Slashdot Mirror


RFID More Hackable Than Retailers Think?

Iphtashu Fitz writes "Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH, is warning retailers that the RFID technology that they are quickly adopting can easily be hacked with the appropriate tools. Grunwald has written a program called RFDump which lets you read and display all metadata within an RFID tag and also modify the user data using a text or hex editor. He wrote this program to demonstrate how consumers can protect themselves by wiping out RFID data after purchasing a product but he acknowledges that it would be trivial to abuse this behavior. What, you might ask, can you do if you hack an RFID tag? Well, as the technology is adopted more widely a thief could conceivably mark down the price of an expensive piece of jewelry before paying for it at an automated checkout counter, underage hackers could purchase alcohol or adult movies, and pranksters could simply reprogram the inventory of an entire store by just walking up and down the aisles. 'The people who will be using this (shopkeepers) don't know much about technology,' Grunwald warned."

20 of 411 comments

  1. Japanese already using RFID in cellphones by timecop · · Score: 1, Interesting

    Their FeLiCa technology is integrated into NTT DoCoMo 506i (and I think some 900i) models. They are planning to use these for shopping, ticket purchases, etc, as "electronic cash". Having seen the SDK for FeLiCa it seems it would be trivial for a programmer to write a utility similar to RFDump to edit/delete/modify data stored on the RFID chip inside the phone.

    1. Re:Japanese already using RFID in cellphones by Halo- · · Score: 2, Interesting
      There's no sane reason why RFID should have a feature added that would allow wireless re-writes. It costs more and it only adds a security issue.

      While I agree with you for certain bits of data, I think you are over-generalizing. Data like item identifiers used to say "this is a 12-pack of Pepsi" should be static. But other bits of data, like the date the item was last inventoried, and the ID of the employee who performed the inventory would be valuable rewritable fields. Sure, some jackass could come in and overwrite all the inventory fields with "RFID iz teh suckz", but the same jackass could take down those inventory stickers you sometimes see, or peel off all the barcodes.

      I don't like the idea of RFID being used to track consumer purchasing, but I can certainly see its appeal.

  2. W-O-R-M by usefool · · Score: 4, Interesting

    Is it possible to make RFID write once read many? So the product info is in the tag, and price/special/discount is cross-referenced with a database.

    Is there any advantage for embedding prices in the tag?

    --
    Uselessful technology (Air-Charged
    1. Re:W-O-R-M by Jesrad · · Score: 4, Interesting

      Would it be possible to overlay a forged signal when the tag is interrogated, if I'm standing close enough to the reader?

      --
      Maybe we deserve this world ?
  3. Crypto? by sk6307 · · Score: 4, Interesting

    Why not simply store only a cryptographically secure (signed) random unique value on the tag itself, and keep all the other data somewhere else that all the legitimate readers are connected to?

    With a simple database, this is not a problem, since it is computationally infeasible to forge a signature like that.

    1. Re:Crypto? by Jesrad · · Score: 2, Interesting

      Let's say I have my own RFID tags, which have a rewriteable serial number and higher signal power output. If I program them to masquerade as some random product I've walked past in the shop, then paste them onto the products I want to buy, could they mask the legit RFID and fool the reader?

      --
      Maybe we deserve this world ?
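The scheme proposed in the "Crypto?" comment and the copied-tag question in its reply, as an added example that is not part of the original thread. It uses an HMAC with a key held by the back end in place of a public-key signature; the field lengths, function names and sample items are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

ID_LEN = 12   # 96-bit identifier, the larger ePC size mentioned in this thread
MAC_LEN = 8   # truncated HMAC-SHA256; the length is an assumption for this sketch

def issue_tag(key: bytes) -> bytes:
    """Back office: random unique ID plus its MAC, the only bytes written to the tag."""
    tag_id = secrets.token_bytes(ID_LEN)
    return tag_id + hmac.new(key, tag_id, hashlib.sha256).digest()[:MAC_LEN]

def verify(key: bytes, tag_bytes: bytes):
    """Return the tag ID if the MAC checks out, else None."""
    if len(tag_bytes) != ID_LEN + MAC_LEN:
        return None
    tag_id, mac = tag_bytes[:ID_LEN], tag_bytes[ID_LEN:]
    expected = hmac.new(key, tag_id, hashlib.sha256).digest()[:MAC_LEN]
    return tag_id if hmac.compare_digest(mac, expected) else None

def checkout(key: bytes, db: dict, sold: set, tag_bytes: bytes):
    """Reader side: the price comes from the database, never from the tag."""
    tag_id = verify(key, tag_bytes)
    if tag_id is None or tag_id not in db:
        return ("reject", None)       # edited or unknown tag contents
    if tag_id in sold:
        return ("duplicate", None)    # same unique ID presented twice: a copy exists
    sold.add(tag_id)
    return ("ok", db[tag_id])

def demo():
    """Constructed sample data: two items and three kinds of tag contents."""
    key, db, sold = secrets.token_bytes(32), {}, set()
    steak, onions = issue_tag(key), issue_tag(key)
    db[steak[:ID_LEN]] = ("steaks", 2500)          # price in cents
    db[onions[:ID_LEN]] = ("green onions", 49)
    edited = bytes([steak[0] ^ 0x01]) + steak[1:]  # one bit of the ID rewritten
    return {
        "edited": checkout(key, db, sold, edited),
        "genuine": checkout(key, db, sold, steak),
        "first_onions": checkout(key, db, sold, onions),
        "copied_onions": checkout(key, db, sold, onions),  # verbatim copy of a valid tag
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The MAC authenticates the bytes, not the physical tag, so a verbatim copy of a valid tag still verifies. What catches it here is that every ID is unique per item and the back end records each one as it is sold.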
  4. Burn that baby by BSAtHome · · Score: 1, Interesting

    You can also zap any tag with an overdose of energy. The manufacturers do not give "Absolute Maximum Ratings" so easily for their tags, however, a microwave zaps all electronics.
    You can build a simple transmitter at 13.56MHz or an overtone combined with high gain antenna to transfer too much energy to the tag and gone it is.
    This can be made as a pocket transmitter...

  5. interesting article in Dr Dobbs this month as well by Anonymous Coward · · Score: 3, Interesting

    I don't think it's on the web yet but it describes how some RFID tags work (all of them? Some? I don't know).

    Here's a summary:

    The scanner basically gets all the RFID tag info from all the tags at once, on the same frequency, which as you can imagine creates a lot of noise. In order to find out what tags are in the area, you have to do a binary search. First ask all the tags that have a 1 in the first digit of their serial numbers to reply. Then the ones with zero. Then all of the "10's", the "11"'s, etc. And so on down the line, pruning empty subtrees as it goes, until it knows all the nearby RFID tags.

    The article described a custom RFID tag that just always responds to all serial numbers. Tying up the scanner for 1^64 (or is it 1^64 factorial?) iterations of the algorithm (forever, basically).

    Pretty neat. I will definitely be carrying one of those in the future. "Hey, whenever that guy comes in the store, all our inventory disappears"
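The tree walk summarized in the comment above, simulated from the reader's side as an added example (not code from the Dr. Dobb's article or from any real reader). The class names, the constructed 8-bit serials and the query-budget guard are assumptions of this sketch; the guard goes beyond what the comment describes.

```python
class Tag:
    """Ordinary tag: answers only when the queried prefix matches its serial."""
    def __init__(self, serial: str):
        self.serial = serial
    def answers(self, prefix: str) -> bool:
        return self.serial.startswith(prefix)

class AnswersEverything:
    """The custom tag from the summary: replies to every query."""
    def answers(self, prefix: str) -> bool:
        return True

def query_budget(bits: int, max_tags: int) -> int:
    """Upper bound on the queries needed to walk max_tags honest tags."""
    return 2 * bits * max_tags

def inventory(tags, bits: int, budget: int):
    """Walk the serial-number tree; return (serials, queries, aborted)."""
    found, queries = [], 0
    stack = ["1", "0"]                    # first round: the two one-bit prefixes
    while stack:
        if queries >= budget:
            return found, queries, True   # more branches than the expected tags explain
        prefix = stack.pop()
        queries += 1
        if not any(t.answers(prefix) for t in tags):
            continue                      # silent subtree: prune it
        if len(prefix) == bits:
            found.append(prefix)          # full serial singulated
        else:
            stack.extend((prefix + "1", prefix + "0"))
    return found, queries, False

# Constructed 8-bit serials so the full tree (2**8 leaves) stays small.
SHELF = [Tag("00010110"), Tag("00011001"), Tag("10100000")]

def demo():
    honest = inventory(SHELF, 8, query_budget(8, 3))
    flooded = inventory(SHELF + [AnswersEverything()], 8, 10**6)
    guarded = inventory(SHELF + [AnswersEverything()], 64, query_budget(64, 3))
    return honest, flooded, guarded
```

With three honest tags the walk finishes in 36 queries; with the always-answering tag nothing is ever pruned, so an 8-bit tree costs 510 queries and reports all 256 serials. A reader that knows roughly how many tags to expect can cap the walk at `2 * bits * max_tags` queries and treat an abort as an anomaly instead of stalling.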

  6. Re:No Tech is safe by Sique · · Score: 4, Interesting

    The fact that relabelled barcodes are quite easy to spot, even for an untrained eye.

    Reprogrammed RFID chips cannot be spotted without the proper equipment. And if you use the self checkout lane, there is no one to spot anything except the machine which is programmed to look solely at the RFID chips.

    A way to prevent some misuses would be to ask the customer to scan at least the bar code too, so the check out machine can do a match between the RFID information and the bar code information. But THEN your argument holds true that the fraudulent customer could also relabel the good before going to the check out. A label scanner is not able to differentiate between a printed on bar code and a bar code that got stuck on by someone.

    --
    .sig: Sique *sigh*
  7. Even more fun! by ConsumedByTV · · Score: 2, Interesting

    This article is a trivial example of something you can do, a bomb would be much more damaging and more of a threat as RFID is used for ID (with regards to people, not products. Unless you consider for a second that it makes them products, but I digress).

    I really can't wait until we have time bombs that are a result of the number of times a given person walks by with their RFID tag on. 10, 11, 12, booom.

    Food for thought anyway.

    --


    "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
  8. Easy detectable by Anonymous Coward · · Score: 1, Interesting

    All cheap rfid tags are passive, ie they require a fscking lot of induced power to operate. Any receiver with decent sensitivity tuned to the same frequency can detect the reading/{re}writing attempts, filter out the legitimate ones at the counters, mark the exact moment on the video surveillance system, close the shop doors and switch on the alarm.
    The shop personnel then examine the video at the given timeframe, find the thief and whack him/her in the head. Problem solved.

    1. Re:Easy detectable by panurge · · Score: 4, Interesting
      It depends if you know where the RFID tag is located. A coil that sat on the end of a finger, under Elastoplast with a layer of shielding, could easily be brought up next to the tag to reprogram it, resulting in a lower power demand and very short range detectability.
      Having done some research into metal detectors for -ahem- covert operations some years ago, I can assure you that there are ways and means within the scope of home build.

      Supermarkets would just love to ban people from bringing in mobile phones, palmtops, laptops in standby mode, and all the other gadgets that create background RF noise, wouldn't they? The whole object is to make it look as if you can just walk in, load up and walk out.

      --
      Panurge has posted for the last time. Thanks for the positive moderations.
  9. Re:Using EAN and RFID to shop ethically by panurge · · Score: 2, Interesting
    I can't find the reference, but I believe a student has already made a demonstrator as a college project.

    It should be pointed out that scanning the barcode is NOT photographing it and the shops would have difficulty arguing against the practice. If anything, it might direct shoppers to the ethical goods shelves where margins are higher...
    I think there is a case for aids for the partially sighted that would scan barcodes to report back what is on the shelf. Adding an ethical score to the internal database would be comparatively trivial.

    --
    Panurge has posted for the last time. Thanks for the positive moderations.
  10. Re:No Tech is safe by Zab+UvWxy · · Score: 3, Interesting

    Says who? Most, if not all, of the larger grocery stores (at least, up here in Canada) have self-checkout stations, where you scan your own purchases and pay for them all by yourself.

    Unless there's a problem getting a particular item to scan, you can go through the whole process without speaking to a store employee once.

    If you're going to go changing the bar codes, though, you can't make it too obvious; they might clue in that the $25 package of steaks should not be scanning in as $0.49 green onions.

    --
    "I don't get it." -- ObviousGuy
  11. Audits by mfh · · Score: 2, Interesting

    You might think self check-outs are easy to fool, but the fact is when they do an audit on the day, and realize that you've walked out with a load of stuff you didn't pay for, security is going to grab frames of you in the self-checkout and you'll be caught if you do it more than once. Sure if someone accidentally gets a deal on something once, they won't ban you from a store, but if your whole shopping spree is from a hacked slew of RFIDs, you'll find your picture on the wall of the security office and they'll pick you up if you go back.

    --
    The dangers of knowledge trigger emotional distress in human beings.
  12. Re:No Tech is safe by Elecore · · Score: 5, Interesting

    Also, the self checkout lines double check your items by weight. So if you scan your steaks as onions, it's going to see that your steaks weigh a lot more than the onions should and notify the person on duty.

  13. Re:No Tech is safe by Zab+UvWxy · · Score: 2, Interesting

    I guess that would depend on the type/model/manufacturer of the self-checkout kiosk; with the ones that Dominion and Zehr's use (don't know the manufacturer), scanning the UPCs does not require putting the individual item on the scale/scanner.

    However, I just realized that you may indeed be right; the area where you put the items into bags is also weighed (if you don't put an item in a bag, or if you remove one, the kiosk knows and will bitch about it).

    I guess it boils down to how well the store's product database has been populated, if they bothered to put all the weights in for each UPC.

    --
    "I don't get it." -- ObviousGuy
  14. Can be secured by jimngo · · Score: 3, Interesting

    I am working on an RFID client project at my company. There are read-only tags and read-write tags. The read-write tags can also be locked on a per-byte basis so that those bytes can never be written to again. Believe me, the system can be secured.

    By the way, the /.'er that dissed Walmart's technology because of his experience with their sales people is pretty myopic. I'm definitely no fan of Walmart--last time I stepped into one was about 10 years ago--but their distribution system is incredibly efficient. In 1993, their gross sales were $USD244 Billion. The U.S. GDP was 10.98 Trillion, so if my math is correct, their sales amount to 2.2% of the U.S. GDP. That is a lot of inventory for a single company to move around the world. Of course, they have 3rd party distributors that bring in a lot of their products, but they still have to keep track of that as well.

    For mass retailers like Walmart, RFID will work much better than barcodes and it will probably be first implemented in the distribution system, not the sales system. One RFID tag will keep track of a single shipment lot, case, box, whatever.

    RFID tags will NOT replace barcodes in the foreseeable future. But they can accomplish some things better than barcodes so they will coexist.

  15. More FUD, RFID hacking is actually harder .. by Anonymous Coward · · Score: 1, Interesting

    than hacking traditional inventory control systems.

    Storing metadata on a read/write tag? Well, that's obviously not secure. That's why the older ISO format with banked registers has been overlooked for the newer ePC format -- which allows the storing of a single 64 or 96 bit GUID. This key would be used to lookup things like price from a secured database.

    Not all tags are read/write -- Matrics ePC class 0 are encoded with a GUID at the factory, and are read only. Furthermore, tags that are read/write can be "locked", preventing future rewriting without knowing the unlock password.

    Granted, if a store is using ePC in "barcode" style, you could recode an expensive item to be the same as a cheaper item, thus, this proposed type of fraud is no different than "overwriting" a traditional inventory control device, such as placing your own sticker with a lower price or different barcode (of an item with a lower price) over the existing pricetag or barcode. The only difference here is that you will need a very expensive and portable tag reader/writer plus the tag unlock password, and/or access to the product database. Neither of which are very discreet.

  16. This is similar to pen-based bar-code hacking by Anonymous Coward · · Score: 1, Interesting

    I published a yellow-paper on this some time ago. If hackers bring a black pen into stores, it is trivial to modify the bar-codes on packaging. For example, you could turn a bottle of expensive liquor into an innocuous candy bar!