RFID More Hackable Than Retailers Think?

Iphtashu Fitz writes "Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH, is warning retailers that the RFID technology that they are quickly adopting can easily be hacked with the appropriate tools. Grunwald has written a program called RFDump which lets you read and display all metadata within an RFID tag and also modify the user data using a text or hex editor. He wrote this program to demonstrate how consumers can protect themselves by wiping out RFID data after purchasing a product but he acknowledges that it would be trivial to abuse this behavior. What, you might ask, can you do if you hack an RFID tag? Well as the technology is adopted more widely a thief could conceivably mark down the price of an expensive piece of jewelry before paying for it at an automated checkout counter, underage hackers could purchase alcohol or adult movies, and pranksters could simply reprogram the inventory of an entire store by just walking up and down the isles. 'The people who will be using this (shopkeepers) don't know much about technology,' Grunwald warned."

No Tech is safe

[KD5UZZ]

Can anyone point out a new technology that was 'safe' when it was first deployed? It seems that every new technology has some security defect, or some other flaw. This reminds me of DirectTV smart cards.

Re:No Tech is safe

[Muad'Dave]

...not every can of coke needs a different tag.

It depends on what you're trying to accomplish. If you're attempting to take inventory by using RFID tags, having a product ID and serial number in the tag is a good thing. You can wave the reader around a shelf and know how many cans of Coke you have in six packs, 12 packs, 20 oz, etc (each different form factor would have a unique product ID).

Similarly, a drink machine could contain a reader coil around the inside of the refrigerated box that could poll the contents of the machine and set prices accordingly (today I have 20oz Coke bottles - they're $1. The Red Bulls are $2, etc). The machine could also 'call home' when a particular item runs low. There are lots of reasons to have unique IDs on otherwise identical products.

Re:No Tech is safe

[dnoyeb]

Yes rubbish.

Its a TAG which contains METAdata, not data.

It does not contain item prices or consumer behavior. Its an ID for crying out loud. the actual ID number is fixed and not changeable. Plus most have a crypto mode, which can be locked on permanantly. Once locked, the data can still be changed, but you need the special key and whatnot, which means you need to break the encryption. Its not trivial.

The space on the tag is used for identification purposes ONLY. The tracking is done by a database elsewhere.

We be tagging whales and wild animals for years, but you dont put the info in the tag, you put it in a database, duh.

Reprogramming

[Amiga+Lover]

and pranksters could simply reprogram the inventory of an entire store by just walking up and down the isles

What quicker way to make life insanely difficult for a retailer who forces the use of these things upon customers.

How much would it cost to re-manualise their systems if they keep on just losing track of the info in their RFID tags. Hw many would even bother after the 2nd time.

Looks good

Its easy

[kunjan1029]

i dont think anyone could mark down stuff. because the price is not stored in the RFID itself. its a seperate database that matches with the product code. but yeah the thief might be able to change the product code to another cheap product. and thereby acheive the same thing

just my 0.02

Re:Its easy

[rokzy]

no, that is NOT the same thing.

if the description doesn't fit the checkout assistant won't allow the sale.

if you use an automated checkout, then why bother even changing it? you won't have the correct item on your receipt so no proof of purchase if stopped by security.

all it would allow is you to claim someone else did it if you get caught. but if you have the RFID writer on you that won't work. you'll have to get rid of it but with security cameras everywhere that won't necessarily work.

Re:Its easy

[Asic+Eng]

all it would allow is you to claim someone else did it if you get caught. but if you have the RFID writer on you that won't work.

So you have an accomplice do the remarking, he walks out after purchasing a chocolate bar, then it's your turn with the expensive stuff. Or you just go into the store twice, once with the RFID writer, and once to collect the stuff.

Barcodes are unsafe too.

[JanMark]

When barcodes were introduced, retailers feared barcode swappers, because barcodes were not printed on partitioned labels, like those small price labels used to be (If you can remeber when all items were (manually) priced, you are getting old.) It turned out not to be to big a problem (now most barcodes are printed).

However, when you can automate something, that is an differend story. With tag swapping, you can play the percentage game, usually the number of individual swappers is small. With automated swapping (esp. wireless), one individual can swap everything. That is a true risk.

However like the step from label to printon bar code. There is only a small window of opportunity.
In the near future, we will see read-only tags, embedded during the production fase.

Competitors

[detritus.]

One thing I have always seen as a potential problem is a store's competitors using RFID scanners to take inventory and/or monitor what their competitor's customers are walking out of the store with.
Any data you can get on your competitors is certainly better than none at all.

Using EAN and RFID to shop ethically

[zyche]

I have an idea that I've been thinking about for a while.

Some of us choose what to buy on the basis on how well-behaved the producing company is. Nothing new here. Some "bad" companies and their products are easy to indentify: I try to not buy anything from Nestle (breastmilk substitute in Africa), McDonalds (cutting down rainforests), and so on. As you can see from my reasons, they are probably a bit outdated as it can be hard to get good consumer information through the media noise.

Ok, heres the thing: most products these days have an EAN/UCC code. The number in that code includes an identifier for the selling company. What if the Internet community would create a database of companies and start setting grades on them with regards to product quality, environment concern, workforce treatment, and so on?

"But it would be too much of a hassle to query the database each time one buy cerials" you say. Sure, but consider two things:

• Most mobilephones today (and certainly more in the future) have a builtin camera. Use that to photograph the EAN code, run a picture recognition program (in the phone ofcourse) and either compare to a snapshot database in the phone or check the online database directly!
• You will quickly learn to avoid certain brands, and also educate people in your surrondings (friends, relative, etc).

