RFID tags become hacker target

LAS VEGAS--Privacy advocates may not be the only people taking issue with the current crop of radio-frequency identification tags--merchants will likely have problems with a lack of security as well, a German technology consultant said Wednesday.

Low-cost RFID tags--many of which are smaller than a nickel and cost less too--are already being added to packaging by retailers to keep track of inventory, but could be abused by hackers and tech-savvy shoplifters, said Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH. While the technology mostly threatens consumer privacy, the it could allow thieves to fool merchants by changing the identity of goods, he said.

"This is a huge risk for companies," Grunwald said during a discussion at the Black Hat Security Briefings here. "It opens a whole new area for shoplifting as well as chaos attacks."

While expensive RFID reader hardware and hard-to-use software have hindered security research in the area, Grunwald said that's no longer a hurdle. The security expert announced during the session a new software tool he helped create that can be used to read and reprogram radio tags.

When such tools become widely available, hackers and those with less pure motives could use a handheld device and the software to mark expensive goods as cheaper items and walk out through self checkout. Underage hackers could attempt to bypass age restrictions on alcoholic drinks and adult movies, and pranksters could create confusion by randomly swapping tags, requiring that a store do manual inventory.

Grunwald's software program, RFDump, makes rewriting RFIDs easy. While there are significant malicious uses of the program, consumers could also use it to protect themselves, he said.

"Everyone should have the right, once they leave the store, to erase the RFID tags," he said. Deleting information on the tags would allow people to stop RFID checkpoints in stores and other places from tracking which products they are carrying, or which have been inserted under their skin.

Solving the business security issues may not be easy. While encryption could be used to hide data from unauthorized snoopers, not many RFID chips can handle the more-involved task of crunching cryptographic keys. Moreover, the RFID tags that can handle those tasks are among the most expensive on the market and not something you would stick on a cream cheese box at the grocery store, Grunwald said.

Store owners could have a database server that they program to track their goods using the unchangeable serial number on the RFID tag, however that adds a lot more complexity to the adoption of such technology, Grunwald added.

"The people who will be using this (shopkeepers) don't know much about technology," he said.

They're rewritable? Whose idea was that?

It never occurred to me that the RFID tags used for marking
goods would even have an erase capability... they're
replacing tags that are inhenetly hard to erase or modify,
they need to retain that characteristic: either writes would
have to be incremental (the protocol would allw you to
append information, but not change anything before the
'write mark'), or they'd have to use a physically permanent
write (eg, a fusible link PROM). Depending on security by
obscurity or the kind of crypto the cheap processors you
could put in a tag could handle... that's just inconceivable.

The people who design commercial security systems don't
seem NEARLY paranoid enough.

store RFID tags aren't rewriteable

This is FUD. The kind of RFIDs Grunwald talks about aren't those that will be used in stores. Stores will use the cheaper RFID variant that can't be rewritten and is more like a "serial number" for each label.

Grunwald says: "Store owners could have a database server that they program to track their goods using the unchangeable serial number on the RFID tag, however that adds a lot more complexity to the adoption of such technology,"

It seems he doesn't know what he is talking about, since that's the way they do it. Furthermore the store doesn't need to know the serial number for each single tag, since the beginning of each RFID-number identifies the product and only the last numbers are the serial number.

The thread of exchanging labels or creating your own is real, though minimal. It should be obvious that something is wrong when the expensive watch shows up as candy bar on the scanner. If RFIDs ever become the sole mean for determining how much you have to pay, tin-foil coated bags will be the way to go shoplifting.

[swwg69]

Not quite that dumb

Not the watch showing up as a candy bar,
But the $400 leather jacket shows up as a
$95 vinyl jacket.
Carry your replacement tags in,
nobody searches people coming into the store.

[swwg69]

It is easier than that.

Just carry an rfid tag from a product you already
bought into the store. It is easier to fool an
rfid reader than a UPC reader.
If the tags are set to truly unique,
then just swap one out on product in the store.
That will be faster than re-programming it.
Geez - thieves are lazy, think lazy.

Yes, I agree. This idea is horrible

To the author: you are an idiot.

[kfl49]

Why so much sci-fi?

I'm sure when engineers pour millions of dollars into RFID related research, they look into options like these in their scenarios and take precautions. I don't understand the whole paranoia around RFID, it's already being used in very serious military applications; I'm sure those require a lot more security than consumer apps.

[mardunba]

Nothing new here

Where is the big story about "hackers" printing out their own UPC labels containing numbers for a pack of bubble gum, slapping it on a new DVD player and heading to the checkout? It is much easier to print a UPC label on a $60 ink jet printer than hack an RFID tag and it doesn't seem to be a big problem for stores.

Same a the old days

Before UPC were used widly, you could just swap the price tag. Same with UPC, just swap a tag. As for RFID, since it is radio frequency, some products could have the tag inside the packaging, as to be tamper resistant. I don't see this being a show stoper for the technology.

[FoxFord]

Uninformed

As an electrical engineer, I'm rather annoyed at this article. It is clear that no research was done for this article. Correct me if I'm wrong, but EPCGlobal Standards (which Wal-Mart, Target, and most likely the rest will use) are read only, save the Kill bit. Now, if he had argued that havoc could be created by utilizing the kill bit, you would still have to know the password.

[m1k3y3]

One could attempt to brute force it depending on the password's length