of each brand are left and notify 'home' that they are running low. Which won't necessarily mean it will be filled quicker, it just means they know exactly what to bring to the machine. Distributors don't often change their routes since it allows them to send drivers out less often, servicing more machines without having to go back and forth all that often.

    There is no reason to put an RFID into the cans going into drink machines. They serve no purpose that isn't already covered by tried and true technology.

    --
    If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
  10. Re:Burn that baby by grolaw · · Score: 2, Informative

    13.56MHz is the top edge of a radioastronomy allocation (13.41-13.56); it is "Long Wave" and well below: the 27MHz CB band, the 54-72 MHz broadcast TV channels 2-4, the 76-88 MHz broadcast TV channels 5-6, the 88-108 MHz FM broadcast band, the 174-216 MHz broadcast TV channels 7-13 . . .

    If you plan to generate enough RF at that frequency to "burn that baby", the power supply you tow behind you will give you away - moreover, any significant RF power in that range calls for -gasp- TUBES - say a pair of 6LQ6 in push-pull - but that is still way below their normal operating range ~18-30 MHz.

    Also, the core flaw in this scheme (at any frequency) is that pesky (and easily detected) RFI you generate while walking around the store.

    Operation of an unregulated transmitter, for a frequency you don't have a license to operate at, is a federal crime (think FCC and pirate radio stations); also consider how your plan might affect legit radio/ranging (crashing aircraft on approach is discouraged) or, assuming that you actually find a way to beam microwaves (requires a waveguide), you might just cook bio-matter (the baby's corneas in the next aisle or your fingers).

    Once any sophisticated reprogrammer is available, you can be certain you will be treated EXACTLY the same way as people who print their own money: counterfeiters go to jail for a long time.

  11. Re:Where is an RFID placed? by Takashi · · Score: 2, Informative

    These things are teeny tiny and could easily be placed in the stitching of a T-shirt where you couldn't find it. The smallest ones I know of are as small as a grain of rice.

  12. Re:No Tech is safe by Mysticalfruit · · Score: 2, Informative

    Here in Massachusetts, I've seen self checkouts in the following locations:

    BJ's Wholesale
    Home Despot
    Shaw's or Stop & Shop (Grocery)

    All of these have their pros and cons.

    Of all the ones I've used, I like the BJ's ones the best. The only con I've seen with them is that intervention is needed for really heavy and really light items.

    The Home Despot ones are fine, provided you are buying small items. Attempting to self checkout 60lb bags of quickcrete or a dozen 2x4's would probably cause you problems.

    I've found the Shaw's ones to be utterly infuriating at times. I think this may be because I'm an atypical American who actually eats lots of fruits and vegetables. Anything with a bar code goes through fine; the problem is when you put a bunch of grapes up on the scale and then have to either enter the code that's on the grapes or go through a list of produce and choose it. Needless to say, I go out of my way to find produce that has codes on them... Trying to sort through a list of produce and choose the right one sucks. Especially if you're like me and you really don't pay too much attention to the actual name of the produce; I just look at a cart of apples, look at the price, and if I like the price and they look good I'll pick a couple up. Then I get to the checkout and I'm presented with a dozen different varieties of apples to choose from. I do think that maybe my bitching has paid off a bit in that now they at least show a picture of what you've chosen. Still though, if a store is carrying 4 varieties of green apples it isn't going to help much.

    --
    Yes Francis, the world has gone crazy.
  13. RFID reader wristwatch by gCGBD · · Score: 2, Informative
    RFID reading wristwatches came out recently.

    I've been pondering the security implications of this stuff lately.

    Most of the places I've worked over the past few years use RFID based access controls.

    If I scanned someone's security badge with my wrist watch, then went home and programmed another RFID to match it, I would get access to controlled areas...

    --

    O=='=++
  14. More fun for us... by enginuitor · · Score: 2, Informative

    Anyone who frequents Laser Quest (a laser tag arena) knows that they use Maxim/Dallas Semiconductor iButton devices to activate the "blaster" with your callsign and to keep track of statistics. The problem with this is that anybody with a knowledge of microcontrollers and some basic hardware skills (such as, ahem... moi) can rig up a simple unit to read and write to them (using a serial protocol called 1-Wire). While this might not seem particularly relevant to the topic, it demonstrates the same concept, which is that if you make widespread use of a low-cost technology that nerds have free access to, it's only a matter of time until one of them starts to get curious. And then you're screwed. ;)

  15. Re:Privacy-wise, how is RFID different from barcod by a24061 · · Score: 2, Informative

    Barcodes are scanned only where and when you buy something. But RFIDs can be read without your knowledge by anyone with a suitable scanner.