Comments on: RFID tags become hacker target

The tracking technology could be abused by tech-savvy shoplifters to mark expensive goods as cheaper items.

They're rewritable? Whose idea was that?

It never occurred to me that the RFID tags used for marking
goods would even have an erase capability... they're
replacing tags that are inhenetly hard to erase or modify,
they need to retain that characteristic: either writes would
have to be incremental (the protocol would allw you to
append information, but not change anything before the
'write mark'), or they'd have to use a physically permanent
write (eg, a fusible link PROM). Depending on security by
obscurity or the kind of crypto the cheap processors you
could put in a tag could handle... that's just inconceivable.

The people who design commercial security systems don't
seem NEARLY paranoid enough.

store RFID tags aren't rewriteable

This is FUD. The kind of RFIDs Grunwald talks about aren't those that will be used in stores. Stores will use the cheaper RFID variant that can't be rewritten and is more like a "serial number" for each label.

Grunwald says: "Store owners could have a database server that they program to track their goods using the unchangeable serial number on the RFID tag, however that adds a lot more complexity to the adoption of such technology,"

It seems he doesn't know what he is talking about, since that's the way they do it. Furthermore the store doesn't need to know the serial number for each single tag, since the beginning of each RFID-number identifies the product and only the last numbers are the serial number.

The thread of exchanging labels or creating your own is real, though minimal. It should be obvious that something is wrong when the expensive watch shows up as candy bar on the scanner. If RFIDs ever become the sole mean for determining how much you have to pay, tin-foil coated bags will be the way to go shoplifting.

[swwg69]

Not quite that dumb

Not the watch showing up as a candy bar,
But the $400 leather jacket shows up as a
$95 vinyl jacket.
Carry your replacement tags in,
nobody searches people coming into the store.

[swwg69]

It is easier than that.

Just carry an rfid tag from a product you already
bought into the store. It is easier to fool an
rfid reader than a UPC reader.
If the tags are set to truly unique,
then just swap one out on product in the store.
That will be faster than re-programming it.
Geez - thieves are lazy, think lazy.

Yes, I agree. This idea is horrible

To the author: you are an idiot.

[kfl49]

Why so much sci-fi?

I'm sure when engineers pour millions of dollars into RFID related research, they look into options like these in their scenarios and take precautions. I don't understand the whole paranoia around RFID, it's already being used in very serious military applications; I'm sure those require a lot more security than consumer apps.

[mardunba]

Nothing new here

Where is the big story about "hackers" printing out their own UPC labels containing numbers for a pack of bubble gum, slapping it on a new DVD player and heading to the checkout? It is much easier to print a UPC label on a $60 ink jet printer than hack an RFID tag and it doesn't seem to be a big problem for stores.

Same a the old days

Before UPC were used widly, you could just swap the price tag. Same with UPC, just swap a tag. As for RFID, since it is radio frequency, some products could have the tag inside the packaging, as to be tamper resistant. I don't see this being a show stoper for the technology.

[FoxFord]

Uninformed

As an electrical engineer, I'm rather annoyed at this article. It is clear that no research was done for this article. Correct me if I'm wrong, but EPCGlobal Standards (which Wal-Mart, Target, and most likely the rest will use) are read only, save the Kill bit. Now, if he had argued that havoc could be created by utilizing the kill bit, you would still have to know the password.