RFID More Hackable Than Retailers Think?

Iphtashu Fitz writes "Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH, is warning retailers that the RFID technology that they are quickly adopting can easily be hacked with the appropriate tools. Grunwald has written a program called RFDump which lets you read and display all metadata within an RFID tag and also modify the user data using a text or hex editor. He wrote this program to demonstrate how consumers can protect themselves by wiping out RFID data after purchasing a product but he acknowledges that it would be trivial to abuse this behavior. What, you might ask, can you do if you hack an RFID tag? Well, as the technology is adopted more widely a thief could conceivably mark down the price of an expensive piece of jewelry before paying for it at an automated checkout counter, underage hackers could purchase alcohol or adult movies, and pranksters could simply reprogram the inventory of an entire store by just walking up and down the aisles. 'The people who will be using this (shopkeepers) don't know much about technology,' Grunwald warned."
  • No Tech is safe (Score:5, Insightful)

    by KD5UZZ ( 726534 ) <slashdot.20.kd5uzzNO@SPAMspamgourmet.com> on Thursday July 29, 2004 @03:38AM (#9829419) Homepage
    Can anyone point out a new technology that was 'safe' when it was first deployed? It seems that every new technology has some security defect, or some other flaw. This reminds me of DirectTV smart cards.
    • Re:No Tech is safe (Score:4, Insightful)

      by Chexum ( 1498 ) on Thursday July 29, 2004 @03:46AM (#9829456) Homepage
      Of course, but umm, what prevents me now relabeling the bar codes in a store? And it's not that high tech either..
      • I don't know, maybe security cameras?
        With RFID, it's likely possible to do all this without ever displaying any out-of-the-ordinary behavior. If you've got the re-pricer in your pocket, just getting near the item would be enough to rebrand it, while simultaneously rebranding items you happen to walk close to. Of course, people will probably start looking at things funny when the store oversells all their $5 DVDs while having enormous shrinkage on new releases....
      • Re:No Tech is safe (Score:5, Interesting)

        by Sique ( 173459 ) on Thursday July 29, 2004 @04:01AM (#9829522) Homepage
        The fact that relabelled barcodes are quite easy to spot, even for an untrained eye.

        Reprogrammed RFID chips cannot be spotted without the proper equipment. And if you use the self checkout lane, there is no one to spot anything except the machine, which is programmed to look solely at the RFID chips.

        A way to prevent some misuses would be to ask the customer to scan at least the bar code too, so the checkout machine can do a match between the RFID information and the bar code information. But THEN your argument holds true that the fraudulent customer could also relabel the good before going to the checkout. A label scanner is not able to differentiate between a printed-on bar code and a bar code that got stuck on by someone.
        • Re:No Tech is safe (Score:5, Informative)

          by Lumpy ( 12016 ) on Thursday July 29, 2004 @05:37AM (#9829803) Homepage
          It's simple. Instead of using the expensive reprogrammable RFID tags you use the cheaper PROM RFID tags.

          You set them once and they stay that way forever.

          The story is nothing but high brow FUD.

          Not all RFID tags are the rewriteable type. Most are the single write read many variety. And nothing is to stop a manufacturer like Coke from ordering their RFID tags preprogrammed. Not every can of Coke needs a different tag (just like how they don't have different barcodes on them).
          • Re:No Tech is safe (Score:5, Insightful)

            by Muad'Dave ( 255648 ) on Thursday July 29, 2004 @06:12AM (#9829928) Homepage

            ...not every can of coke needs a different tag.

            It depends on what you're trying to accomplish. If you're attempting to take inventory by using RFID tags, having a product ID and serial number in the tag is a good thing. You can wave the reader around a shelf and know how many cans of Coke you have in six packs, 12 packs, 20 oz, etc (each different form factor would have a unique product ID).

            Similarly, a drink machine could contain a reader coil around the inside of the refrigerated box that could poll the contents of the machine and set prices accordingly (today I have 20oz Coke bottles - they're $1. The Red Bulls are $2, etc). The machine could also 'call home' when a particular item runs low. There are lots of reasons to have unique IDs on otherwise identical products.

            • by cnelzie ( 451984 )
              The insides of soda machines are all segregated columns filled with the various sugar drinks. Each column contains a separate type of drink, although a few columns could contain the same drink; that's just a matter of local preferences.

              Since each column is limited to one type of drink the machine can easily test how many of each brand are left and notify 'home' that they are running low. Which won't necessarily mean it will be filled quicker, it just means they know exactly what to bring to the machine.
              • There is no reason to put an RFID into the cans going into Drink Machines. They serve no purpose that isn't already covered by tried and true technology.

                You forget, sir, that the RFID companies would like to make money. Therefore, logical arguments such as yours are thrown out for "LOOK HOW MUCH EASIER IT IS WITH RFID!"
              • There is no reason to put an RFID into the cans going into Drink Machines. They serve no purpose that isn't already covered by tried and true technology.

                They can serve some new purposes, allowing future drink machines to be designed differently.

                RFID-enabled machines can have smaller granularity of product choices. Suppose machines hold 320 drinks. If it's split into 8 columns, you can only put 8 different things in there, limiting marketing opportunities. (Can't have 5 kinds of expensive, rarely purc
            • Re:No Tech is safe (Score:2, Insightful)

              by Lumpy ( 12016 )
              No no no...

              The 16oz cans all need the same RFID tag, exactly how they do it right now with barcodes.

              Then have different RFID tags for the case package.

              Stores then can see that johnny-public bought an item that has a Case identifier tag and 12 can identifiers... making one complete case of Coke.

              Serializing is still simple and is part of the manufacturing process in most chips anyway.
          • Re:No Tech is safe (Score:5, Insightful)

            by dnoyeb ( 547705 ) on Thursday July 29, 2004 @06:44AM (#9830021) Homepage Journal
            Yes rubbish.

            It's a TAG which contains METAdata, not data.

            It does not contain item prices or consumer behavior. It's an ID for crying out loud. The actual ID number is fixed and not changeable. Plus most have a crypto mode, which can be locked on permanently. Once locked, the data can still be changed, but you need the special key and whatnot, which means you need to break the encryption. It's not trivial.

            The space on the tag is used for identification purposes ONLY. The tracking is done by a database elsewhere.

            We've been tagging whales and wild animals for years, but you don't put the info in the tag, you put it in a database, duh.
            • Once locked, the data can still be changed, but you need the special key and whatnot, which means you need to break the encryption. It's not trivial.

              You obviously have never heard of DeCSS...:) It would be trivial to crack the key if you look to previous commercial encryption systems.
        • Audits (Score:3, Interesting)

          by mfh ( 56 )
          You might think self check-outs are easy to fool, but the fact is when they do an audit on the day, and realize that you've walked out with a load of stuff you didn't pay for, security is going to grab frames of you in the self-checkout and you'll be caught if you do it more than once. Sure if someone accidentally gets a deal on something once, they won't ban you from a store, but if your whole shopping spree is from a hacked slew of RFIDs, you'll find your picture on the wall of the security office and the
          • Re:Audits (Score:3, Insightful)

            by mengel ( 13619 )
            That only works if someone does just one item.

            If you remap every item in the store, everything everyone buys on that day will be wrong. Narrowing it down to the Black Hat who did it is hard.

            If you swap IDs between components, the inventory (which they also take with RFIDs, of course) comes out right, and the problem shows up when a pack of gum has the RFID of a $50 item...

      • Of course, but umm, what prevents me now relabeling the bar codes in a store? And it's not that high tech either..

        It's a tricky process to do surreptitiously. You have to align a label correctly over the barcode of the product and flatten it down so that it can be scanned properly.

        Reprogramming an RFID tag could be done using hidden equipment while merely holding the item in front of you. You could do it right in front of a security camera and not be noticed.
      • The solution: (Score:5, Insightful)

        by nahdude812 ( 88157 ) on Thursday July 29, 2004 @06:13AM (#9829933) Homepage
        Legislation.

        We'll just release poorly thought out technology that promises things older techs can't deliver, but make sure not to put in the press releases that mayhem can ensue from its use. Then when someone discovers this, we'll just see to it that it's illegal to own equipment capable of performing these operations (despite their otherwise legitimate uses), and so we have protected our customers by giving them a false sense of security while sacrificing another tiny bit of essential liberty.
      • Re:No Tech is safe (Score:3, Insightful)

        by whorfin ( 686885 )
        This kind of relabeling was happening before there were barcodes or scanners of any kind in common use. When I was in high school, and working in a grocery, some unscrupulous customer had pilfered one of the pricing sticker guns while the stock clerk wasn't looking. They apparently used it to reprice some stuff cheaper, but when the cashier noticed that some expensive stuff rang up way too cheap...busted!

        There was also the case of a cashier who rang up expensive meats for her friends at a fraction of the s
    • Barcodes (Score:2, Funny)

      by xixax ( 44677 )
      How is this any different from sticking your own barcodes on products? At my local store, the video screen flashes a picture of every product scanned, so that even the most bored, drug addled check-out chick will notice.

      Reminds me of my plan to stick condom barcodes on boxes of oatmeal.

      Xix.
  • Reprogramming (Score:5, Insightful)

    by Amiga Lover ( 708890 ) on Thursday July 29, 2004 @03:39AM (#9829425)
    and pranksters could simply reprogram the inventory of an entire store by just walking up and down the aisles

    What quicker way to make life insanely difficult for a retailer who forces the use of these things upon customers.

    How much would it cost to re-manualise their systems if they keep on just losing track of the info in their RFID tags? How many would even bother after the 2nd time?

    Looks good
    • Re:Reprogramming (Score:3, Insightful)

      by dmayle ( 200765 )
      Sorry to say, but this is where the Patriot Act will come into play. You'll be marked as a "domestic terrorist" (basically anyone violating federal law) in no time, and then it's Go Directly To Jail, Do Not Pass Go, Do Not Collect $200.
    • The RFID is used to keep track of inventory. Just what does that impose on the customer? Please be specific.

  • Its easy (Score:5, Insightful)

    by kunjan1029 ( 447713 ) <email@slashdot.kunjan@net> on Thursday July 29, 2004 @03:40AM (#9829430) Homepage
    I don't think anyone could mark down stuff, because the price is not stored in the RFID itself. It's a separate database that matches with the product code. But yeah, the thief might be able to change the product code to another cheap product, and thereby achieve the same thing.

    just my 0.02
    • if I wanted to do just what you described, it would be pretty simple. So yes, that is what we would do

      http://example.com/ [example.com]
    • Re:Its easy (Score:5, Insightful)

      by rokzy ( 687636 ) on Thursday July 29, 2004 @04:03AM (#9829524)
      no, that is NOT the same thing.

      if the description doesn't fit the checkout assistant won't allow the sale.

      if you use an automated checkout, then why bother even changing it? you won't have the correct item on your receipt so no proof of purchase if stopped by security.

      all it would allow is you to claim someone else did it if you get caught. but if you have the RFID writer on you that won't work. you'll have to get rid of it but with security cameras everywhere that won't necessarily work.
      • Re:Its easy (Score:5, Insightful)

        by Asic Eng ( 193332 ) on Thursday July 29, 2004 @04:12AM (#9829559)
        all it would allow is you to claim someone else did it if you get caught. but if you have the RFID writer on you that won't work.

        So you have an accomplice do the remarking, he walks out after purchasing a chocolate bar, then it's your turn with the expensive stuff. Or you just go into the store twice, once with the RFID writer, and once to collect the stuff.


      • if the description doesn't fit the checkout assistant won't allow the sale.

        When was the last time you were in a large dept. store?

        The mindless zombies that work at the checkout barely even look at the register while they ring up the items. And even if they did, how trivial would it be to swap a no-name brand model for an ultra high quality model, and how likely would they notice the subtle difference?

      • Re:Its easy (Score:3, Insightful)

        by argStyopa ( 232550 )
        if the description doesn't fit the checkout assistant won't allow the sale.

        You have never really been IN a big store, have you?

        You walk up to the counter at Target or Wal Mart.
        You hand the checkout person the MP3 player you want to buy. It's an ABC corp 512 meg MP3 player with integrated everything, $300.

        However, you have switched the RFID codes with the ABC Corp's *bottom* end product, a 32 meg crap Mp3 player @ $14.99.

        The checkout person (9 times out of 10 a new immigrant who probably can't read engl
    • Re:Its easy (Score:4, Insightful)

      by Jace of Fuse! ( 72042 ) on Thursday July 29, 2004 @04:06AM (#9829539) Homepage
      You're not thinking about this right.

      Marking it down doesn't mean marking THAT item down, it simply involves making one item look like another.

      For example... if you program a $50 shirt to look to the scanner like a $14 shirt, instant discount.

      What would be funny though is a pack of balloons being remarked as a package of condoms or some other such amusing change of ID.
      • The more common abuse is to take 2 same items of different category and swap 'em. For instance a GeForce4MX and a GeForce4ti. Who would notice? And at a 200$ price difference, the store would lose bigtime.

        But i guess read-only tags will appear soon, as well as tag-writer-scanners or blockers
    • Many supermarkets in the UK (at least Tesco and Safeway, probably others also) currently use a system where reduced products have a new barcode stuck to them which encodes both the original product ID and the reduced price. I would expect that they will want to move on to a similar system if they ever switch to RFID-based item scanning.
    • Why not just have one of the RFID data fields be a digitally signed MD5 checksum on the entire record? In-store scanners could verify the encrypted checksum then hackers would need the store's private encryption key to modify the checksum field.
  • circle (Score:3, Insightful)

    by Outsider_99 ( 761534 ) on Thursday July 29, 2004 @03:40AM (#9829431)
    Doesn't everything go like this? I'm sure they will find a solution to the problem... then a new hack will come out... then a solution will come out...
  • W-O-R-M (Score:4, Interesting)

    by usefool ( 798755 ) on Thursday July 29, 2004 @03:41AM (#9829436) Homepage
    Is it possible to make RFID write once read many? So the product info is in the tag, and price/special/discount is cross-referenced with a database.

    Is there any advantage for embedding prices in the tag?
    • Re:W-O-R-M (Score:5, Interesting)

      by Jesrad ( 716567 ) on Thursday July 29, 2004 @04:18AM (#9829580) Journal
      Would it be possible to overlay a forged signal when the tag is interrogated, if I'm standing close enough to the reader?
      • Re:W-O-R-M (Score:5, Insightful)

        by gd23ka ( 324741 ) on Thursday July 29, 2004 @07:33AM (#9830262) Homepage
        This question deserves both: to be modded up and an answer.

        First of all, there are no widely adopted international standards for RFID but there is work on ISO 18000, so it all depends on whether your reader/forger supports a given tag's vendor protocol.

        The next problem is that RFID systems can operate at different frequencies, the most common ones are 125KHz - 148KHz, high at 13.56 MHz, UHF 850-915MHz and even at 2.45 GHz in the ISM band.

        The tags that will be used in retail at automated checkout counters all have a scheme for preventing tag-collision that occurs when tags respond simultaneously to the reader. In order to hide a $800 digital cam-corder the following would have to happen:

        You bring the forger into the store and operate it where it is not in view of the many security cameras staring at you

        You research the store for a low price article that matches within tolerance what the cam-corder weighs. What that tolerance is will be open to your own research. Setting the forger to lowest sensitivity / lowest transmit power you read the RFID data of the low-price article. Make double sure the data you read is from the low-price article and not from one of the thousands of tags surrounding you.

        The low-price article may have individual identifying RFID data that must NOT be scanned at the checkout counter, not even after you and maybe your helper have left the store (Remember the security cameras, they could potentially match up your face at the automatic checkout with the article!). Also, again if the RFID data uniquely identifies the article another customer could take it to the automatic checkout and the system could mark the article as already sold in its database meaning you can't purchase it in lieu of the cam-corder. You must disable / destroy the low-price article's RFID tag either physically or with the forger.

        You set the forger to the lowest sensitivity / lowest transmit power to read out the RFID data of the cam-corder. Make sure you get the right RFID data because you will be surrounded by tons of RFID tags. (BTW, it may be safer to read out the RFID data of the cam-corder you want one day and maybe have someone else get it the next day, but if you do that then make sure you mark the box some way that you or your helper takes the right cam-corder to the checkout. This may be because each cam-corder may have unique RFID data).

        You take the cam-corder to the checkout and flip the forger into forge-mode. The forger monitors the radio communication at the reader, forcing the transmission of the low-price article's RFID data utilizing the vendor's tag-collision protocol to quiet the cam-corder's tag. After transmitting the low-price article RFID data the forger jams the reader, making the automatic checkout believe this is the only article being presented for purchase.

        Complete the purchase with cash or with credit/debit cards not linked to you.

    • well, there are advantages. faster cashing when you go out for example.

      and it's not like you can't slap a sticker with a fake barcode on a product either, so what's the deal? rfid is just a wireless barcode, a barcode that's easier to read(no need to swipe it across a reader with the right side pointed toward the sensor). nothing more nothing less...

    • The idea is not to rewrite the price in the tag, it's to rewrite the tag so the checkout scanner thinks you're getting something else. Rewrite the code for that $800 digital camcorder to a $2 box of pasta that weighs the same. The automated system won't be able to tell them apart, so it will think it's selling you the pasta and charge you accordingly.

      Jason
      ProfQuotes [profquotes.com]
    • Then you run right back into the privacy implications of having RFID at all. I want to be able to overwrite RFID so that I don't have that damn tracking device everywhere I go.
  • ...but I'd love to walk their aisles with something like this in my pocket and do my own price rollbacks!
  • Crypto? (Score:4, Interesting)

    by sk6307 ( 797832 ) <sk6307@btinternet.com> on Thursday July 29, 2004 @03:43AM (#9829442)
    Why not simply store only a cryptographically secure (signed) random unique value on the tag itself, and keep all the other data somewhere else that all the legitimate readers are connected to?

    With a simple database, this is not a problem, since it is computationally infeasible to forge a signature like that.
    • Re:Crypto? (Score:3, Insightful)

      by Anonymous Coward
      It's not that easy. You could still copy the info from one tag to another. Even if all tags contain info encoded with different seeds: When the duplicate "message" arrives at the reader, thereby revealing the breach, the item with the fraudulent tag will long be gone.

      The way to fix this is to make the tag only accept new data (or erase commands) when it's signed with the same key as existing data. But crypto hardware is more expensive and power hungry than simple storage, so it may not even be technically
    • Re:Crypto? (Score:3, Interesting)

      by Jesrad ( 716567 )
      Let's say I have my own RFID tags, which have a rewriteable serial number and higher signal power output. If I program them to masquerade as some random product I've walked past in the shop, then paste them onto the products I want to buy, could they mask the legit RFID and fool the reader?
    • I like your crypto idea, but wouldn't it be easier to just have write-once RFID tags?

      There must be some sort of EOT packet in the RFID communications stream - the tag just blows a fuse when it sees the tag, like an FPGA can.

      There would have to be some global namespace assignments so each store could use the RFID from the manufacturer, but I thought that was the plan anyhow. I can't see any reason for a retailer to reprogram an RFID tag - everything beyond the ID will be in their database.
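
The signed-record idea from the "Crypto?" post (and the signed-checksum reply further up), together with the copy objection raised against it, worked through as an added example that is not from any poster or from RFDump. It swaps in an HMAC-SHA256 tag from the Python standard library for the public-key signature the posters describe, so readers hold the secret key; the key, serials, UIDs and catalog are constructed, and the factory UID is assumed to be read-only.

```python
"""Added example: authenticated tag records checked at an RFID checkout."""
import hashlib
import hmac
from dataclasses import dataclass

STORE_KEY = b"constructed-demo-key"   # assumption: secret shared by the store's readers
SERIAL_LEN = 8                        # constructed layout: serial || MAC in user memory
MAC_LEN = 16


@dataclass
class Tag:
    uid: bytes         # factory identifier, assumed not rewritable
    user_data: bytes   # rewritable user memory (what a tag editor can change)


def record_mac(serial, uid=None, key=STORE_KEY):
    """MAC over the serial alone, or over UID + serial when the record is bound to the tag."""
    msg = b"plain:" + serial if uid is None else b"bound:" + uid + serial
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def issue(uid, serial, bind_uid):
    """Write an authenticated record into a fresh tag."""
    return Tag(uid, serial + record_mac(serial, uid if bind_uid else None))


class Checkout:
    def __init__(self, catalog, bind_uid):
        self.catalog = catalog      # serial -> (description, price in cents)
        self.bind_uid = bind_uid
        self.sold = set()           # back-end ledger of serials already sold

    def scan(self, tag):
        data = tag.user_data
        if len(data) != SERIAL_LEN + MAC_LEN:
            return "reject: malformed record"
        serial, tag_mac = data[:SERIAL_LEN], data[SERIAL_LEN:]
        expected = record_mac(serial, tag.uid if self.bind_uid else None)
        if not hmac.compare_digest(tag_mac, expected):
            return "reject: bad MAC"
        if serial not in self.catalog:
            return "reject: unknown serial"
        if serial in self.sold:
            return "reject: serial already sold"
        self.sold.add(serial)
        return "ok: %s %d" % self.catalog[serial]


def demo():
    """Run the same four scans with and without binding the MAC to the UID."""
    catalog = {b"SHIRT014": ("shirt", 1400), b"SHIRT050": ("deluxe shirt", 5000)}
    results = {}
    for bind in (False, True):
        cheap = issue(b"\x01" * 8, b"SHIRT014", bind)
        dear = issue(b"\x02" * 8, b"SHIRT050", bind)
        till = Checkout(catalog, bind)
        # User memory edited in place: serial changed, old MAC left behind.
        edited = Tag(dear.uid, b"SHIRT014" + dear.user_data[SERIAL_LEN:])
        # Whole record (serial + MAC) copied from the cheap item's tag.
        copied = Tag(dear.uid, cheap.user_data)
        results[bind] = {
            "edited": till.scan(edited),
            "copied": till.scan(copied),
            "genuine_cheap": till.scan(cheap),
            "genuine_dear": till.scan(dear),
        }
    return results


if __name__ == "__main__":
    for bind, outcome in demo().items():
        print("MAC bound to UID:", bind)
        for name, verdict in outcome.items():
            print("  %-14s %s" % (name, verdict))
```

Without binding, the copied record verifies and the ledger only objects when the genuine cheap item is scanned later; with binding, the copy fails at the till. The binding is only as strong as the assumption that the UID cannot be rewritten or emulated.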
  • by User 956 ( 568564 ) on Thursday July 29, 2004 @03:44AM (#9829448) Homepage
    well DUH.. the DMCA will prevent all of this! Because if something is illegal, obviously nobody will do it!
  • by JanMark ( 547992 ) on Thursday July 29, 2004 @03:49AM (#9829474) Homepage
    When barcodes were introduced, retailers feared barcode swappers, because barcodes were not printed on partitioned labels, like those small price labels used to be (If you can remember when all items were (manually) priced, you are getting old.) It turned out not to be too big a problem (now most barcodes are printed).

    However, when you can automate something, that is a different story. With tag swapping, you can play the percentage game, usually the number of individual swappers is small. With automated swapping (esp. wireless), one individual can swap everything. That is a true risk.

    However, like the step from label to printed-on bar code, there is only a small window of opportunity.
    In the near future, we will see read-only tags, embedded during the production phase.
    • by Lumpy ( 12016 ) on Thursday July 29, 2004 @05:40AM (#9829818) Homepage
      (If you can remember when all items were (manually) priced, you are getting old.)

      Here in Michigan it's a LAW that all items must be priced. So I see price stickers on every item in the store every single day I go to one... they are manually priced by some 15 year old kid that hates his job.
    • If you can remember when all items were (manually) priced, you are getting old.

      Remember when they were? My parents used to own a small village shop - I remember pricing stuff myself...
    • (If you can remember when all items were (manually) priced, you are getting old.)

      Yet with age comes wisdom - I remember when the big problem at the local grocery store was when people would peel off the price tags in the dairy section from one item (say a quart of milk) and put it on a higher-priced item (say a quart of heavy cream).

      The moisture condensed on the smooth cartons made the stickers' glue less sticky, so the dairy section was most vulnerable. On dry goods one of the quadrants of the sticker
  • by Anonymous Coward on Thursday July 29, 2004 @03:54AM (#9829494)
    I don't think it's on the web yet but it describes how some RFID tags work (all of them? Some? I don't know).

    Here's a summary:

    The scanner basically gets all the RFID tag info from all the tags at once, on the same frequency, which as you can imagine creates a lot of noise. In order to find out what tags are in the area, you have to do a binary search. First ask all the tags that have a 1 in the first digit of their serial numbers to reply. Then the ones with zero. Then all of the "10's", the "11"'s, etc. And so on down the line, pruning empty subtrees as it goes, until it knows all the nearby RFID tags.

    The article described a custom RFID tag that just always responds to all serial numbers. Tying up the scanner for 1^64 (or is it 1^64 factorial?) iterations of the algorithm (forever, basically).

    Pretty neat. I will definitely be carrying one of those in the future. "Hey, whenever that guy comes in the store, all our inventory disappears"
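
The prefix search summarized in the comment above, as an added simulation that is not from the article the poster mentions. It counts reader queries for an ordinary shelf and for a device that answers every prefix, and adds a per-round query budget (an assumption of this example, not something the thread describes) that lets the reader notice the second case instead of walking the whole tree; serials are constructed bit strings.

```python
"""Added example: tree-walking tag inventory with a reader-side query budget."""


def query_budget(bits, max_tags):
    """Upper bound on queries an honest population of max_tags tags can cause.

    Each tag lies under `bits` internal prefixes (depths 0..bits-1); every
    answered internal prefix costs two child queries, plus one for the root.
    """
    return 1 + 2 * bits * max_tags


def inventory(tags, bits, always_reply=False, budget=None):
    """Walk the serial-number tree depth first.

    tags         -- set of bit strings of length `bits` (constructed serials)
    always_reply -- simulate a device that answers every prefix query
    budget       -- abort once this many queries have been sent
    Returns (serials found, queries sent, aborted).
    """
    found, queries = [], 0
    stack = [""]                      # prefixes still to be queried
    while stack:
        if budget is not None and queries >= budget:
            return found, queries, True
        prefix = stack.pop()
        queries += 1
        answered = always_reply or any(t.startswith(prefix) for t in tags)
        if not answered:
            continue                  # empty subtree: pruned
        if len(prefix) == bits:
            found.append(prefix)      # full serial singled out
            continue
        stack.append(prefix + "1")
        stack.append(prefix + "0")    # popped first, so output is ascending
    return found, queries, False


def demo(bits=16, max_tags=50):
    shelf = {format(n, "0%db" % bits) for n in (17, 4660, 51966)}  # constructed
    limit = query_budget(bits, max_tags)
    honest = inventory(shelf, bits, budget=limit)
    flooded = inventory(shelf, bits, always_reply=True)
    guarded = inventory(shelf, bits, always_reply=True, budget=limit)
    return honest, flooded, guarded


if __name__ == "__main__":
    honest, flooded, guarded = demo()
    print("honest shelf : %d tags, %d queries" % (len(honest[0]), honest[1]))
    print("every prefix : %d phantom serials, %d queries" % (len(flooded[0]), flooded[1]))
    print("with budget  : stopped after %d queries, aborted=%s" % guarded[1:])
```

With 16-bit serials the unguarded walk already costs 131071 queries and reports 65536 serials that do not exist; a reader that stops at the budget can discard the round and raise an alert.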
  • by selderrr ( 523988 ) on Thursday July 29, 2004 @03:58AM (#9829510) Journal
    I have seen pranksters swap price tags on items many times before (no special equipment needed). The only more or less robust system seems barcodes...
  • Competitors (Score:5, Insightful)

    by detritus. ( 46421 ) * on Thursday July 29, 2004 @04:03AM (#9829526)
    One thing I have always seen as a potential problem is a store's competitors using RFID scanners to take inventory and/or monitor what their competitor's customers are walking out of the store with.
    Any data you can get on your competitors is certainly better than none at all.
    • They made it a jailable offence to enter a movie theatre with a video camera. They're banning camera phones from some public areas (swimming pools, etc) It wouldn't surprise me if they banned RFID scanners from shopping malls. Imagine if every RFID scanner incorporated a unique RFID which another scanner can scan. Then the scanner's scanner can scan your scanner and avert your scanner scam.
  • by zyche ( 784345 ) on Thursday July 29, 2004 @04:11AM (#9829556)

    I have an idea that I've been thinking about for a while.

    Some of us choose what to buy on the basis of how well-behaved the producing company is. Nothing new here. Some "bad" companies and their products are easy to identify: I try to not buy anything from Nestle (breastmilk substitute in Africa), McDonalds (cutting down rainforests), and so on. As you can see from my reasons, they are probably a bit outdated as it can be hard to get good consumer information through the media noise.

    Ok, here's the thing: most products these days have an EAN/UCC [ean-int.org] code. The number in that code includes an identifier for the selling company. What if the Internet community would create a database of companies and start setting grades on them with regards to product quality, environment concern, workforce treatment, and so on?

    "But it would be too much of a hassle to query the database each time one buys cereals" you say. Sure, but consider two things:

    • Most mobile phones today (and certainly more in the future) have a built-in camera. Use that to photograph the EAN code, run a picture recognition program (in the phone of course) and either compare to a snapshot database in the phone or check the online database directly!
    • You will quickly learn to avoid certain brands, and also educate people in your surroundings (friends, relatives, etc).

    How do RFID fit into this? Well, imagine a clock that vibrates when you are about to touch some ethically questionable item! :-D

    RFIDs have been creating a lot of interest in the industry as it gives them better control over where items are, who buys them, if they return, etc. Now, if consumers could easily boycott a company due to bad quality or unethical behavior, the whole idea could backfire on them!

    • Just my 2 cents, but in most selling points it is prohibited to use a camera to shoot products and product prices. Shooting the EAN code could be interpreted as shooting the product.
    • Well, imagine a clock that vibrates when you are about to touch some ethically questionable item
      Sounds like something that could make you a public enemy [lisag.com]
    • How do RFID fit into this? Well, imagine a clock that vibrates when you are about to touch some ethically questionable item!

      So when wouldn't it vibrate?
    • I can't find the reference, but I believe a student has already made a demonstrator as a college project.

      It should be pointed out that scanning the barcode is NOT photographing it and the shops would have difficulty arguing against the practice. If anything, it might direct shoppers to the ethical goods shelves where margins are higher...
      I think there is a case for aids for the partially sighted that would scan barcodes to report back what is on the shelf. Adding an ethical score to the internal database wo

    • I see myself hacking a cue cat and affixing it to a palm pilot. A downloadable database, built and moderated by an internet community, with a bar code, a short blurb about the product and company in question, and a couple ratings - say, 0-5 stars for the product, based only on its function as a product, and another 0-5 stars for the company, based on the environmental issues, labour practices, etc. The only concern is making sure nobody's poisoning the database.
  • Even more fun! (Score:3, Interesting)

    by ConsumedByTV ( 243497 ) on Thursday July 29, 2004 @04:12AM (#9829558) Homepage
    This article is a trivial example of something you can do, a bomb would be much more damaging and more of a threat as RFID is used for ID (with regards to people, not products. Unless you consider for a second that it makes them products, but I digress).

    I really can't wait until we have time bombs that are a result of the number of times a given person walks by with their RFID tag on. 10, 11, 12, booom.

    Food for thought anyway.
  • by paulikoira ( 226784 ) on Thursday July 29, 2004 @04:13AM (#9829561)
    Concerning expensive RFID tag applications like public transport prepaid accounts, this could be a problem. More expensive crypto tags solve that problem.

    Concerning stores, this is stupid. Retailers don't need expensive reprogrammable tags and don't use them. Cheap tags are just a unique ID number which can't be changed. Any decent retailer saves money on tags and increases security by using cheap tags (no data storage, just a fixed number) and keeping their price and product data in a database keyed to these ID numbers. So talk of walking through Wal-mart and saving money or causing chaos is fantasy.

    Conclusion: it is only the medium price (storage but no crypto) tags which are and always have been a risk. The only contribution of this program is raising wider awareness and thus breaking illusory security through obscurity.
  • Guess my personal boycott of WalMart is over. Watch out for falling prices Sam.

    Yes, I know they don't 'tag' each item,.....yet.
  • This is plain hype (Score:3, Insightful)

    by Anonymous Coward on Thursday July 29, 2004 @04:23AM (#9829596)
    Who would be silly enough to purchase programmable RFID tags?

    In any secure application you don't keep the important info on the portable device! You put it in a secure database where all the security risks are known. The RFID tags should have a non-programmable, non-erasable fixed unique code.

    The scaremongering that this thread typifies is both stupid and done to death.
  • I for one would be delighted to see smirking hackers walking along the aisles of department stores, wiping every RFID tag in sight. At least that would wipe the smirks off the faces of marketing execs who lust after every intimate detail of our lives.

    If they try to kick you out, dump the zapper in some old lady's trolley. She'll march about for hours, wiping any spy gadgets in the building. Some might construe this as vandalism, but I construe reading dozens of RFID tags, covertly embedded in every item I buy, an illegal search.

    Of course execs will find some law (can you say DMCA) to label any such defenders of privacy evil criminals who seek to undermine the economy and of course the usual line, RFID helps fight terrorism or some such rubbish. They're probably looking for a way to make RFID blocker tags illegal as well.

    Unfortunately, the solution may be simply to make RFID tags read only, further compounding the privacy issue.
  • Why not use digital signatures?
  • underage hackers could purchase alcohol or adult movies, and pranksters could simply reprogram the inventory of an entire store by just walking up and down the aisles.

    COOL!
  • by happynut ( 123278 ) on Thursday July 29, 2004 @04:58AM (#9829683)
    This case was already covered in the older RFID specs that used to appear at www.autoidcenter.org (they have since become viewable to members only when they handed standards off to www.epcglobalinc.org several months ago).

    In order to write data to the tag you needed to know a 64-bit number that was programmed into the tag. The standard didn't say how you set that number; that was policy reserved to the tag programmer. But in order to have a write command accepted, you needed to match the previously programmed number.

    So if commercially deployed tags really are generally writeable it is more of an administration problem (like leaving telnet enabled on public facing servers) than a failure to consider the problem at all.

  • by syberanarchy ( 683968 ) on Thursday July 29, 2004 @05:04AM (#9829708) Journal
    Let's be honest, the biggest advocate of this stuff (walmart) isn't exactly the employer of rocket scientists. I have called them before at midnight, asking if they had Socom and the PS2 Net Adapter (when that was the "new thing.")

    "Oh, yeah, we have it."

    I get there, and it turned out they didn't have it. They had an AC Adapter.

    A clerk who cannot tell the difference between something that lets you go on the internet and something that plugs into the electric socket will be easily fooled by the RFID swap. Even if someone DOES check your bag, do you think "Joe Walmart" is really going to be acute enough in his observation to recognize that you've got the high end ATI card, and not the 9600? Doubtful.

    It'll be great to watch Wal-Mart reap the fruit of the seed they've sown - lost merchandise, lost profits, etc. And it's quite fitting that this really has nothing to do with RFID, but their unwillingness to go the extra mile to spend a few more bucks to get employees who know what they are doing.

  • So you actually expect the 1337 kids to *buy* adult movies? I wouldn't be surprised if those very kids have access to this thing called "internet", where free adult content is not in short supply...
  • Some SCO's, maybe. (Score:5, Informative)

    by ONU CS Geek ( 323473 ) * <ian,m,wilson&gmail,com> on Thursday July 29, 2004 @06:17AM (#9829942) Homepage
    From what the submitter had mentioned, he thought it would be possible to reprogram RFID tags to use to cheat a SCO...I'm not really sure about how the RFID stuff works, so I can't really say much about that, however, I do know a bit about the SCO's.

    Some SCO's (namely those by ACM/IBM) have a secondary server that handle the interactions with the cash register controllers (sometimes called the BOSS server). They have a 'security profile' that lets a SCO learn pieces of information about an item (dimensions, weight, that kinda thing) and if the item doesn't match a security profile, it'll kick it back, until a cashier scans their card to get it to learn the item.

    Other SCO's use a weight-based system. I'm not totally sure if the scales weigh all items and go from item to item specifically, or from item to item just to see if the item's been placed in the 'bagging' area (if not a pass around item).

    A properly set-up SCO won't allow things like this anyway. Really, nothing more than barcode switching.
  • What an incredibly patronising, stupid, and, just plain wrong thing to say.

    Walmart, Tescos, Carrefour (pick your local mega retailer) are incredibly sophisticated in their use of technology. They all have first class inventory management, ordering and distribution systems. With the advent of customer loyalty cards they drove data warehousing technology to new heights. In addition the "old" retailers have significant market share in e-commerce.

    And this guy thinks they will have problems implementing what is

  • RFID Tags (Score:5, Insightful)

    by butlerdi ( 705651 ) * on Thursday July 29, 2004 @07:08AM (#9830114)
    The tags do not generally contain data and for the most part are read only in the new systems. The tag only contains an identifier which is used to access the info just like a barcode. Changing the number to another at the checkout would still display the id of the product. You have a watch at the checkout and the till shows a tin of beans.... These systems are not that easy to hack in reality, at least no more so than barcodes. Most people do not change the price tags either out of honesty or fear of being caught. I doubt very much that jewelry stores will ever have self checkout lanes.
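The lookup described in the comment above, combined with the self-checkout 'security profile' weight check from the earlier comment, as an added example that is not part of the original thread. The tag IDs, catalog entries and the 10% tolerance are constructed assumptions, not any vendor's values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Product:
    name: str
    price_cents: int
    weight_g: float  # security-profile weight learned for the item

# Constructed back-end catalog keyed by tag identifier. The tag itself
# carries only the identifier, so price and name never come from the tag.
CATALOG = {
    "E200-0001": Product("wrist watch", 24900, 85.0),
    "E200-0002": Product("tin of beans", 89, 415.0),
}

TOLERANCE = 0.10  # assumed: accept +/-10% of the profiled weight

def check_item(tag_id, scale_weight_g, catalog=CATALOG):
    """Resolve a tag ID and decide whether the checkout accepts the item.

    Returns (status, product); status is "ok", "unknown-id" or
    "needs-attendant".
    """
    product = catalog.get(tag_id)
    if product is None:
        return "unknown-id", None
    low = product.weight_g * (1 - TOLERANCE)
    high = product.weight_g * (1 + TOLERANCE)
    if not low <= scale_weight_g <= high:
        # The till shows the catalog's product for this ID, and the scale
        # disagrees with its profile: hold the item for a cashier.
        return "needs-attendant", product
    return "ok", product

def checkout(items, catalog=CATALOG):
    """Total the accepted items and collect the rest for an attendant."""
    total, held = 0, []
    for tag_id, weight in items:
        status, product = check_item(tag_id, weight, catalog)
        if status == "ok":
            total += product.price_cents
        else:
            held.append((tag_id, status, product.name if product else None))
    return total, held
```

An item whose ID resolves to a different product is held because the measured weight does not match that product's profile, and an ID absent from the catalog is never priced at all.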
  • More crazy laws... (Score:3, Insightful)

    by Wubby ( 56755 ) on Thursday July 29, 2004 @07:53AM (#9830409) Homepage Journal
    I would expect that instead of actually fixing the technology (if possible) adopters and promoters of RFID will start a massive campaign of lobbying for harsh federal laws that make it illegal to possess, create or look at any device that could possibly be used in "hacking" RFIDs. These would include (but are not limited to):

    RF detectors
    Calculators
    pencils
    human brain
    words

    -I'm not the troll you're looking for.
  • encryption (Score:3, Insightful)

    by emorphien ( 770500 ) on Thursday July 29, 2004 @07:56AM (#9830426)
    At least RFID can handle some types of encryption. An encryption key can be kept in the reader and since it doesn't have to be broadcast this isn't necessarily a huge problem. And since RFIDs can be managed automatically if someone really was worried the whole system could check and rewrite each item's data once a day or something to make use of a new encryption key.

    Some people have already looked into this, although of course retailers don't pay attention anyway.

    Some people have already looked in to this, although of course retailers don't pay attention anyway.
  • Can be secured (Score:3, Interesting)

    by jimngo ( 320248 ) on Thursday July 29, 2004 @08:22AM (#9830651)
    I am working on an RFID client project at my company. There are read-only tags and read-write tags. The read-write tags can also be locked on a per-byte basis so that those bytes can never be written to again. Believe me, the system can be secured.

    By the way, the /.'er that dissed Walmart's technology because of his experience with their sales people is pretty myopic. I'm definitely no fan of Walmart--last time I stepped into one was about 10 years ago--but their distribution system is incredibly efficient. In 1993, their gross sales were $USD244 Billion. The U.S. GDP was 10.98 Trillion, so if my math is correct, their sales amount to 2.2% of the U.S. GDP. That is a lot of inventory for a single company to move around the world. Of course, they have 3rd party distributors that bring in a lot of their products, but they still have to keep track of that as well.

    For mass retailers like Walmart, RFID will work much better than barcodes and it will probably be first implemented in the distribution system, not the sales system. One RFID tag will keep track of a single shipment lot, case, box, whatever.

    RFID tags will NOT replace barcodes in the foreseeable future. But they can accomplish some things better than barcodes so they will coexist.
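A toy model of the two write controls mentioned in this thread, the 64-bit number a write command must match and the per-byte permanent lock, as an added example that is not part of the original comments. The class, its methods and the default password of 0 are constructed for illustration and are not the Auto-ID specification or any vendor's command set.

```python
import hmac
import secrets

class TagError(Exception):
    """The modeled tag refused a command."""

class Tag:
    """Toy read-write tag: user memory, 64-bit write password, per-byte locks."""

    def __init__(self, size, write_password=0):
        self._pw = write_password.to_bytes(8, "big")  # constructed default: 0
        self._mem = bytearray(size)
        self._locked = [False] * size

    def read(self):
        return bytes(self._mem)  # reads need no password in this model

    def _authorize(self, password, offset, length):
        if not 0 <= password < 2**64:
            raise TagError("password is not a 64-bit value")
        if not hmac.compare_digest(password.to_bytes(8, "big"), self._pw):
            raise TagError("write password mismatch")
        if offset < 0 or length < 0 or offset + length > len(self._mem):
            raise TagError("range outside user memory")
        return range(offset, offset + length)

    def write(self, password, offset, data):
        span = self._authorize(password, offset, len(data))
        if any(self._locked[i] for i in span):
            raise TagError("range contains a permanently locked byte")
        self._mem[offset:offset + len(data)] = data

    def lock(self, password, offset, length):
        # One-way by design: the model has no unlock command.
        for i in self._authorize(password, offset, length):
            self._locked[i] = True

def commission(item_id, size=16):
    """Program a tag with a per-tag random password, then freeze its ID."""
    password = secrets.randbits(64)      # never left at the default
    tag = Tag(size, password)
    tag.write(password, 0, item_id)
    tag.lock(password, 0, len(item_id))  # identifier bytes become read-only
    return tag, password

def accepts_write(tag, password, offset, data):
    """Report whether the tag accepts the write, without raising."""
    try:
        tag.write(password, offset, data)
        return True
    except TagError:
        return False
```

A tag built with `Tag(16)` and never commissioned still accepts writes with the default password, which is the administration problem rather than a design gap.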
  • by mengel ( 13619 ) <mengel@noSpAM.users.sourceforge.net> on Thursday July 29, 2004 @08:29AM (#9830726) Homepage Journal
    The thing is, UPC barcodes are hackable too. You can print a couple of barcodes on sticky labels on any old printer, and stick new barcodes on the item, and I expect most stores wouldn't really notice. In fact, Slippery Jim DiGriz was doing that in the Stainless Steel Rat books quite a few years ago (Okay, so he was messing with the barcodes with a good old pen, by hand, but you get the idea).

    What is cool about the RFID stuff is that I bet with the right antenna, you could do the reprogramming from the parking lot, and do a whole shelf full (store full?) at once. Suddenly, everything in the store is a 50 cent pack of Wrigley's...

  • Cheap for home use (Score:4, Insightful)

    by abreauj ( 49848 ) on Thursday July 29, 2004 @12:00PM (#9833114) Homepage

    Seems the discussion here has been mainly about ripping off the retailer. I think the idea of erasing them after purchase for privacy reasons is far more important.

    However, another way to look at it is as a cheap way to get tags to use at home. I've got large collections of CDs, videos, and books in my house, and it's always a real pain in the ass trying to find something I haven't used in a couple years. If I'm getting all these RFID tags for free in the products I buy anyway, and I'm able to erase and rewrite them easily, then perhaps I can remove them from the products and redeploy them into my books, CDs, etc, and then use an RFID reader to more easily find things.

    Sure, it would be a long-term project to get everything tagged and inventoried, but so what? I'd be able to easily find things I'd already tagged, and if I have to search for something that wasn't tagged, it would be easy enough to tag it once I find it.
