RFID is hailed by its fans as a tool that will revolutionize the supply chain by streamlining product tracking. Yet as Wal-Mart and other big retailers forge ahead on 2005 deadines for initial compliance, security risks are coming to light that could conceivably raise mayhem not just on retail shelves, but all the way back to warehouses, loading docks and vehicles in transit.
The current brouhaha over RFID began last week when Lukas Grunwald announced the creation of a software tool called RFDump. At the Black Hat Briefings, a security conference in Las Vegas, the German developer explained that his RFDump software makes it possible for a laptop or PDA user, armed with an RFID reader and power supply, to tamper with the EPC (Electronic Product Code) data stored in ISO 15693 RFID tags.
Grunwald spoke mostly about possible impacts on retail stores, but he also mentioned in passing that, at some point, somebody will probably place a root exploit on an RFID tag to hack all the way back into the supply chain.
I can foresee possible abuses that are the stuff of science fiction novels. I bet you can, too. If, as Grunwald predicted, a shopper might reprogram a bottle of shampoo as cream cheese in a retail store, think what fun pranksters (or competitors) might get out of reprogramming cartons, cases or pallets of shampoo in huge warehouses!
Crooks could get into the RFID act, too, adopting the supply chain as a platform for all kinds of daring, techno-abetted schemes and ruses.
Who knows? Terrorists might even try to haul truckloads of arms over U.S. borders, mislabeled on RFID tags as baseball bats or fishing rods.
Probably none of those misfortunes will ever ensue, but at the same time, some major retail and government customers are trying hard to push RFID adoption, and on very quick deployment schedules. Wal-Mart has mandated that its top 100 suppliers support RFID by January 2005, with smaller ones to follow in 2006 and 2007. Retailers Target and Albertsons have established spring 2005 as their deadlines for Phase One compliance.
The U.S. Deptartment of Defense has likewise set 2005 as the time for its suppliers to conform to RFID. Presumably, however, military suppliers will be using tamperproof tags.
Yet the RFID tags used by many retail stores will store data in unencrypted clear text, just dandy for easy reprogramming. Why? Its still quite costly to buy the type of RFID tags that have chips capable of crunching cryptographic keys.