Slashdot Mirror


RFID More Hackable Than Retailers Think?

Iphtashu Fitz writes "Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH, is warning retailers that the RFID technology that they are quickly adopting can easily be hacked with the appropriate tools. Grunwald has written a program called RFDump which lets you read and display all metadata within an RFID tag and also modify the user data using a text or hex editor. He wrote this program to demonstrate how consumers can protect themselves by wiping out RFID data after purchasing a product, but he acknowledges that it would be trivial to abuse this behavior. What, you might ask, can you do if you hack an RFID tag? Well, as the technology is adopted more widely a thief could conceivably mark down the price of an expensive piece of jewelry before paying for it at an automated checkout counter, underage hackers could purchase alcohol or adult movies, and pranksters could simply reprogram the inventory of an entire store by just walking up and down the aisles. 'The people who will be using this (shopkeepers) don't know much about technology,' Grunwald warned."

28 of 411 comments

  1. No Tech is safe by KD5UZZ · · Score: 5, Insightful

    Can anyone point out a new technology that was 'safe' when it was first deployed? It seems that every new technology has some security defect, or some other flaw. This reminds me of DirectTV smart cards.

    --
    -Daniel
    KD5UZZ
    www.w5yj.org
    1. Re:No Tech is safe by Sique · · Score: 4, Interesting

      The fact is that relabelled barcodes are quite easy to spot even for an untrained eye.

      Reprogrammed RFID chips cannot be spotted without the proper equipment. And if you use the self checkout lane, there is no one to spot anything except the machine, which is programmed to look solely at the RFID chips.

      A way to prevent some misuses would be to ask the customer to scan at least the bar code too, so the checkout machine can do a match between the RFID information and the bar code information. But THEN your argument holds true that the fraudulent customer could also relabel the good before going to the checkout. A label scanner is not able to differentiate between a printed-on bar code and a bar code that got stuck on by someone.

      --
      .sig: Sique *sigh*
    2. Re:No Tech is safe by Lumpy · · Score: 5, Informative

      It's simple. Instead of using the expensive reprogrammable RFID tags you use the cheaper PROM RFID tags.

      You set them once and they stay that way forever.

      The story is nothing but high brow FUD.

      Not all RFID tags are the rewriteable type. Most are the single-write, read-many variety. And nothing is to stop a manufacturer like Coke from ordering their RFID tags preprogrammed. Not every can of Coke needs a different tag. (Just like how they don't have different barcodes on them.)

      --
      Do not look at laser with remaining good eye.
    3. Re:No Tech is safe by Muad'Dave · · Score: 4, Insightful

      ...not every can of coke needs a different tag.

      It depends on what you're trying to accomplish. If you're attempting to take inventory by using RFID tags, having a product ID and serial number in the tag is a good thing. You can wave the reader around a shelf and know how many cans of Coke you have in six packs, 12 packs, 20 oz, etc (each different form factor would have a unique product ID).

      Similarly, a drink machine could contain a reader coil around the inside of the refrigerated box that could poll the contents of the machine and set prices accordingly (today I have 20oz Coke bottles - they're $1. The Red Bulls are $2, etc). The machine could also 'call home' when a particular item runs low. There are lots of reasons to have unique IDs on otherwise identical products.

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    4. Re:No Tech is safe by dnoyeb · · Score: 4, Insightful

      Yes, rubbish.

      It's a TAG which contains METAdata, not data.

      It does not contain item prices or consumer behavior. It's an ID, for crying out loud. The actual ID number is fixed and not changeable. Plus most have a crypto mode, which can be locked on permanently. Once locked, the data can still be changed, but you need the special key and whatnot, which means you need to break the encryption. It's not trivial.

      The space on the tag is used for identification purposes ONLY. The tracking is done by a database elsewhere.

      We've been tagging whales and wild animals for years, but you don't put the info in the tag, you put it in a database, duh.

    5. Re:No Tech is safe by Elecore · · Score: 5, Interesting

      Also, the self checkout lines double check your items by weight. So if you scan your steaks as onions, it's going to see that your steaks weigh a lot more than the onions should and notify the person on duty.

  2. Reprogramming by Amiga+Lover · · Score: 4, Insightful

    and pranksters could simply reprogram the inventory of an entire store by just walking up and down the aisles

    What quicker way to make life insanely difficult for a retailer who forces the use of these things upon customers.

    How much would it cost to re-manualise their systems if they keep on just losing track of the info in their RFID tags? How many would even bother after the 2nd time?

    Looks good

  3. Its easy by kunjan1029 · · Score: 5, Insightful

    I don't think anyone could mark down stuff, because the price is not stored in the RFID itself. It's a separate database that matches with the product code. But yeah, the thief might be able to change the product code to another cheap product and thereby achieve the same thing.

    just my 0.02

    1. Re:Its easy by rokzy · · Score: 4, Insightful

      No, that is NOT the same thing.

      If the description doesn't fit, the checkout assistant won't allow the sale.

      If you use an automated checkout, then why bother even changing it? You won't have the correct item on your receipt, so no proof of purchase if stopped by security.

      All it would allow is for you to claim someone else did it if you get caught. But if you have the RFID writer on you that won't work. You'll have to get rid of it, but with security cameras everywhere that won't necessarily work.

    2. Re:Its easy by Asic+Eng · · Score: 4, Insightful

      All it would allow is for you to claim someone else did it if you get caught. But if you have the RFID writer on you that won't work.

      So you have an accomplice do the remarking, he walks out after purchasing a chocolate bar, then it's your turn with the expensive stuff. Or you just go into the store twice, once with the RFID writer, and once to collect the stuff.

  4. W-O-R-M by usefool · · Score: 4, Interesting

    Is it possible to make RFID write once read many? So the product info is in the tag, and price/special/discount is cross-referenced with a database.

    Is there any advantage for embedding prices in the tag?

    --
    Uselessful technology (Air-Charged
    1. Re:W-O-R-M by will_die · · Score: 4, Informative

      They don't do the price, they do a product code. The product code is read in at the checkout counter and compared to the database to get the price. Same with barcodes currently being used.
      In addition each RFID has a unique number, which cannot be changed. If the store wanted to, they could record those individual numbers instead of the product code and that would solve the problem. However that would be a major problem, since instead of having a single product code for 1000 items you now have to store those 1000 items in the database.

    2. Re:W-O-R-M by Jesrad · · Score: 4, Interesting

      Would it be possible to overlay a forged signal when the tag is interrogated, if I'm standing close enough to the reader?

      --
      Maybe we deserve this world?
    3. Re:W-O-R-M by gd23ka · · Score: 5, Insightful

      This question deserves both: to be modded up and an answer.

      First of all, there are no widely adopted international standards for RFID but there is work on ISO 18000, so it all depends on whether your reader/forger supports a given tag's vendor protocol.

      The next problem is that RFID systems can operate at different frequencies; the most common ones are 125 kHz - 148 kHz, high at 13.56 MHz, UHF at 850-915 MHz and even 2.45 GHz in the ISM band.

      The tags that will be used in retail at automated checkout counters all have a scheme for preventing tag-collision that occurs when tags respond simultaneously to the reader. In order to hide a $800 digital cam-corder the following would have to happen:

      You bring the forger into the store and operate it where it is not in view of the many security cameras staring at you

      You research the store for a low price article that matches within tolerance what the cam-corder weighs. What that tolerance is, will be open to your own research. Setting the forger to lowest sensitivity / lowest transmit power you read the RFID data of the low-price article. Make double sure the data you read is from the low-price article and not from one of the thousands of tags surrounding you.

      The low-price article may have individual identifying RFID data that must NOT be scanned at the checkout counter, not even after you and maybe your helper have left the store (Remember the security cameras, they could potentially match up your face at the automatic checkout with the article!). Also, again if the RFID data uniquely identifies the article another customer could take it to the automatic checkout and the system could mark the article as already sold in its database meaning you can't purchase it in lieu of the cam-corder. You must disable / destroy the low-price article's RFID tag either physically or with the forger.

      You set the forger to the lowest sensitivity / lowest transmit power to read out the RFID data of the cam-corder. Make sure you get the right RFID data because you will be surrounded by tons of RFID tags. (BTW, it may be safer to read out the RFID data of the cam-corder you want one day and maybe have someone else get it the next day, but if you do that then make sure you mark the box some way so that you or your helper takes the right cam-corder to the checkout. This may be because each cam-corder may have unique RFID data).

      You take the cam-corder to the checkout and flip the forger into forge-mode. The forger monitors the radio communication at the reader, forcing the transmission of the low-price article's RFID data, utilizing the vendor's tag-collision protocol to quiet the cam-corder's tag. After transmitting the low-price article's RFID data the forger jams the reader, making the automatic checkout believe this is the only article being presented for purchase.

      Complete the purchase with cash or with credit/debit cards not linked to you.

  5. Crypto? by sk6307 · · Score: 4, Interesting

    Why not simply store only a cryptographically secure (signed) random unique value on the tag itself, and keep all the other data somewhere else that all the legitimate readers are connected to?

    With a simple database, this is not a problem, since it is computationally infeasible to forge a signature like that.
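The scheme sk6307 sketches, as an added example that is not from the thread or from RFDump: the only thing on the tag is a random 64-bit ID plus an authenticator over it, and the product and price live in a back-end database keyed by that ID. It assumes an HMAC with a key held by the readers in place of a public-key signature, and a constructed key and inventory.

```python
"""Checkout that trusts nothing on the tag except a random ID and a MAC
over it; price and product come from a database keyed by the ID."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo key. In a deployment this lives in the reader back-end,
# never in tag memory; a public-key signature would remove it from readers too.
ISSUER_KEY = b"demo-key-not-for-production"
MAC_LEN = 8  # truncated tag, keeps the user-memory footprint small


def issue_tag(tag_id: Optional[bytes] = None) -> dict:
    """Programme a tag: random 64-bit ID plus a MAC binding it to the issuer."""
    if tag_id is None:
        tag_id = secrets.token_bytes(8)
    mac = hmac.new(ISSUER_KEY, tag_id, hashlib.sha256).digest()[:MAC_LEN]
    return {"id": tag_id, "mac": mac}


def verify_tag(tag: dict) -> bool:
    """Reader-side check: anyone can rewrite the ID, but not recompute the MAC."""
    expected = hmac.new(ISSUER_KEY, tag["id"], hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(expected, tag["mac"])


class Checkout:
    def __init__(self, inventory: dict):
        # inventory: tag_id -> {"sku": str, "price_cents": int, "sold": bool}
        self.inventory = inventory

    def ring_up(self, tag: dict) -> tuple:
        if not verify_tag(tag):
            return ("REJECT", "bad MAC: tag data altered or forged")
        item = self.inventory.get(tag["id"])
        if item is None:
            return ("REJECT", "ID not in inventory")
        if item["sold"]:
            return ("REJECT", "ID already sold: cloned or replayed tag")
        item["sold"] = True  # one physical item per ID, so mark it sold
        return ("OK", item["sku"], item["price_cents"])


def run_demo() -> dict:
    """Constructed scenario: a cheap item, an expensive item, a rewritten
    tag and a cloned tag. Returns the till's verdict for each."""
    cheap = issue_tag(bytes.fromhex("0011223344556677"))
    pricey = issue_tag(bytes.fromhex("8899aabbccddeeff"))
    till = Checkout({
        cheap["id"]: {"sku": "tin-of-beans", "price_cents": 89, "sold": False},
        pricey["id"]: {"sku": "camcorder", "price_cents": 80000, "sold": False},
    })
    # Rewriting the camcorder tag's ID to the cheap item's ID leaves the
    # camcorder's MAC behind, which no longer matches.
    rewritten = {"id": cheap["id"], "mac": pricey["mac"]}
    return {
        "genuine": till.ring_up(cheap),
        "rewritten": till.ring_up(rewritten),
        "cloned": till.ring_up(dict(cheap)),  # full copy of an already-sold tag
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:10s} {verdict}")
```

This catches rewritten or forged tag data and replayed IDs; it does nothing against physically moving a genuine tag onto a different item, which is why other posts in the thread pair the ID check with weight or profile checks at the checkout.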

  6. they've got it covered... by User+956 · · Score: 4, Funny

    well DUH.. the DMCA will prevent all of this! Because if something is illegal, obviously nobody will do it!

    --
    The theory of relativity doesn't work right in Arkansas.
  7. Barcodes are unsafe too. by JanMark · · Score: 5, Insightful

    When barcodes were introduced, retailers feared barcode swappers, because barcodes were not printed on partitioned labels, like those small price labels used to be (if you can remember when all items were (manually) priced, you are getting old). It turned out not to be too big a problem (now most barcodes are printed).

    However, when you can automate something, that is a different story. With tag swapping, you can play the percentage game; usually the number of individual swappers is small. With automated swapping (esp. wireless), one individual can swap everything. That is a true risk.

    However, like the step from label to printed-on bar code, there is only a small window of opportunity.
    In the near future, we will see read-only tags, embedded during the production phase.

    --
    -- (:> jms cs.vu.nl (_) --"---
  8. Competitors by detritus. · · Score: 4, Insightful

    One thing I have always seen as a potential problem is a store's competitors using RFID scanners to take inventory and/or monitor what their competitor's customers are walking out of the store with.
    Any data you can get on your competitors is certainly better than none at all.

  9. Using EAN and RFID to shop ethically by zyche · · Score: 5, Insightful

    I have an idea that I've been thinking about for a while.

    Some of us choose what to buy on the basis of how well-behaved the producing company is. Nothing new here. Some "bad" companies and their products are easy to identify: I try to not buy anything from Nestle (breastmilk substitute in Africa), McDonalds (cutting down rainforests), and so on. As you can see from my reasons, they are probably a bit outdated, as it can be hard to get good consumer information through the media noise.

    Ok, here's the thing: most products these days have an EAN/UCC code. The number in that code includes an identifier for the selling company. What if the Internet community would create a database of companies and start setting grades on them with regards to product quality, environment concern, workforce treatment, and so on?

    "But it would be too much of a hassle to query the database each time one buys cereals" you say. Sure, but consider two things:

    • Most mobile phones today (and certainly more in the future) have a built-in camera. Use that to photograph the EAN code, run a picture recognition program (in the phone of course) and either compare to a snapshot database in the phone or check the online database directly!
    • You will quickly learn to avoid certain brands, and also educate people in your surroundings (friends, relatives, etc).

    How does RFID fit into this? Well, imagine a clock that vibrates when you are about to touch some ethically questionable item! :-D

    RFIDs have been creating a lot of interest in the industry as it gives them better control over where items are, who buys them, if they return, etc. Now, if consumers could easily boycott a company due to bad quality or unethical behavior, the whole idea could backfire on them!

  10. Non-issue for store tags by paulikoira · · Score: 4, Insightful

    Concerning expensive RFID tag applications like public transport prepaid accounts, this could be a problem. More expensive crypto tags solve that problem.

    Concerning stores, this is stupid. Retailers don't need expensive reprogrammable tags and don't use them. Cheap tags are just a unique ID number which can't be changed. Any decent retailer saves money on tags and increases security by using cheap tags (no data storage, just a fixed number) and keeping their price and product data in a database keyed to these ID numbers. So talk of walking through Wal-mart and saving money or causing chaos is fantasy.

    Conclusion: it is only the medium price (storage but no crypto) tags which are and always have been a risk. The only contribution of this program is raising wider awareness and thus breaking illusory security through obscurity.

  11. Not everyone can really write to tags by happynut · · Score: 5, Informative

    This case was already covered in the older RFID specs that used to appear at www.autoidcenter.org (they have since become viewable to members only when they handed standards off to www.epcglobalinc.org several months ago).

    In order to write data to the tag you needed to know a 64-bit number that was programmed into the tag. The standard didn't say how you set that number; that was policy reserved to the tag programmer. But in order to have a write command accepted, you needed to match the previously programmed number.

    So if commercially deployed tags really are generally writeable it is more of an administration problem (like leaving telnet enabled on public facing servers) than a failure to consider the problem at all.

  12. Why these people are fucked. by syberanarchy · · Score: 5, Informative

    Let's be honest, the biggest advocate of this stuff (walmart) isn't exactly the employer of rocket scientists. I have called them before at midnight, asking if they had Socom and the PS2 Net Adapter (when that was the "new thing.")

    "Oh, yeah, we have it."

    I get there, and it turned out they didn't have it. They had an AC Adapter.

    A clerk who cannot tell the difference between something that lets you go on the internet and something that plugs into the electric socket will be easily fooled by the RFID swap. Even if someone DOES check your bag, do you think "Joe Walmart" is really going to be acute enough in his observation to recognize that you've got the high end ATI card, and not the 9600? Doubtful.

    It'll be great to watch Wal-Mart reap the fruit of the seed they've sown - lost merchandise, lost profits, etc. And it's quite fitting that this really has nothing to do with RFID, but their unwillingness to go the extra mile to spend a few more bucks to get employees who know what they are doing.

  13. Re:Japanese already using RFID in cellphones by line.at.infinity · · Score: 4, Informative

    FeliCa chips are already in SuiCa cards which have been used for paying train toll fees for a while now. RFID is also already used in the US - EZPass for automatically paying highway tolls in the New England area, I-Pass for Illinois, and I'm sure other states have similar technologies that are the same. Unlike disposable RFIDs on grocery items, FeliCa chips are more expensive, so they can use more secure technology such as encryption.

    There's no sane reason why RFID should have a feature added that would allow wireless re-writes. It costs more and it only adds a security issue. RFDump doesn't overwrite data stored in any RFID. It's just a spreadsheet program, and of course it can modify the data in the spreadsheet cells, but it's not changing the data stored in the original source! Note that on RFDump's webpage itself, they claim that it only works with RFID READERS - that is, it can't MODIFY the source RFID data. RFDump can import RFID data to a computer, and change the RFID data within the computer's memory - no RFID chip modified! RFDump can't do that. But apparently it's good enough for creating a hyped up CNet article. I think CNet is only covering RFID obsessively because it's a buzzword and it can bring in a lot of eyeballs to their website - that's why they like to write so many super-exaggerated RFID articles.

  14. The solution: by nahdude812 · · Score: 4, Insightful

    Legislation.

    We'll just release poorly thought out technology that promises things older techs can't deliver, but make sure not to put in the press releases that mayhem can ensue from its use. Then when someone discovers this, we'll just see to it that it's illegal to own equipment capable of performing these operations (despite their otherwise legitimate uses), and so we have protected our customers by giving them a false sense of security while sacrificing another tiny bit of essential liberty.

  15. Some SCO's, maybe. by ONU+CS+Geek · · Score: 4, Informative

    From what the submitter had mentioned, he thought it would be possible to reprogram RFID tags to use to cheat a SCO...I'm not really sure about how the RFID stuff works, so I can't really say much about that, however, I do know a bit about the SCO's.

    Some SCO's (namely those by ACM/IBM) have a secondary server that handles the interactions with the cash register controllers (sometimes called the BOSS server). They have a 'security profile' that lets a SCO learn pieces of information about an item (dimensions, weight, that kinda thing) and if the item doesn't match a security profile, it'll kick it back, until a cashier scans their card to get it to learn the item.

    Other SCO's use a weight-based system. I'm not totally sure if the scales weigh all items and go from item to item specifically, or from item to item just to see if the item's been placed in the 'bagging' area (if not a pass around item).

    A properly set-up SCO won't allow things like this anyway. Really, nothing more than barcode switching.

    --
    I disable sigs...do you?
  16. Re:Easy detectable by panurge · · Score: 4, Interesting

    It depends if you know where the RFID tag is located. A coil that sat on the end of a finger, under Elastoplast with a layer of shielding, could easily be brought up next to the tag to reprogram it, resulting in a lower power demand and very short range detectability.
    Having done some research into metal detectors for -ahem- covert operations some years ago, I can assure you that there are ways and means within the scope of home build.

    Supermarkets would just love to ban people from bringing in mobile phones, palmtops, laptops in standby mode, and all the other gadgets that create background RF noise, wouldn't they? The whole object is to make it look as if you can just walk in, load up and walk out.

    --
    Panurge has posted for the last time. Thanks for the positive moderations.
  17. RFID Tags by butlerdi · · Score: 5, Insightful

    The tags do not generally contain data and for the most part are read only in the new systems. The tag only contains an identifier which is used to access the info just like a barcode. Changing the number to another at the checkout would still display the id of the product. You have a watch at the checkout and the till shows a tin of beans.... These systems are not that easy to hack in reality, at least no more so than barcodes. Most people do not change the price tags either out of honesty or fear of being caught. I doubt very much that jewelry stores will ever have self checkout lanes.

    --
    "If the King's English was good enough for Jesus, it's good enough for me!" -- "Ma" Ferguson, Governor of Texas (circa
  18. Tin Foil Hats Keeps The RFID away by Shihar · · Score: 4, Insightful

    Time to take the tinfoil hat off. The reason why merchants are slavering over RFID is not because they are stroking their evil beards while thinking up ways to trick you into the matrix vats. The biggest reason why RFID is exciting is because it means they can inventory a shelf just by having a guy sweep a scanner across it in a matter of seconds. Hell, they could inventory an entire warehouse in a matter of seconds. They are excited because you can go to the checkout line, swipe your credit card and grab your receipt on the way out without ever having to glance at a human.

    Now, could RFID be used to track your movements? Potentially, but so could a camera with facial recognition. RFID chips could simply be implanted with the ability to deactivate once the transaction is complete.

    Even taking the worst case scenario, all the evil corporations collaborate to track what you buy and where you go, what do you think they are going to do with that data, send in a corporate death squad to off you? At worst, they are going to take all that data, shove it into a computer, decide what it is you seem to be inclined to buy, and try and sell you stuff some computer algorithm thinks you are likely to want. Annoying if it results in more spam in your mail box? Sure. The end of liberty? Hardly.

    Honestly, corporations worry me the least. When I deal with a corporation, it is generally a voluntary transaction. Abercrombie can't put a gun to my head and force me to pay double the price to buy a shirt with their ugly corporate logo smeared across it. If I am dumb enough to buy it, well, I was dumb enough to buy it. If anything gives me pause, it is the government. If I tell the government I don't feel like paying for social security this year because I would rather invest that money myself, they CAN point a gun to my head and tell me that I am mistaken and I in fact DO want to buy social security this year.