Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Mobile

    RFID Hack Could Allow Retail Fraud

    By
    Mark Hachman
    -
    July 29, 2004
    Share
    Facebook
    Twitter
    Linkedin

      LAS VEGAS—A German consultant has released a tool that its creator says will allow modifications of the code stored within RFID tags, theoretically allowing consumers to wreak havoc in future retail deployments.

      The RFDump software allows a user equipped with an RFID reader, a laptop or PDA, and a power supply to rewrite the data stored in ISO 15693 tags, the most common tags used to host the EPC (Electronic Product Code) information traditionally stored in bar codes.

      /zimages/3/28571.gifClick here to read about eWEEK Labs analysis of RFID.

      Although each RFID tag carries with it a unique product ID, the EPC is stored in the “user area” portion of the chip, which allows it to be rewritten. That poses problems to both consumers and retailers, RFDumps author, Lukas Grunwald, a senior consultant with Hildesheim, Germany-based DN-Systems Enterprise Solutions GmbH, said: On one hand, consumers could defraud a retailer by reprogramming a premium item as a cheap commodity. On the other hand, consumers would have to worry about the items in their shopping carts being read by “Big Brother,” or at least the many retailers in a shopping mall.

      The tool was released as part of a talk at the Black Hat Briefings here, dedicated to IT security.

      /zimages/3/28571.gifClick here to read about Congress RFID concerns.

      And theres an even worse scenario: “It is only a matter of time before someone puts a root exploit on one of these tags and hacks into your supply chain,” Grunwald said.

      RFID tags have been seen as a revolutionary device by retailers, manufacturers and the military. Theoretically, a pallet or product with an embedded RFID tag can be tracked more accurately, resulting in a more efficient inventory-management system that could be used to quickly replace umbrellas, for example, that sold out during a rainstorm. Gap Inc. and Italys Benetton already use the tags in their stores.

      In Europe, the Gillette Co. has used RFID tags inside packages of razor blades to minimize theft, Grunwald said. And Wal-Mart Stores, the worlds largest company, and the U.S. Department of Defense have separate programs to rework their supply chains around RFID tags by next year. By 2007, all manufacturers, retailers, drug stores, hospitals and smaller retails will use the tags, according to Robin Koh, a member of the Auto-ID Labs industry consortium. Already, RFID tags are popping up inside consumer loyalty cards.

      The assumption is that the military will have the budget to buy tamperproof tags. But not so for retailers and manufacturers, who will likely try to scrimp, Grunwald said. The most common EPC tags store the item information in cleartext inside the tag, and allow rewriting of the data. Each tag sits idle until powered on by the RF energy emitted from the gate, and can then be read.

      Next Page: Tool facilitates criminal mischief.

      Page 2


      Using the RFDump tool, a shopper could covertly rewrite the tag inside the store, creating all sorts of criminal mischief. The shopper could reprogram a bottle of shampoo as cream cheese, or rewrite a pornographic DVD as childrens entertainment, Grunwald said.

      The trick only works if a shop has implemented automatic checkout, or at least one that doesnt encourage human intervention. Some retailers use a video camera to double-check items, according to a Defense Department IT employee attending the convention. Germanys METRO Group has already deployed an RFID-equipped store in Rheinburg, Germany, complete with self-checkout kiosks.

      /zimages/3/28571.gifFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

      A second system at the store exit checks to see if the user has paid for all of his items, then supposedly writes 0s in the user ID field, erasing the tag for privacy purposes. Alarms will sound if a shopper attempts to sneak away. One way to exasperate store owners, Grunwald said, is to buy an individual tag, program it with item data, then slip the tiny tag near the gate. After 5 minutes of shrieking sirens, the gate will be turned off, he said.

      However, the tags require the RF energy to function. Wrapping a tag in aluminum foil blocks the radio waves and prevents a tag from being identified. Security firm RSA Security has also released a so-called “blocker tag” to prevent a shoppers privacy. But RFDump can still access and attack the stored information, Grunwald said.

      /zimages/3/28571.gifeWEEK.coms Lisa Vaas offers tips for getting ready for RFID.

      As a proof of concept, Grunwald also added a “cookie” function to RFDump that allows a store to track the number of times a shopper enters or picks up an item. An audience member pointed out that that had serious implications for personal privacy. “You are exactly correct,” Grunwald said. “It is a very scary thing.”

      /zimages/3/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

      /zimages/3/77042.gif

      Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page

      Avatar
      Mark Hachman

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×