RFID More Hackable Than Retailers Think?
Iphtashu Fitz writes "Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH, is warning retailers that the RFID technology that they are quickly adopting can easily be hacked with the appropriate tools. Grunwald has written a program called RFDump which lets you read and display all metadata within an RFID tag and also modify the user data using a text or hex editor. He wrote this program to demonstrate how consumers can protect themselves by wiping out RFID data after purchasing a product, but he acknowledges that it would be trivial to abuse this behavior. What, you might ask, can you do if you hack an RFID tag? Well, as the technology is adopted more widely, a thief could conceivably mark down the price of an expensive piece of jewelry before paying for it at an automated checkout counter, underage hackers could purchase alcohol or adult movies, and pranksters could simply reprogram the inventory of an entire store by just walking up and down the aisles. 'The people who will be using this (shopkeepers) don't know much about technology,' Grunwald warned."
Can anyone point out a new technology that was 'safe' when it was first deployed? It seems that every new technology has some security defect, or some other flaw. This reminds me of DirectTV smart cards.
-Daniel
KD5UZZ
www.w5yj.org
and pranksters could simply reprogram the inventory of an entire store by just walking up and down the aisles
What quicker way to make life insanely difficult for a retailer who forces the use of these things upon customers.
How much would it cost to re-manualise their systems if they keep on just losing track of the info in their RFID tags? How many would even bother after the 2nd time?
Looks good
I don't think anyone could mark down stuff, because the price is not stored in the RFID itself. It's a separate database that matches with the product code. But yeah, the thief might be able to change the product code to another cheap product and thereby achieve the same thing.
just my 0.02
Doesn't everything go like this? I'm sure they will find a solution to the problem... then a new hack will come out... then a solution will come out...
When barcodes were introduced, retailers feared barcode swappers, because barcodes were not printed on partitioned labels, like those small price labels used to be (if you can remember when all items were (manually) priced, you are getting old). It turned out not to be too big a problem (now most barcodes are printed).
However, when you can automate something, that is a different story. With tag swapping, you can play the percentage game; usually the number of individual swappers is small. With automated swapping (esp. wireless), one individual can swap everything. That is a true risk.
However, like the step from label to printed-on bar code, there is only a small window of opportunity.
In the near future, we will see read-only tags, embedded during the production phase.
-- (:> jms cs.vu.nl (_) --"---
This sorry instance is yet another example of how "technology" can be used by the forces of power to clamp down on the rights of the individual. To wit: RFID tags are used by merchants to infringe on the rights of individuals: tracking the movements of customers, keeping track of their purchasing history, and so forth.
I for one am fed up with this sort of piecemeal erosion of our most sacred freedoms. What I strongly feel is needed is a "technological bill of rights" to curb this sort of abuse.
Strange as it may sound, I do not think that amending the constitution is too absurd a step to take. I think a simply worded amendment similar to the first or second amendments would be the way to go. Something like: "Congress shall make no law using technology to infringe on basic liberty of citizens." Something like that.
Of course, amending the constitution would not stop private merchants from abusing technology such as RFID tags, but at least it would put a damper on the federal government's actions, as well as send a strong signal as to where we stand, similar to how that amendment that abolished slavery helped pave the way for civil rights. This page has some helpful information as well.
One thing I have always seen as a potential problem is a store's competitors using RFID scanners to take inventory and/or monitor what their competitor's customers are walking out of the store with.
Any data you can get on your competitors is certainly better than none at all.
I have an idea that I've been thinking about for a while.
Some of us choose what to buy on the basis of how well-behaved the producing company is. Nothing new here. Some "bad" companies and their products are easy to identify: I try to not buy anything from Nestle (breastmilk substitute in Africa), McDonalds (cutting down rainforests), and so on. As you can see from my reasons, they are probably a bit outdated, as it can be hard to get good consumer information through the media noise.
Ok, here's the thing: most products these days have an EAN/UCC code. The number in that code includes an identifier for the selling company. What if the Internet community would create a database of companies and start setting grades on them with regards to product quality, environmental concern, workforce treatment, and so on?
"But it would be too much of a hassle to query the database each time one buys cereals," you say. Sure, but consider two things:
How does RFID fit into this? Well, imagine a clock that vibrates when you are about to touch some ethically questionable item! :-D
RFIDs have been creating a lot of interest in the industry, as it gives them better control over where items are, who buys them, if they return, etc. Now, if consumers could easily boycott a company due to bad quality or unethical behavior, the whole idea could backfire on them!
Concerning expensive RFID tag applications like public transport prepaid accounts, this could be a problem. More expensive crypto tags solve that problem.
Concerning stores, this is stupid. Retailers don't need expensive reprogrammable tags and don't use them. Cheap tags are just a unique ID number which can't be changed. Any decent retailer saves money on tags and increases security by using cheap tags (no data storage, just a fixed number) and keeping their price and product data in a database keyed to these ID numbers. So talk of walking through Wal-mart and saving money or causing chaos is fantasy.
Conclusion: it is only the medium price (storage but no crypto) tags which are and always have been a risk. The only contribution of this program is raising wider awareness and thus breaking illusory security through obscurity.
It's not that easy. You could still copy the info from one tag to another. Even if all tags contain info encoded with different seeds: When the duplicate "message" arrives at the reader, thereby revealing the breach, the item with the fraudulent tag will long be gone.
The way to fix this is to make the tag only accept new data (or erase commands) when it's signed with the same key as existing data. But crypto hardware is more expensive and power hungry than simple storage, so it may not even be technically feasible to do this right now. When it is feasible, privacy is gone, because the tag could just as well keep hidden copies and only reveal them when queried with another private key.
Who would be silly enough to purchase programmable RFID tags?
In any secure application you don't keep the important info on the portable device! You put it in a secure database where all the security risks are known. The RFID tags should have a non-programmable, non-erasable fixed unique code.
The scaremongering that this thread typifies is both stupid and done to death.
This is total, fear installing crapiola.
As I understand it, RFIDs contain a unique number which is not overwritable.
The tags just identify the product. Backend databases hold the configurable information.
At its core, it replaces a barcode. And to my knowledge barcodes are not hackable.
Why on earth would a retail store want to decentralise their information by storing data on RFIDs?!
For tagging postal packages, that's a different matter. I imagine a courier would write to RFIDs. Sure it's hackable, but only couriers have physical access to it.
Legislation.
We'll just release poorly thought out technology that promises things older techs can't deliver, but make sure not to put in the press releases that mayhem can ensue from its use. Then when someone discovers this, we'll just see to it that it's illegal to own equipment capable of performing these operations (despite their otherwise legitimate uses), and so we have protected our customers by giving them a false sense of security while sacrificing another tiny bit of essential liberty.
Slay a dragon... over lunch!
The tags do not generally contain data and for the most part are read only in the new systems. The tag only contains an identifier which is used to access the info just like a barcode. Changing the number to another at the checkout would still display the id of the product. You have a watch at the checkout and the till shows a tin of beans.... These systems are not that easy to hack in reality, at least no more so than barcodes. Most people do not change the price tags either out of honesty or fear of being caught. I doubt very much that jewelry stores will ever have self checkout lanes.
"If the King's English was good enough for Jesus, it's good enough for me!" -- "Ma" Ferguson, Governor of Texas (circa
First of all, there are no widely adopted international standards for RFID but there is work on ISO 18000, so it all depends on whether your reader/forger supports a given tag's vendor protocol.
The next problem is that RFID systems can operate at different frequencies; the most common ones are 125 kHz - 148 kHz, high at 13.56 MHz, UHF 850-915 MHz and even at 2.45 GHz in the ISM band.
The tags that will be used in retail at automated checkout counters all have a scheme for preventing tag-collision that occurs when tags respond simultaneously to the reader. In order to hide a $800 digital cam-corder the following would have to happen:
You bring the forger into the store and operate it where it is not in view of the many security cameras staring at you
You research the store for a low price article that matches within tolerance what the cam-corder weighs. What that tolerance is will be open to your own research. Setting the forger to lowest sensitivity / lowest transmit power you read the RFID data of the low-price article. Make double sure the data you read is from the low-price article and not from one of the thousands of tags surrounding you.
The low-price article may have individual identifying RFID data that must NOT be scanned at the checkout counter, not even after you and maybe your helper have left the store (Remember the security cameras, they could potentially match up your face at the automatic checkout with the article!). Also, again if the RFID data uniquely identifies the article another customer could take it to the automatic checkout and the system could mark the article as already sold in its database meaning you can't purchase it in lieu of the cam-corder. You must disable / destroy the low-price article's RFID tag either physically or with the forger.
You set the forger to the lowest sensitivity / lowest transmit power to read out the RFID data of the cam-corder. Make sure you get the right RFID data because you will be surrounded by tons of RFID tags. (BTW, it may be safer to read out the RFID data of the cam-corder you want one day and maybe have someone else get it the next day, but if you do that then make sure you mark the box some way so that you or your helper takes the right cam-corder to the checkout. This may be because each cam-corder may have unique RFID data).
You take the cam-corder to the checkout and flip the forger into forge-mode. The forger monitors the radio communication at the reader, forcing the transmission of the low-price article's RFID data, utilizing the vendor's tag-collision protocol to quiet the cam-corder's tag. After transmitting the low-price article's RFID data the forger jams the reader, making the automatic checkout believe this is the only article being presented for purchase.
Complete the purchase with cash or with credit/debit cards not linked to you.
Whatever extra space may be available in the RFID metadata, the store checksums the verified contents and encrypts that with their private key. Simple.
I would expect that instead of actually fixing the technology (if possible) adopters and promoters of RFID will start a massive campaign of lobbying for harsh federal laws that make it illegal to possess, create or look at any device that could possibly be used in "hacking" RFIDs. These would include (but are not limited to):
RF detectors
Calculators
pencils
human brain
words
-I'm not the troll you're looking for.
At least RFID can handle some types of encryption. An encryption key can be kept in the reader, and since it doesn't have to be broadcast this isn't necessarily a huge problem. And since RFIDs can be managed automatically, if someone really was worried the whole system could check and rewrite each item's data once a day or something to make use of a new encryption key.
Some people have already looked in to this, although of course retailers don't pay attention anyway.
I'm sure they all love their jobs and take them seriously.
Time to take the tinfoil hat off. The reason why merchants are slavering over RFID is not because they are stroking their evil beards while thinking up ways to trick you into the matrix vats. The biggest reason why RFID is exciting is because it means they can inventory a shelf just by having a guy sweep a scanner across it in a matter of seconds. Hell, they could inventory an entire warehouse in a matter of seconds. They are excited because you can go to the checkout line, swipe your credit card and grab your receipt on the way out without ever having to glance at a human.
Now, could RFID be used to track your movements? Potentially, but so could a camera with facial recognition. RFID chips could simply be implanted with the ability to deactivate once the transaction is complete.
Even taking the worst case scenario, all the evil corporations collaborate to track what you buy and where you go, what do you think they are going to do with that data, send in a corporate death squad to off you? At worst, they are going to take all that data, shove it into a computer, decide what it is you seem to be inclined to buy, and try and sell you stuff some computer algorithm thinks you are likely to want. Annoying if it results in more spam in your mail box? Sure. The end of liberty? Hardly.
Honestly, corporations worry me the least. When I deal with a corporation, it is generally a voluntary transaction. Abercrombie can't put a gun to my head and force me to pay double the price to buy a shirt with their ugly corporate logo smeared across it. If I am dumb enough to buy it, well, I was dumb enough to buy it. If anything gives me pause, it is the government. If I tell the government I don't feel like paying for social security this year because I would rather invest that money myself, they CAN point a gun to my head and tell me that I am mistaken and I in fact DO want to buy social security this year.
If you remap every item in the store, everything everyone buys on that day will be wrong. Narrowing it down to the Black Hat who did it is hard.
If you swap ID's between components, the inventory (which they also take with RFID's, of course) comes out right, and the problem shows up when a pack of gum has the RFID of a $50 item...
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
What is cool about the RFID stuff is that I bet with the right antenna, you could do the reprogramming from the parking lot, and do a whole shelf full (store full?) at once. Suddenly, everything in the store is a 50 cent pack of Wrigley's...
...... it's the gestalt of all the little specifics that add up to a general wrongness. RFID tracks the part, the widget, then you use a store card or cc or cash to buy it. They have cameras as well that go into the mix. Add in location of where you are at with a cellphone, yada yada yada; it isn't any ONE of those things that is wrong, it's their ability to eventually tie them all in together that's wrong. I don't want a totally surveilled/controlled/command and controlled society, which is exactly where this RFID stuff (and everything else) is heading, and make NO mistake, at some time the government is going to insist by law that you have a complex RFID implanted.
Totalitarian regimes don't spring up overnight; they take some time and come at you from many diverse areas, and RFID is definitely one of the areas they are going to use. Here is my original thought again:
I am a human, a sovereign man, distinct, unique; I am more important than business and government or their convenience. I am NOT their inventory.
The more they can tie "inventory" and "tracking" and "this is now part of the database" to *everything* you do, the closer we come to US human folks as individual sovereign humans being their "inventory".
It's a really large general concept that is made up of all the other smaller bits of data; RFID tracking is just one of them. It is not "the" only part, but I would say it's a pretty important part.
Want to know when it changed in society, when this mindshare paradigm shifted to "humans are the inventory, too"? Exactly when we stopped being called "personnel" and got turned into "human resources".
Why not just have one of the RFID data fields be a digitally signed MD5 checksum on the entire record? In-store scanners could verify the encrypted checksum then hackers would need the store's private encryption key to modify the checksum field.
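The signed-record idea raised just above (and the earlier "checksum and encrypt with the store's private key" comment), together with the objection that a copied tag still verifies, worked through as an added example that is not code from the thread or from RFDump. It uses an Ed25519 signature in place of the MD5-plus-encryption the comment describes; the tag layout, serials, product codes and checkout logic are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// TagRecord models the user-data area of a writable tag (constructed layout):
// a per-item serial, a product code, and the store's signature over both.
type TagRecord struct {
	Serial  uint64
	Product uint32
	Sig     []byte
}

// recordBytes is the canonical byte layout that is signed and later verified.
func recordBytes(serial uint64, product uint32) []byte {
	b := make([]byte, 12)
	binary.BigEndian.PutUint64(b[:8], serial)
	binary.BigEndian.PutUint32(b[8:], product)
	return b
}

// SignRecord is what the store does once, when the tag is written.
func SignRecord(priv ed25519.PrivateKey, serial uint64, product uint32) TagRecord {
	return TagRecord{Serial: serial, Product: product, Sig: ed25519.Sign(priv, recordBytes(serial, product))}
}

// Checkout models the backend reader: it holds only the public key and the
// set of serials already sold, so the private key never leaves the store.
type Checkout struct {
	pub  ed25519.PublicKey
	sold map[uint64]bool
}

// Scan checks the signature first (catches any field edited in a hex editor),
// then refuses a serial that was already sold. That second check is the only
// point at which a byte-for-byte cloned tag, whose signature is valid, shows up.
func (c *Checkout) Scan(r TagRecord) string {
	if !ed25519.Verify(c.pub, recordBytes(r.Serial, r.Product), r.Sig) {
		return "rejected: signature does not match record"
	}
	if c.sold[r.Serial] {
		return "rejected: serial already sold (duplicate tag)"
	}
	c.sold[r.Serial] = true
	return "accepted"
}

// RunScenario plays the cases discussed in the thread and returns the verdicts.
func RunScenario() []string {
	seed := make([]byte, ed25519.SeedSize) // constructed, deterministic demo seed
	for i := range seed {
		seed[i] = byte(i)
	}
	priv := ed25519.NewKeyFromSeed(seed)
	till := &Checkout{pub: priv.Public().(ed25519.PublicKey), sold: map[uint64]bool{}}
	camcorder := SignRecord(priv, 1001, 80000) // serials/prices are made up
	gum := SignRecord(priv, 2002, 50)
	edited := camcorder    // product field rewritten, old signature kept
	edited.Product = gum.Product
	cloned := gum // gum's entire record copied onto the camcorder's tag
	return []string{till.Scan(edited), till.Scan(camcorder), till.Scan(cloned), till.Scan(gum)}
}

func main() {
	for i, v := range RunScenario() {
		fmt.Printf("scan %d: %s\n", i+1, v)
	}
}
```

The cloned record is accepted on first sight and only the genuine pack of gum, scanned later, trips the duplicate-serial check, which is exactly the "detected after the item is gone" timing the thread points out.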
Seems the discussion here has been mainly about ripping off the retailer. I think the idea of erasing them after purchase for privacy reasons is far more important.
However, another way to look at it is as a cheap way to get tags to use at home. I've got large collections of CDs, videos, and books in my house, and it's always a real pain in the ass trying to find something I haven't used in a couple years. If I'm getting all these RFID tags for free in the products I buy anyway, and I'm able to erase and rewrite them easily, then perhaps I can remove them from the products and redeploy them into my books, CDs, etc, and then use an RFID reader to more easily find things.
Sure, it would be a long-term project to get everything tagged and inventoried, but so what? I'd be able to easily find things I'd already tagged, and if I have to search for something that wasn't tagged, it would be easy enough to tag it once I find it.
There is no reason to put an RFID into the cans going into drink machines. They serve no purpose that isn't already covered by tried and true technology.
They can serve some new purposes, allowing future drink machines to be designed differently.
RFID-enabled machines can have smaller granularity of product choices. Suppose machines hold 320 drinks. If it's split into 8 columns, you can only put 8 different things in there, limiting marketing opportunities. (Can't have 5 kinds of expensive, rarely purchased fruit drink in addition to the 4 columns of high-volume cola that sells out in a day)
If it's assured that all cans will carry RFID, then the machine no longer must be built with separate columns for separate drinks. Dozens of different choices can all sit in one big holding area, which the machine searches through to match any customer choice. This increases the ability to load it with a maximally-profitable selection.
Great. Now a legal, useful, and important use of technology
He wrote this program to demonstrate how consumers can protect themselves by wiping out RFID data after purchasing a product
is likely to be outlawed because of fear of abuses. Not unlike P2P. I predict much FUD coming about this technology from the RFID peddlers, as well as cries for Congress/FTC/FCC to "do something about it!"
Global warming is neither science, nor politics. It is a religion.