Home Internet of Things Aerospace Apparel Energy Defense Health Care Logistics Manufacturing Retail

Access This Premium Content

Options To Access This Article:

What Subscribers Are Saying

  • "Probably the best investment I've ever made."
    Steve Meizlish, President & CEO, MeizCorp Services, Inc.
  • "I have found that RFID Journal provides an objective viewpoint of RFID. It you are looking for a resource that provides insights as to the application and implications of deploying RFID, RFID Journal will meet your needs, It gives you a broad perspective of RFID, beyond the retail supply chain."
    Mike O'Shea, Director of Corporate AutoID/RFID Strategies & Technologies, Kimberly-Clark Corp.
  • "No other source provides the consistent value-added insight that Mark Robert and his staff do. In a world dominated by press release after press release, RFID Journal is developing as the one place to go to make the most sense out of the present and future of RFID in commerce."
    Bob Hurley, Project Leader for RFID, Bayer HealthCare's Consumer Care Division
  • "RFID Journal is the one go-to source for information on the latest in RFID technology."
    Bruce Keim, Director, Hewlett-Packard
  • "RFID Journal is the only source I need to keep up to the minute with the happenings in the RFID world."
    Blair Hawley, VP of Supply Chain, Remington Products Company

An RFID Hack Job

Could hackers change prices on EPC tags in stores and even gain access to sensitive supply chain data?
By Bob Violino
Oct 01, 2004—As if senior executives at companies faced with RFID mandates from the likes of Metro, Tesco, Wal-Mart and the U.S. Department of Defense didn’t have enough to worry about, suddenly there was a new concern raised in late July: Hackers rewriting data on tags manufacturers put on products.

In an article entitled “A Hacker’s Guide To RFID,” Forbes magazine suggested that hackers armed with nothing more than a PDA equipped with an RFID reader could change the price of a $7 bottle of shampoo to $3 and pay through an automated checkout counter. The magazine quoted Lukas Grunwald, a German consultant, as saying not only would this be possible, but that he’d created a free software program called RFDump and used it to change data on tags used at the Metro Future Store in Germany. Grunwald announced the release of the software at the Black Hat Security Briefings conference in Las Vegas.

Forbes explained that tags being used on pallets and cases shipped to Wal-Mart today have no pricing information and that Metro didn’t have strong security in place because it is simply running a pilot. But that didn’t stop many publications from picking up the story and running wild with it.

“Security Shocker: RFID Data Can Be Hacked” screamed a headline from CXO Today, an India-based Web site aimed at CIOs, CTOs and other senior IT managers. Wireless NewsFactor, a Web site for executives deploying wireless technologies, asked: “RFID: The Next Security Nightmare?” FoodNavigator, a British Web site aimed at the food industry, declared: “Report Exposes Potential RFID Weaknesses.”

Many stories, including one on the technology news site CNet, tied the hacking news to the unrelated issue of consumer privacy. A CNet story entitled “RFID Tags Become Hacker Target,” had this to say: “Low-cost RFID tags—many of which are smaller than a nickel and cost less too—are already being added to packaging by retailers to keep track of inventory, but could be abused by hackers and tech-savvy shoplifters, said Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH. While the technology mostly threatens consumer privacy, it could allow thieves to fool merchants by changing the identity of goods, he said.”

Most of the stories focused on the ability of consumers to change prices stored on RFID tags. But in a story entitled “RFID Hack Could Allow Retail Fraud,” eWeek, a leading trade publication, raised the possibility of entire supply chains being under threat. It quoted Grunwald as saying: “It is only a matter of time before someone puts a root exploit on one of these tags and hacks into your supply chain.”

A root exploit is a kind of back door that gives ordinary users “root,” or core directory, privileges. Meaning, that some hacker might conceivably write something on an RFID tag that would enable him to get information about all the goods in a company’s supply chain. Sounds scary, but the entire hullabaloo over Grunwald’s RFDump program was based on ignorance about how RFID will be deployed in supply chains and eventually in stores.

When RFID tags are eventually placed on individual items in stores, companies will almost certainly use low-cost, read-only tags. These tags will communicate with any reader. But you won’t be able to change the data on them. Even if companies choose to use one-time programmable tags, the tags will still contain only a serial number. Pricing and other information will be stored in a secure database. Only those with access to the database will be able to change the price of an item.

There will be times where companies will want to secure information on read-write tags. Current EPC specifications for read-write tags have only 256 possible lock codes. A hacker could program a reader to send all 256 possible codes to a tag and then either read the data on a tag or instruct the tag to permanently deactivate itself (this is called the “kill command”). But there are solutions to this problem. One way to protect data on the tags is to put it to sleep for a certain period if the wrong lock code has been sent. That way, it might take a hacker hours to run through the 256 different lock codes. As the cost of RFID tags comes down, it will also be possible to produce more sophisticated tags that support longer lock codes or even encryption, for less than what today’s simple tags cost.

What was overlooked in all the stories about RFDump was that EPC technology is far more secure than the bar code system in use today. Anyone with a laser printer can scan the bar code on a low-cost item, print out copies on a laser printer, stick them on higher-priced products at their supermarket and use a self-checkout system to get away with paying less.

With the EPC system, even if a hacker could rewrite a bogus EPC to a tag, software could check if the serial number of that product was received in the store or already sold. Software could even check if a duplicate EPC exists anywhere in the world. If it does, an alert could be sent to a manager to investigate whether someone was fraudulently changing or cloning data on tags.
To continue reading this article, please log in or choose a purchase option.

Option 1: Become a Premium Member.

One-year subscription, unlimited access to Premium Content: $189

Gain access to all of our premium content and receive 10% off RFID Reports and RFID Events!

Option 2: Purchase access to this specific article.

This article contains 873 words and 1 page. Purchase Price: $19.99

Upgrade now, and you'll get immediate access to:

  • Case Studies

    Our in-dept case-study articles show you, step by step, how early adopters assessed the business case for an application, piloted it and rolled out the technology.

    Free Sample: How Cognizant Cut Costs by Deploying RFID to Track IT Assets

  • Best Practices

    The best way to avoid pitfalls is to know what best practices early adopters have already established. Our best practices have helped hundreds of companies do just that.

  • How-To Articles

    Don’t waste time trying to figure out how to RFID-enable a forklift, or deciding whether to use fixed or mobile readers. Our how-to articles provide practical advice and reliable answers to many implementation questions.

  • Features

    These informative articles focus on adoption issues, standards and other important trends in the RFID industry.

    Free Sample: Europe Is Rolling Out RFID

  • Magazine Articles

    All RFID Journal Premium Subscribers receive our bimonthly RFID Journal print magazine at no extra cost, and also have access to the complete online archive of magazine articles from past years.

Become a member today!

RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations