An RFID Hack Job

By Bob Violino

Could hackers change prices on EPC tags in stores and even gain access to sensitive supply chain data?

  • TAGS

As if senior executives at companies faced with RFID mandates from the likes of Metro, Tesco, Wal-Mart and the U.S. Department of Defense didn’t have enough to worry about, suddenly there was a new concern raised in late July: Hackers rewriting data on tags manufacturers put on products.

In an article entitled “A Hacker’s Guide To RFID,” Forbes magazine suggested that hackers armed with nothing more than a PDA equipped with an RFID reader could change the price of a $7 bottle of shampoo to $3 and pay through an automated checkout counter. The magazine quoted Lukas Grunwald, a German consultant, as saying not only would this be possible, but that he’d created a free software program called RFDump and used it to change data on tags used at the Metro Future Store in Germany. Grunwald announced the release of the software at the Black Hat Security Briefings conference in Las Vegas.

Forbes explained that tags being used on pallets and cases shipped to Wal-Mart today have no pricing information and that Metro didn’t have strong security in place because it is simply running a pilot. But that didn’t stop many publications from picking up the story and running wild with it.

“Security Shocker: RFID Data Can Be Hacked” screamed a headline from CXO Today, an India-based Web site aimed at CIOs, CTOs and other senior IT managers. Wireless NewsFactor, a Web site for executives deploying wireless technologies, asked: “RFID: The Next Security Nightmare?” FoodNavigator, a British Web site aimed at the food industry, declared: “Report Exposes Potential RFID Weaknesses.”

Many stories, including one on the technology news site CNet, tied the hacking news to the unrelated issue of consumer privacy. A CNet story entitled “RFID Tags Become Hacker Target,” had this to say: “Low-cost RFID tags—many of which are smaller than a nickel and cost less too—are already being added to packaging by retailers to keep track of inventory, but could be abused by hackers and tech-savvy shoplifters, said Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH. While the technology mostly threatens consumer privacy, it could allow thieves to fool merchants by changing the identity of goods, he said.”

Most of the stories focused on the ability of consumers to change prices stored on RFID tags. But in a story entitled “RFID Hack Could Allow Retail Fraud,” eWeek, a leading trade publication, raised the possibility of entire supply chains being under threat. It quoted Grunwald as saying: “It is only a matter of time before someone puts a root exploit on one of these tags and hacks into your supply chain.”

A root exploit is a kind of back door that gives ordinary users “root,” or core directory, privileges. Meaning, that some hacker might conceivably write something on an RFID tag that would enable him to get information about all the goods in a company’s supply chain. Sounds scary, but the entire hullabaloo over Grunwald’s RFDump program was based on ignorance about how RFID will be deployed in supply chains and eventually in stores.

When RFID tags are eventually placed on individual items in stores, companies will almost certainly use low-cost, read-only tags. These tags will communicate with any reader. But you won’t be able to change the data on them. Even if companies choose to use one-time programmable tags, the tags will still contain only a serial number. Pricing and other information will be stored in a secure database. Only those with access to the database will be able to change the price of an item.

There will be times where companies will want to secure information on read-write tags. Current EPC specifications for read-write tags have only 256 possible lock codes. A hacker could program a reader to send all 256 possible codes to a tag and then either read the data on a tag or instruct the tag to permanently deactivate itself (this is called the “kill command”). But there are solutions to this problem. One way to protect data on the tags is to put it to sleep for a certain period if the wrong lock code has been sent. That way, it might take a hacker hours to run through the 256 different lock codes. As the cost of RFID tags comes down, it will also be possible to produce more sophisticated tags that support longer lock codes or even encryption, for less than what today’s simple tags cost.

What was overlooked in all the stories about RFDump was that EPC technology is far more secure than the bar code system in use today. Anyone with a laser printer can scan the bar code on a low-cost item, print out copies on a laser printer, stick them on higher-priced products at their supermarket and use a self-checkout system to get away with paying less.

With the EPC system, even if a hacker could rewrite a bogus EPC to a tag, software could check if the serial number of that product was received in the store or already sold. Software could even check if a duplicate EPC exists anywhere in the world. If it does, an alert could be sent to a manager to investigate whether someone was fraudulently changing or cloning data on tags.