Low-cost RFID tags -- many which are smaller than a nickel and cost less too -- are already being added to packaging by retailers to keep track of inventory but could be abused by hackers and tech-savvy shoplifters, said Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH. While the technology mostly threatens consumer privacy, the new technology could allow thieves to fool merchants by changing the identity of goods, he said.
"This is a huge risk for companies," Grunwald said during a discussion at the Black Hat Security Briefings. "It opens a whole new area for shoplifting as well as chaos attacks."
While expensive RFID reader hardware and hard-to-use software have hindered security research in the area, Grunwald said that's no longer a hurdle. The security expert announced during the session a new software tool that he helped create that can be used to read and reprogram radio tags.
When such tools become widely available, hackers and those with less pure motives could use a handheld device and the software to mark expensive goods as cheaper items and walk out through self checkout. Underage hackers could attempt to bypass age restrictions on alcoholic drinks and adult movies, and pranksters could create confusion by randomly swapping tags, requiring that a store do manual inventory.
Grunwald's software program, RFDump, makes rewriting RFIDs easy. While there are significant malicious uses of the program, consumers could also use it to protect themselves, he said.
"Everyone should have the right, once they leave the store, to erase the RFID tags," he said. Deleting information on the tags would allow people to stop RFID checkpoints in stores and other places from tracking which products they are carrying, or read tags that have been inserted under their skin.
Solving the business security issues may not be easy. While encryption could be used to hide data from unauthorised snoopers, not many RFID chips can handle the more-involved task of crunching cryptographic keys. Moreover, the RFID tags that can handle those tasks are among the most expensive on the market and not something you would stick on a cream cheese box at the grocery store, Grunwald said.
Store owners could have a database server that they program to track their goods using the unchangeable serial number on the RFID tag but that adds a lot more complexity to the adoption of such technology, Grunwald added.
"The people who will be using this (shopkeepers) don't know much about technology," he said.
Talkback
This is pathetic. First of all they tell you that us that RFID ushers in a new era in security and now, obviously because they haven't done their job properly, they're telling us that it could actually not be secure and could cause total chaos.
Why didn't they make the tags read-only after they are originally programmed?
If the cost of the tags are as insignificant as we are being told, it wouldn't be a problem to replace the tag with one that is up-to-date.
Or, as critics have been asking, is this more about tracking people than security?
There is nothing new in this at all. No increased risk of fraud either. Note the use of the word "increased".
People have for years been replacing barciodes on expensive products with stickers containing barcodes from cheaper, or smaller variants, of the product.
then for the time being rf-id will just have to be used for internatl use, and not for the consumer. Just as a tracking medium.
Its harder to rip barcodes and prices off, they tear and some have the items name on them, also if a particular item is normaly expensive a tiller could tell, i know. Unless its self serve.
what about wrapping them in tin foil, i heard that can block the frequency, thus the item does not exist.