An RFID Hack Job
Could hackers change prices on EPC tags in stores and even gain access to sensitive supply chain data?
Oct. 1, 2004—As if senior executives at companies faced with RFID mandates from the likes of Metro, Tesco, Wal-Mart and the U.S. Department of Defense didn’t have enough to worry about, suddenly there was a new concern raised in late July: Hackers rewriting data on tags manufacturers put on products.
In an article entitled “A Hacker’s Guide To RFID,” Forbes magazine suggested that hackers armed with nothing more than a PDA equipped with an RFID reader could change the price of a $7 bottle of shampoo to $3 and pay through an automated checkout counter. The magazine quoted Lukas Grunwald, a German consultant, as saying not only would this be possible, but that he’d created a free software program called RFDump and used it to change data on tags used at the Metro Future Store in Germany. Grunwald announced the release of the software at the Black Hat Security Briefings conference in Las Vegas.
Forbes explained that tags being used on pallets and cases shipped to Wal-Mart today have no pricing information and that Metro didn’t have strong security in place because it is simply running a pilot. But that didn’t stop many publications from picking up the story and running wild with it.
“Security Shocker: RFID Data Can Be Hacked” screamed a headline from CXO Today, an India-based Web site aimed at CIOs, CTOs and other senior IT managers. Wireless NewsFactor, a Web site for executives deploying wireless technologies, asked: “RFID: The Next Security Nightmare?” FoodNavigator, a British Web site aimed at the food industry, declared: “Report Exposes Potential RFID Weaknesses.”
Many stories, including one on the technology news site CNet, tied the hacking news to the unrelated issue of consumer privacy. A CNet story entitled “RFID Tags Become Hacker Target,” had this to say: “Low-cost RFID tags—many of which are smaller than a nickel and cost less too—are already being added to packaging by retailers to keep track of inventory, but could be abused by hackers and tech-savvy shoplifters, said Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH. While the technology mostly threatens consumer privacy, it could allow thieves to fool merchants by changing the identity of goods, he said.”
|
In an article entitled “A Hacker’s Guide To RFID,” Forbes magazine suggested that hackers armed with nothing more than a PDA equipped with an RFID reader could change the price of a $7 bottle of shampoo to $3 and pay through an automated checkout counter. The magazine quoted Lukas Grunwald, a German consultant, as saying not only would this be possible, but that he’d created a free software program called RFDump and used it to change data on tags used at the Metro Future Store in Germany. Grunwald announced the release of the software at the Black Hat Security Briefings conference in Las Vegas.
Forbes explained that tags being used on pallets and cases shipped to Wal-Mart today have no pricing information and that Metro didn’t have strong security in place because it is simply running a pilot. But that didn’t stop many publications from picking up the story and running wild with it.
“Security Shocker: RFID Data Can Be Hacked” screamed a headline from CXO Today, an India-based Web site aimed at CIOs, CTOs and other senior IT managers. Wireless NewsFactor, a Web site for executives deploying wireless technologies, asked: “RFID: The Next Security Nightmare?” FoodNavigator, a British Web site aimed at the food industry, declared: “Report Exposes Potential RFID Weaknesses.”
Many stories, including one on the technology news site CNet, tied the hacking news to the unrelated issue of consumer privacy. A CNet story entitled “RFID Tags Become Hacker Target,” had this to say: “Low-cost RFID tags—many of which are smaller than a nickel and cost less too—are already being added to packaging by retailers to keep track of inventory, but could be abused by hackers and tech-savvy shoplifters, said Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH. While the technology mostly threatens consumer privacy, it could allow thieves to fool merchants by changing the identity of goods, he said.”
To continue reading this article, please log in or choose a purchase option.
Option 1: Become a Premium Member.
| One-year subscription, unlimited access to Premium Content: $189 |
Option 2: Purchase this article.
| Pages: 1 | Word Count: 891 | Purchase Price: $19.99 |
