RFID More Hackable Than Retailers Think?

Iphtashu Fitz writes "Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH, is warning retailers that the RFID technology that they are quickly adopting can easily be hacked with the appropriate tools. Grunwald has written a program called RFDump which lets you read and display all metadata within an RFID tag and also modify the user data using a text or hex editor. He wrote this program to demonstrate how consumers can protect themselves by wiping out RFID data after purchasing a product but he acknowledges that it would be trivial to abuse this behavior. What, you might ask, can you do if you hack an RFID tag? Well as the technology is adopted more widely a thief could conceivably mark down the price of an expensive piece of jewelry before paying for it at an automated checkout counter, underage hackers could purchase alcohol or adult movies, and pranksters could simply reprogram the inventory of an entire store by just walking up and down the isles. 'The people who will be using this (shopkeepers) don't know much about technology,' Grunwald warned."

No Tech is safe

[KD5UZZ]

Can anyone point out a new technology that was 'safe' when it was first deployed? It seems that every new technology has some security defect, or some other flaw. This reminds me of DirectTV smart cards.

Re:No Tech is safe

[Lumpy]

It's simple. instead of using the expensive reprogrammable rfid tags you use the cheaper PROM rfid tags.

you set them once and they stay that way forever.

The story is nothing but high brow FUD.

not all RFID tags are the rewriteable type. most are the single write read many variety. and nothing is to stop a manufacturer like coke from ordering their rfid tags preprogrammed. not every can of coke needs a different tag. (just like hoe they dont have different barcodes on them.

Re:No Tech is safe

[Elecore]

Also, the self checkout lines double check your items by weight. So if you scan your steaks as onions, it's going to see that your steaks weigh a lot more than the onions should and notify the person on duty.

Its easy

[kunjan1029]

i dont think anyone could mark down stuff. because the price is not stored in the RFID itself. its a seperate database that matches with the product code. but yeah the thief might be able to change the product code to another cheap product. and thereby acheive the same thing

just my 0.02

Barcodes are unsafe too.

[JanMark]

When barcodes were introduced, retailers feared barcode swappers, because barcodes were not printed on partitioned labels, like those small price labels used to be (If you can remeber when all items were (manually) priced, you are getting old.) It turned out not to be to big a problem (now most barcodes are printed).

However, when you can automate something, that is an differend story. With tag swapping, you can play the percentage game, usually the number of individual swappers is small. With automated swapping (esp. wireless), one individual can swap everything. That is a true risk.

However like the step from label to printon bar code. There is only a small window of opportunity.
In the near future, we will see read-only tags, embedded during the production fase.

Using EAN and RFID to shop ethically

[zyche]

I have an idea that I've been thinking about for a while.

Some of us choose what to buy on the basis on how well-behaved the producing company is. Nothing new here. Some "bad" companies and their products are easy to indentify: I try to not buy anything from Nestle (breastmilk substitute in Africa), McDonalds (cutting down rainforests), and so on. As you can see from my reasons, they are probably a bit outdated as it can be hard to get good consumer information through the media noise.

Ok, heres the thing: most products these days have an EAN/UCC code. The number in that code includes an identifier for the selling company. What if the Internet community would create a database of companies and start setting grades on them with regards to product quality, environment concern, workforce treatment, and so on?

"But it would be too much of a hassle to query the database each time one buy cerials" you say. Sure, but consider two things:

• Most mobilephones today (and certainly more in the future) have a builtin camera. Use that to photograph the EAN code, run a picture recognition program (in the phone ofcourse) and either compare to a snapshot database in the phone or check the online database directly!
• You will quickly learn to avoid certain brands, and also educate people in your surrondings (friends, relative, etc).

How do RFID fit into this? Well, imagine a clock that vibrates when you are about to touch some ethically questionable item! :-D

RFIDs have been creating a lot of interest in the industry as it gives them better control over where items are, who buys them, if they return, etc. Now, if consumers could easily boycott a company due to bad quality or unethically behavior, the whole idea could backfire on them!

Not everyone can really write to tags

[happynut]

This case was already covered in the older RFID specs that used to appear at www.autoidcenter.org (they have since become viewable to membersonly when they handed standards off to www.epcglobalinc.org several months ago).

