RFID data can be hacked!

LAS VEGAS-Even as Indian enterprises are gearing up to adhere to the Wal Mart mandate of deploying RFID technology, there comes a shocker from a German consultant who has released a tool that will allow modifications of the code stored within RFID tags. This will theoretically allow consumers to wreak havoc in future retail deployments. The tool was released as part of a talk at the Black Hat 2004 computer security convention dedicated to IT security.

The RFDump software allows a user equipped with an RFID reader, a laptop or PDA, and a power supply to rewrite the data stored in ISO 15693 tags, the most common tags used to host the EPC (Electronic Product Code) information traditionally stored in bar codes.

Although each RFID tag carries with it a unique product ID, the EPC is stored in the "user area" portion of the chip, which allows it to be rewritten. That poses problems to both consumers and retailers, RFDump's author, Lukas Grunwald, a senior consultant with Hildesheim, Germany-based DN-Systems Enterprise Solutions GmbH, said: On one hand, consumers could defraud a retailer by reprogramming a premium item as a cheap commodity.

On the other hand, consumers would have to worry about the items in their shopping carts being read by "Big Brother," or at least the many retailers in a shopping mall. And there's an even worse scenario: "It is only a matter of time before someone puts a root exploit on one of these tags and hacks into your supply chain," Grunwald said.

Citing probable instances of the abuse of RFID, at the convention, Grunwald said that since data can be modified freely, a customer in a departmental store might mark a lower price on a product before paying at the counter or one can reprogram the inventory of a store. This means RFID, can be, in effect hacked. Thus this is a timely warning that blind adoption of RFID might leave security holes for hackers to exploit.

In Europe, the Gillette Co. has used RFID tags inside packages of razor blades to minimize theft, Grunwald said. And Wal-Mart Stores, the world's largest company, and the U.S. Department of Defense have separate programs to rework their supply chains around RFID tags by next year. By 2007, all manufacturers, retailers, drug stores, hospitals and smaller retails will use the tags, according to Robin Koh, a member of the Auto-ID Labs industry consortium. Already, RFID tags are popping up inside consumer loyalty cards.