How do RFID fit into this? Well, imagine a clock that vibrates when you are about to touch some ethically questionable item! :-D

RFIDs have been creating a lot of interest in the industry as it gives them better control over where items are, who buys them, if they return, etc. Now, if consumers could easily boycott a company due to bad quality or unethically behavior, the whole idea could backfire on them!

Non-issue for store tags

[paulikoira]

Concerning expensive RFID tag applications like public tranport prepaid accounts, this could be a problem. More expensive crypto tags solve that problem.

Concerning stores, this is stupid. Retailers don't need expensive reprogrammable tags and don't use them. Cheap tags are just a unique ID number which can't be changed. Any decent retailer saves money on tags and increases security by using cheap tags (no data storage, just a fixed number) and keeping their price and product data in a database keyed to these ID numbers. So talk of walking through Wal-mart and saving money or causing chaos is fantasy.

Conclusion: it is only the medium price (storage but no crypto) tags which are and always have been a risk. The only contribution of this program is raising wider awareness and thus breaking illusory security through obscurity.

The solution:

[nahdude812]

Legislation.

We'll just release poorly thought out technology that promises things older tech's can't deliver, but make sure not to put in the press releases that mayhem can ensue from its use. Then when someone discovers this, we'll just see to it that it's illegal to own equipment capable of performing these operations (despite their otherwise legitimate uses), and so we have protected our customers by giving them a false sense of security while sacrificing another tiny bit of essential liberty.

RFID Tags

[butlerdi]

The tags do not generally contain data and for the most part are read only in the new systems. The tag only contains an identifier which is used to access the info just like a barcode. Changing the number to another at the checkout would still display the id of the product. You have a watch at the checkout and the till shows a tin of beans.... These systems are not that easy to hack in reality, at least no more so than barcodes. Most people do not change the price tags either out of honesty or fear of being caught. I doubt very much that jewelry stores will ever have self checkout lanes.

Re:W-O-R-M

[gd23ka]

This question deserves both: to be modded up and an answer.

First of all, there are no widely adopted international standards for RFID but there is work on ISO 18000, so it all depends on whether your reader/forger supports a given tag's vendor protocol.

The next problem is that RFID systems can operate at different frequencies, the most common ones are 125KHz - 148KHz, high at 13.56 MHz, UHF 850-915MHz and even at 2.45 GHz in the ISM band.

The tags that will be used in retail at automated checkout counters all have a scheme for preventing tag-collision that occurs when tags respond simultaneously to the reader. In order to hide a $800 digital cam-corder the following would have to happen:

You bring the forger into the store and operate it where it is not in view of the many security cameras staring at you

You research the store for a low price article that matches within tolerance what the cam-corder weighs. What that tolerance is,will be open to your own research. Setting the forger to lowest sensitivity / lowest transmit power you read the RFID data of the low-price article. Make double sure the data you read is from the low-price article and not from one of the thousands of tags surrounding you.

The low-price article may have individual identifying RFID data that must NOT be scanned at the checkout counter, not even after you and maybe your helper have left the store (Remember the security cameras, they could potentially match up your face at the automatic checkout with the article!). Also, again if the RFID data uniquely identifies the article another customer could take it to the automatic checkout and the system could mark the article as already sold in its database meaning you can't purchase it in lieu of the cam-corder. You must disable / destroy the low-price article's RFID tag either physically or with the forger.

You set the forger to the lowest sensitivy / lowest transmit power to read out the RFID data of the cam-corder. Make sure you get the right RFID data because you will be surrounded by tons of RFID tags. (BTW, it may be safer to read out the RFID data of the cam-corder you want one day and maybe have someone else get it the next day, but if you do that then make sure you mark the box some way that you or your helper takes the right cam-corder to the checkout. This may be because each cam-corder may have unique RFID data).

You take the cam-corder to the checkout and flip the forger into forge-mode. The forger monitors the radio communication at the reader forcing the transmission of the low-price article's RFID data utilizing the vendors tag-collision protocol to quiet the cam-corders tag. After transmitting the low-price article RFID data the forger jams the reader making the automatic checkout believe this is the only article being presented for purchase.

Complete the purchase with cash or with credit/debit cards not linked to you.

Tin Foil Hats Keeps The RFID away

[Shihar]

Time to take the tinfoil hat off. The reason why merchants are slavering over RFID is not because they are stroking their evil beards while thinking up ways to trick you into the matrix vats. The biggest reason why RFID is exciting is because it means they can inventory a shelf just by having a guy sweep a scanner across it in a matter of seconds. Hell, they could inventory an entire warehouse in a matter of seconds. They are excited because you can go to the checkout line, swipe your credit card and grab your recipe on the way out without ever having to glance at a human.

Now, could RFID be used to track your movements? Potentially, but so could a camera with facial recognition. RFID chips could simply be implanted with the ability to deactivate once the transaction is complete.

Even taking the worst case scenario, all the evil corporations collaborate to track what you buy and where you go, what do you think they are going to do with that data, send in a corporate death squad to off you? At worst, they are going to take all that data, shove it into a computer, decide what it is you seem to be inclined to buy, and try and sell you stuff some computer algorithm thinks you are likely to want. Annoying if it results in more spam in your mail box? Sure. The end of liberty? Hardly.

Honestly, corporations worry me the least. When I deal with a corporation, it is generally a voluntary transaction. Abercrombie can't put a gun to my head and force me to pay double the price to buy a shirt with their ugly corporate logo smeared across it. If I am dumb enough to buy it, well, I was dumb enough to buy it. If anything gives me pause, it is the government. If I tell the government I don't feel like paying for social security this year because I would rather invest that money myself, they CAN point a gun to my head and tell me that I am mistaken and I in fact DO want to buy social security this year.