In order to write data to the tag you needed to know a 64bit number that was programmed into the tag. The standard didn't say how you set that number; that was policy reserved to the tag programmer. But in order to have a write command accepted, you needed to match the previously programmed number.

So if commercially deployed tags really are generally writeable it is more of an administration problem (like leaving telnet enabled on public facing servers) than a failure to consider the problem at all.

Why these people are fucked.

[syberanarchy]

Let's be honest, the biggest advocate of this stuff (walmart) isn't exactly the employer of rocket scientists. I have called them before at midnight, asking if they had Socom and the PS2 Net Adapter (when that was the "new thing.")

"Oh, yeah, we have it."

I get there, and it turned out they didn't have it. They had an AC Adapter.

A clerk who cannot tell the difference between something that lets you go on the internet and something that plugs into the electric socket will be easily fooled by the RFID swap. Even if someone DOES check your bag, do you think "Joe Walmart" is really going to be acute enough in his observation to recognize that you've got the high end ATI card, and not the 9600? Doubtful.

It'll be great to watch Wal-Mart reap the fruit of the seed they've sown - lost merchandise, lost profits, etc. And it's quite fitting that this really has nothing to do with RFID, but their unwillingness to go the extra mile to spend a few more bucks to get employees who know what they are doing.

RFID Tags

[butlerdi]

The tags do not generally contain data and for the most part are read only in the new systems. The tag only contains an identifier which is used to access the info just like a barcode. Changing the number to another at the checkout would still display the id of the product. You have a watch at the checkout and the till shows a tin of beans.... These systems are not that easy to hack in reality, at least no more so than barcodes. Most people do not change the price tags either out of honesty or fear of being caught. I doubt very much that jewelry stores will ever have self checkout lanes.

Re:W-O-R-M

[gd23ka]

This question deserves both: to be modded up and an answer.

First of all, there are no widely adopted international standards for RFID but there is work on ISO 18000, so it all depends on whether your reader/forger supports a given tag's vendor protocol.

The next problem is that RFID systems can operate at different frequencies, the most common ones are 125KHz - 148KHz, high at 13.56 MHz, UHF 850-915MHz and even at 2.45 GHz in the ISM band.

The tags that will be used in retail at automated checkout counters all have a scheme for preventing tag-collision that occurs when tags respond simultaneously to the reader. In order to hide a $800 digital cam-corder the following would have to happen:

You bring the forger into the store and operate it where it is not in view of the many security cameras staring at you

You research the store for a low price article that matches within tolerance what the cam-corder weighs. What that tolerance is,will be open to your own research. Setting the forger to lowest sensitivity / lowest transmit power you read the RFID data of the low-price article. Make double sure the data you read is from the low-price article and not from one of the thousands of tags surrounding you.

The low-price article may have individual identifying RFID data that must NOT be scanned at the checkout counter, not even after you and maybe your helper have left the store (Remember the security cameras, they could potentially match up your face at the automatic checkout with the article!). Also, again if the RFID data uniquely identifies the article another customer could take it to the automatic checkout and the system could mark the article as already sold in its database meaning you can't purchase it in lieu of the cam-corder. You must disable / destroy the low-price article's RFID tag either physically or with the forger.

You set the forger to the lowest sensitivy / lowest transmit power to read out the RFID data of the cam-corder. Make sure you get the right RFID data because you will be surrounded by tons of RFID tags. (BTW, it may be safer to read out the RFID data of the cam-corder you want one day and maybe have someone else get it the next day, but if you do that then make sure you mark the box some way that you or your helper takes the right cam-corder to the checkout. This may be because each cam-corder may have unique RFID data).

You take the cam-corder to the checkout and flip the forger into forge-mode. The forger monitors the radio communication at the reader forcing the transmission of the low-price article's RFID data utilizing the vendors tag-collision protocol to quiet the cam-corders tag. After transmitting the low-price article RFID data the forger jams the reader making the automatic checkout believe this is the only article being presented for purchase.

Complete the purchase with cash or with credit/debit cards not linked to you.