RFID More Hackable Than Retailers Think?
Iphtashu Fitz writes "Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH, is warning retailers that the RFID technology that they are quickly adopting can easily be hacked with the appropriate tools. Grunwald has written a program called RFDump which lets you read and display all metadata within an RFID tag and also modify the user data using a text or hex editor. He wrote this program to demonstrate how consumers can protect themselves by wiping out RFID data after purchasing a product but he acknowledges that it would be trivial to abuse this behavior. What, you might ask, can you do if you hack an RFID tag? Well as the technology is adopted more widely a thief could conceivably mark down the price of an expensive piece of jewelry before paying for it at an automated checkout counter, underage hackers could purchase alcohol or adult movies, and pranksters could simply reprogram the inventory of an entire store by just walking up and down the aisles. 'The people who will be using this (shopkeepers) don't know much about technology,' Grunwald warned."
Can anyone point out a new technology that was 'safe' when it was first deployed? It seems that every new technology has some security defect, or some other flaw. This reminds me of DirectTV smart cards.
-Daniel
KD5UZZ
www.w5yj.org
and pranksters could simply reprogram the inventory of an entire store by just walking up and down the aisles
What quicker way to make life insanely difficult for a retailer who forces the use of these things upon customers.
How much would it cost to re-manualise their systems if they keep on just losing track of the info in their RFID tags. How many would even bother after the 2nd time.
Looks good
I don't think anyone could mark down stuff, because the price is not stored in the RFID itself. It's a separate database that matches with the product code. But yeah, the thief might be able to change the product code to another cheap product, and thereby achieve the same thing.
just my 0.02
Doesn't everything go like this? I'm sure they will find a solution to the problem... then a new hack will come out... then a solution will come out...
Is it possible to make RFID write once read many? So the product info is in the tag, and price/special/discount is cross-referenced with a database.
Is there any advantage for embedding prices in the tag?
Uselessful technology (Air-Charged
...but I'd love to walk their aisles with something like this in my pocket and do my own price rollbacks!
Why not simply store only a cryptographically secure (signed) random unique value on the tag itself, and keep all the other data somewhere else that all the legitimate readers are connected to?
With a simple database, this is not a problem, since it is computationally infeasible to forge a signature like that.
well DUH.. the DMCA will prevent all of this! Because if something is illegal, obviously nobody will do it!
The theory of relativity doesn't work right in Arkansas.
When barcodes were introduced, retailers feared barcode swappers, because barcodes were not printed on partitioned labels, like those small price labels used to be (If you can remember when all items were (manually) priced, you are getting old.) It turned out not to be too big a problem (now most barcodes are printed).
However, when you can automate something, that is a different story. With tag swapping, you can play the percentage game; usually the number of individual swappers is small. With automated swapping (esp. wireless), one individual can swap everything. That is a true risk.
However, like the step from label to printed-on bar code, there is only a small window of opportunity.
In the near future, we will see read-only tags, embedded during the production phase.
-- (:> jms cs.vu.nl (_) --"---
I don't think it's on the web yet but it describes how some RFID tags work (all of them? Some? I don't know).
Here's a summary:
The scanner basically gets all the RFID tag info from all the tags at once, on the same frequency, which as you can imagine creates a lot of noise. In order to find out what tags are in the area, you have to do a binary search. First ask all the tags that have a 1 in the first digit of their serial numbers to reply. Then the ones with zero. Then all of the "10"s, the "11"s, etc. And so on down the line, pruning empty subtrees as it goes, until it knows all the nearby RFID tags.
The article described a custom RFID tag that just always responds to all serial numbers. Tying up the scanner for 1^64 (or is it 1^64 factorial?) iterations of the algorithm (forever, basically).
Pretty neat. I will definitely be carrying one of those in the future. "Hey, whenever that guy comes in the store, all our inventory disappears"
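The tree walk described in the post, as an added simulation that is not code from the thread or from the article it summarises: it walks constructed 8-bit serial numbers (real tags use 64- or 96-bit IDs, so the tree is astronomically larger) and shows why a tag that answers every prefix keeps the reader visiting the whole tree until it gives up.

```python
# Added example: binary tree-walking singulation with a blocker tag.
# Serial numbers and the 8-bit width are constructed for readability.
ID_BITS = 8


class Tag:
    """An ordinary tag: answers a query only if the prefix matches its ID."""

    def __init__(self, serial: int):
        self.bits = format(serial, f"0{ID_BITS}b")

    def responds_to(self, prefix: str) -> bool:
        return self.bits.startswith(prefix)


class BlockerTag(Tag):
    """Answers every query, so the reader can never prune a subtree."""

    def __init__(self):
        self.bits = "?" * ID_BITS

    def responds_to(self, prefix: str) -> bool:
        return True


def tree_walk(tags, max_queries=10_000):
    """Depth-first tree walk over the ID space.

    Returns (ids, queries, completed). `completed` is False when the reader
    gave up after `max_queries`, which is what a blocker forces on it.
    """
    ids = []
    queries = 0
    stack = [""]              # prefixes still to query; "" means "everyone reply"
    while stack:
        if queries >= max_queries:
            return ids, queries, False
        prefix = stack.pop()
        queries += 1
        if not any(t.responds_to(prefix) for t in tags):
            continue          # silence: the subtree is empty, prune it
        if len(prefix) == ID_BITS:
            ids.append(prefix)  # a full serial number has been singulated
            continue
        stack.append(prefix + "1")  # pushed first, so the "0" branch is walked first
        stack.append(prefix + "0")
    return ids, queries, True


def demo():
    honest = [Tag(3), Tag(5), Tag(240)]
    ids, n, ok = tree_walk(honest)
    # Same shelf plus one blocker: the reader runs out of its query budget.
    blocked = tree_walk(honest + [BlockerTag()], max_queries=200)
    return ids, n, ok, blocked


if __name__ == "__main__":
    print(demo())
```

With a blocker present and no budget, the walk visits every one of the 2^(ID_BITS+1)-1 nodes and reports every leaf as a phantom tag, which is the detection signal a reader implementation can alarm on.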
I have seen pranksters swap price tags on items many times before (no special equipment needed). The only more or less robust system seems barcodes...
When will I end this grieving ? When will my future begin ?
1^64 (or is it 1^64 factorial?)
i hope you're trolling, because both numbers are 1
One thing I have always seen as a potential problem is a store's competitors using RFID scanners to take inventory and/or monitor what their competitor's customers are walking out of the store with.
Any data you can get on your competitors is certainly better than none at all.
I have an idea that I've been thinking about for a while.
Some of us choose what to buy on the basis of how well-behaved the producing company is. Nothing new here. Some "bad" companies and their products are easy to identify: I try to not buy anything from Nestle (breastmilk substitute in Africa), McDonalds (cutting down rainforests), and so on. As you can see from my reasons, they are probably a bit outdated as it can be hard to get good consumer information through the media noise.
Ok, here's the thing: most products these days have an EAN/UCC code. The number in that code includes an identifier for the selling company. What if the Internet community would create a database of companies and start setting grades on them with regards to product quality, environment concern, workforce treatment, and so on?
"But it would be too much of a hassle to query the database each time one buys cereals" you say. Sure, but consider two things:
How does RFID fit into this? Well, imagine a clock that vibrates when you are about to touch some ethically questionable item! :-D
RFIDs have been creating a lot of interest in the industry as it gives them better control over where items are, who buys them, if they return, etc. Now, if consumers could easily boycott a company due to bad quality or unethical behavior, the whole idea could backfire on them!
This article is a trivial example of something you can do; a bomb would be much more damaging and more of a threat as RFID is used for ID (with regards to people, not products. Unless you consider for a second that it makes them products, but I digress).
I really can't wait until we have time bombs that are a result of the number of times a given person walks by with their RFID tag on. 10, 11, 12, booom.
Food for thought anyway.
"Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
Concerning expensive RFID tag applications like public transport prepaid accounts, this could be a problem. More expensive crypto tags solve that problem.
Concerning stores, this is stupid. Retailers don't need expensive reprogrammable tags and don't use them. Cheap tags are just a unique ID number which can't be changed. Any decent retailer saves money on tags and increases security by using cheap tags (no data storage, just a fixed number) and keeping their price and product data in a database keyed to these ID numbers. So talk of walking through Wal-mart and saving money or causing chaos is fantasy.
Conclusion: it is only the medium price (storage but no crypto) tags which are and always have been a risk. The only contribution of this program is raising wider awareness and thus breaking illusory security through obscurity.
Who would be silly enough to purchase programmable RFID tags.
In any secure application you don't keep the important info on the portable device! You put it in a secure database where all the security risks are known. The RFID tags should have a non-programmable, non-erasable fixed unique code.
The scaremongering that this thread typifies is both stupid and done to death.
I for one would be delighted to see smirking hackers walking along the aisles of department stores, wiping every RFID tag in sight. At least that would wipe the smirks off the faces of marketing execs who lust after every intimate detail of our lives.
If they try to kick you out, dump the zapper in some old lady's trolley. She'll march about for hours, wiping any spy gadgets in the building. Some might construe this as vandalism, but I construe reading dozens of RFID tags, covertly embedded in every item I buy, an illegal search.
Of course execs will find some law (can you say DMCA) to label any such defenders of privacy evil criminals who seek to undermine the economy and of course the usual line, RFID helps fight terrorism or some such rubbish. They're probably looking for a way to make RFID blocker tags illegal as well.
Unfortunately, the solution may be simply to make RFID tags read only, further compounding the privacy issue.
May the Maths Be with you!
In order to write data to the tag you needed to know a 64-bit number that was programmed into the tag. The standard didn't say how you set that number; that was policy reserved to the tag programmer. But in order to have a write command accepted, you needed to match the previously programmed number.
So if commercially deployed tags really are generally writeable it is more of an administration problem (like leaving telnet enabled on public facing servers) than a failure to consider the problem at all.
"Oh, yeah, we have it."
I get there, and it turned out they didn't have it. They had an AC Adapter.
A clerk who cannot tell the difference between something that lets you go on the internet and something that plugs into the electric socket will be easily fooled by the RFID swap. Even if someone DOES check your bag, do you think "Joe Walmart" is really going to be acute enough in his observation to recognize that you've got the high end ATI card, and not the 9600? Doubtful.
It'll be great to watch Wal-Mart reap the fruit of the seed they've sown - lost merchandise, lost profits, etc. And it's quite fitting that this really has nothing to do with RFID, but their unwillingness to go the extra mile to spend a few more bucks to get employees who know what they are doing.
FeliCa chips are already in SuiCa cards which have been used for paying train toll fees for awhile now. RFID is also already used in the US - EZPass for automatically paying highway tolls in the New England area, I-Pass for Illinois, and I'm sure other states have similar technologies that are the same. Unlike disposable RFIDs on grocery items, FeliCa chips are more expensive, so it can use more secure technology such as encryption.
There's no sane reason why RFID should have a feature added that would allow wireless re-writes. It costs more and it only adds a security issue. RFDump doesn't overwrite data stored in any RFID. It's just a spreadsheet program, and of course it can modify the data in the spreadsheet cells, but it's not changing the data stored in the original source! Note that on RFDump's webpage itself, they claim that it only works with RFID READERS - that is, it can't MODIFY the source RFID data. RFDump can import RFID data to a computer, and change the RFID data within the computer's memory - no RFID chip modified! RFDump can't do that. But apparently it's good enough for creating a hyped up CNet article. I think CNet is only covering RFID obsessively because it's a buzzword and it can bring in a lot of eyeballs to their website - that's why they like to write so many super-exaggerated RFID articles.
Legislation.
We'll just release poorly thought out technology that promises things older techs can't deliver, but make sure not to put in the press releases that mayhem can ensue from its use. Then when someone discovers this, we'll just see to it that it's illegal to own equipment capable of performing these operations (despite their otherwise legitimate uses), and so we have protected our customers by giving them a false sense of security while sacrificing another tiny bit of essential liberty.
Slay a dragon... over lunch!
From what the submitter had mentioned, he thought it would be possible to reprogram RFID tags to use to cheat a SCO...I'm not really sure about how the RFID stuff works, so I can't really say much about that, however, I do know a bit about the SCO's.
Some SCO's (namely those by ACM/IBM) have a secondary server that handles the interactions with the cash register controllers (sometimes called the BOSS server). They have a 'security profile' that lets a SCO learn pieces of information about an item (dimensions, weight, that kinda thing) and if the item doesn't match a security profile, it'll kick it back, until a cashier scans their card to get it to learn the item.
Other SCO's use a weight-based system. I'm not totally sure if the scales weigh all items and go from item to item specifically, or from item to item just to see if the item's been placed in the 'bagging' area (if not a pass around item).
A properly set-up SCO won't allow things like this anyway. Really, nothing more than barcode switching.
I disable sigs...do you?
The inside of soda machines are all segregated columns filled with the various sugar drinks. Each column contains a separate type of drink, although a few columns could contain the same drink; that's just a matter of local preferences.
Since each column is limited to one type of drink the machine can easily test how many of each brand are left and notify 'home' that they are running low. Which won't necessarily mean it will be filled quicker, it just means they know exactly what to bring to the machine. Distributors don't often change their routes since it allows them to send drivers out less often, servicing more machines without having to go back and forth all that often.
There is no reason to put an RFID into the cans going into Drink Machines. They serve no purpose that isn't already covered by tried and true technology.
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
13.56MHz is the top edge of a radioastronomy allocation (13.41-13.56); it is "Long Wave" and well below: the 27MHz CB band, the 54-72 MHz broadcast TV channels 2-4, the 76-88 MHz broadcast TV channels 5-6, the 88-108 MHz FM broadcast band, the 174-216 MHz broadcast TV channels 7-13 . . .
If you plan to generate enough RF at that frequency to "burn that baby", the power supply you tow behind you will give you away - moreover, any significant RF power in that range calls for -gasp- TUBES - say a pair of 6LQ6 in push-pull - but that is still way below their normal operating range ~18-30 MHz.
Also, the core flaw in this scheme (at any frequency) is that pesky (and easily detected) RFI you generate while walking around the store.
Operation of an unregulated transmitter, for a frequency you don't have a license to operate at, is a federal crime (think FCC and pirate radio stations); also consider how your plan might affect legit radio/ranging (crashing aircraft on approach is discouraged) or, assuming that you actually find a way to beam microwaves (requires a waveguide), you might just cook bio-matter (the baby's corneas in the next aisle or your fingers).
Once any sophisticated reprogrammer is available, you can be certain you will be treated EXACTLY the same way as people who print their own money: counterfeiters go to jail for a long time.
Having done some research into metal detectors for -ahem- covert operations some years ago, I can assure you that there are ways and means within the scope of home build.
Supermarkets would just love to ban people from bringing in mobile phones, palmtops, laptops in standby mode, and all the other gadgets that create background RF noise, wouldn't they? The whole object is to make it look as if you can just walk in, load up and walk out.
Panurge has posted for the last time. Thanks for the positive moderations.
The tags do not generally contain data and for the most part are read only in the new systems. The tag only contains an identifier which is used to access the info just like a barcode. Changing the number to another at the checkout would still display the id of the product. You have a watch at the checkout and the till shows a tin of beans.... These systems are not that easy to hack in reality, at least no more so than barcodes. Most people do not change the price tags either out of honesty or fear of being caught. I doubt very much that jewelry stores will ever have self checkout lanes.
"If the King's English was good enough for Jesus, it's good enough for me!" -- "Ma" Ferguson, Governor of Texas (circa
You might think self check-outs are easy to fool, but the fact is when they do an audit on the day, and realize that you've walked out with a load of stuff you didn't pay for, security is going to grab frames of you in the self-checkout and you'll be caught if you do it more than once. Sure if someone accidentally gets a deal on something once, they won't ban you from a store, but if your whole shopping spree is from a hacked slew of RFIDs, you'll find your picture on the wall of the security office and they'll pick you up if you go back.
The dangers of knowledge trigger emotional distress in human beings.
I would expect that instead of actually fixing the technology (if possible) adopters and promoters of RFID will start a massive campaign of lobbying for harsh federal laws that make it illegal to possess, create or look at any device that could possibly be used in "hacking" RFIDs. These would include (but are not limited to):
RF detectors
Calculators
pencils
human brain
words
-I'm not the troll you're looking for.
At least RFID can handle some types of encryption. An encryption key can be kept in the reader and since it doesn't have to be broadcast this isn't necessarily a huge problem. And since RFIDs can be managed automatically, if someone really was worried the whole system could check and rewrite each item's data once a day or something to make use of a new encryption key.
Some people have already looked in to this, although of course retailers don't pay attention anyway.
Presently here, but not there.
I'm sure they all love their jobs and take them seriously.
You better watch out, there may be dogs about . .
Time to take the tinfoil hat off. The reason why merchants are slavering over RFID is not because they are stroking their evil beards while thinking up ways to trick you into the matrix vats. The biggest reason why RFID is exciting is because it means they can inventory a shelf just by having a guy sweep a scanner across it in a matter of seconds. Hell, they could inventory an entire warehouse in a matter of seconds. They are excited because you can go to the checkout line, swipe your credit card and grab your receipt on the way out without ever having to glance at a human.
Now, could RFID be used to track your movements? Potentially, but so could a camera with facial recognition. RFID chips could simply be implanted with the ability to deactivate once the transaction is complete.
Even taking the worst case scenario, all the evil corporations collaborate to track what you buy and where you go, what do you think they are going to do with that data, send in a corporate death squad to off you? At worst, they are going to take all that data, shove it into a computer, decide what it is you seem to be inclined to buy, and try and sell you stuff some computer algorithm thinks you are likely to want. Annoying if it results in more spam in your mail box? Sure. The end of liberty? Hardly.
Honestly, corporations worry me the least. When I deal with a corporation, it is generally a voluntary transaction. Abercrombie can't put a gun to my head and force me to pay double the price to buy a shirt with their ugly corporate logo smeared across it. If I am dumb enough to buy it, well, I was dumb enough to buy it. If anything gives me pause, it is the government. If I tell the government I don't feel like paying for social security this year because I would rather invest that money myself, they CAN point a gun to my head and tell me that I am mistaken and I in fact DO want to buy social security this year.
I am working on an RFID client project at my company. There are read-only tags and read-write tags. The read-write tags can also be locked on a per-byte basis so that those bytes can never be written to again. Believe me, the system can be secured.
The /.'er who dissed Walmart's technology because of his experience with their sales people is pretty myopic. I'm definitely no fan of Walmart--last time I stepped into one was about 10 years ago--but their distribution system is incredibly efficient. In 1993, their gross sales were $USD244 Billion. The U.S. GDP was 10.98 Trillion, so if my math is correct, their sales amount to 2.2% of the U.S. GDP. That is a lot of inventory for a single company to move around the world. Of course, they have 3rd party distributors that bring in a lot of their products, but they still have to keep track of that as well.
By the way, the
For mass retailers like Walmart, RFID will work much better than barcodes and it will probably be first implemented in the distribution system, not the sales system. One RFID tag will keep track of a single shipment lot, case, box, whatever.
RFID tags will NOT replace barcodes in the foreseeable future. But they can accomplish some things better than barcodes so they will coexist.
What is cool about the RFID stuff is that I bet with the right antenna, you could do the reprogramming from the parking lot, and do a whole shelf full (store full?) at once. Suddenly, everything in the store is a 50 cent pack of Wrigley's...
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
While I agree with you for certain bits of data, I think you are over-generalizing. Data like item identifiers used to say "this is a 12-pack of Pepsi" should be static. But other bits of data, like the date the item was last inventoried, and the ID of the employee who performed the inventory would be valuable rewritable fields. Sure, some jackass could come in and overwrite all the inventory fields with "RFID iz teh suckz", but the same jackass could take down those inventory stickers you sometimes see, or peel off all the barcodes.
I don't like the idea of RFID being used to track consumer purchasing, but I can certainly see its appeal.
These things are teeny tiny and could easily be placed in the stitching of a T-shirt where you couldn't find it. The smallest ones I know of are as small as a grain of rice.
...... it's the gestalt of all the little specifics that add up to a general wrongness. RFID tracks the part, the widget, then you use a store card or cc or cash to buy it. They have cameras as well that go to the mix. Add in location of where you are at with a cellphone, yada yada yada, it isn't any ONE of those things that is wrong, it's the ability to eventually tie them all in together that's wrong. I don't want a total surveilled/controlled/command and controlled society, which is exactly where this rfid stuff-and everything else- is heading, and make NO mistake, at some time the government is going to insist by law that you have a complex rfid implanted.
Totalitarian regimes don't spring up overnight, they take some time and come at you from many diverse areas, and rfid is definitely one of the areas they are going to use. Here is my original thought again
I am a human, a sovereign man, distinct, unique, I am more important than business and government or their convenience. I am NOT their inventory.
The more they can tie "inventory" and "tracking" and "this is now part of the database" to *everything* you do, the closer we come to US human folks as individual sovereign humans to be their "inventory".
It's a really large general concept that is made up of all the other smaller bits of data, rfid tracking is just one of them, it is not "the" only part, but I would say it's a pretty important part.
Want to know when it changed in society, where this mindshare paradigm to "humans are the inventory, too" shifted? Exactly when we stopped being called "personnel" and got turned into "human resources".
I've been pondering the security implications of this stuff lately.
Most of the places I've worked over the past few years use RFID based access controls.
If I scanned someone's security badge with my wrist watch, then went home and programmed another RFID to match it, I would get access to controlled areas...
O=='=++
Why not just have one of the RFID data fields be a digitally signed MD5 checksum on the entire record? In-store scanners could verify the encrypted checksum then hackers would need the store's private encryption key to modify the checksum field.
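The two designs argued for in this thread, as an added example that is not code from any of the posts: an identifier-only tag resolved against a back-end database (the "cheap tags are just a unique ID" position), and a tag that carries user data bound to its factory serial and protected by an authenticator a reader can verify (the "signed checksum on the entire record" proposal above). The post proposes a digitally signed MD5 checksum; this example substitutes HMAC-SHA256 with a key held only by legitimate readers, and it assumes the tag's factory serial is read-only. Keys, serials and prices are constructed.

```python
# Added example: identifier-only lookup versus an authenticated on-tag record.
import hashlib
import hmac
import json

READER_KEY = b"constructed-demo-key"   # held by the readers, never written to a tag

# Design 1: the tag holds nothing but a fixed serial; price lives in the database.
PRODUCT_DB = {
    "A1": ("gold ring", 499.00),
    "B2": ("chewing gum", 0.50),
}


def price_for(serial):
    """Identifier-only lookup: an unknown serial is a flagged item, not a bargain."""
    return PRODUCT_DB.get(serial)


# Design 2: user data on the tag, bound to the tag's factory serial and
# authenticated so a reader without the key cannot produce a valid record.
def _canonical(data):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def make_record(serial, fields):
    data = dict(fields, serial=serial)   # serial is part of the authenticated data
    mac = hmac.new(READER_KEY, _canonical(data), hashlib.sha256).hexdigest()
    return {"data": data, "mac": mac}


def verify_record(record, tag_serial):
    """True only if the record is untampered AND belongs to this physical tag."""
    expected = hmac.new(READER_KEY, _canonical(record["data"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["mac"]):
        return False          # any edited byte (price, product code) fails here
    # A valid record copied from a cheap item onto an expensive one fails here,
    # because the read-only factory serial no longer matches the signed one.
    return record["data"]["serial"] == tag_serial


def demo():
    ring = make_record("A1", {"product": "gold ring", "price": 499.00})
    marked_down = {"data": dict(ring["data"], price=0.50), "mac": ring["mac"]}
    gum = make_record("B2", {"product": "chewing gum", "price": 0.50})
    return {
        "genuine": verify_record(ring, "A1"),
        "marked_down": verify_record(marked_down, "A1"),
        "copied_from_gum": verify_record(gum, "A1"),
    }


if __name__ == "__main__":
    print(demo())
```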
Seems the discussion here has been mainly about ripping off the retailer. I think the idea of erasing them after purchase for privacy reasons is far more important.
However, another way to look at it is as a cheap way to get tags to use at home. I've got large collections of CDs, videos, and books in my house, and it's always a real pain in the ass trying to find something I haven't used in a couple years. If I'm getting all these RFID tags for free in the products I buy anyway, and I'm able to erase and rewrite them easily, then perhaps I can remove them from the products and redeploy them into my books, CDs, etc, and then use an RFID reader to more easily find things.
Sure, it would be a long-term project to get everything tagged and inventoried, but so what? I'd be able to easily find things I'd already tagged, and if I have to search for something that wasn't tagged, it would be easy enough to tag it once I find it.
Anyone who frequents Laser Quest (a laser tag arena) knows that they use Maxim/Dallas Semiconductor iButton devices to activate the "blaster" with your callsign and to keep track of statistics. The problem with this is that anybody with a knowledge of microcontrollers and some basic hardware skills (such as, ahem... moi) can rig up a simple unit to read and write to them (using a serial protocol called 1Wire). While this might not seem particularly relevant to the topic, it demonstrates the same concept, which is that if you make widespread use of a low-cost technology that nerds have free access to, it's only a matter of time until one of them starts to get curious. And then you're screwed. ;)
Great. Now a legal, useful, and important use of technology
He wrote this program to demonstrate how consumers can protect themselves by wiping out RFID data after purchasing a product
is likely to be outlawed because of fear of abuses. Not unlike P2P. I predict much FUD coming about this technology from the RFID peddlers, as well as cries for Congress/FTC/FCC to "do something about it!"
Global warming is neither science, nor politics. It is a religion.
Barcodes are scanned only where and when you buy something. But RFIDs can be read without your knowledge by anyone with a suitable scanner.