Of all the things that radio frequency
identification technology was supposed to do for retailers--simplifying
inventory management and supply chain issues, for instance--creating
a new type of theft wasn't one of them. But that is exactly
what could happen, and a German information security consultant
can prove it. Consider the following scenario.
A would-be scofflaw heads into a grocery
store where all the products have RFID tags on them. Rather
than paying $7 for a bottle of shampoo, he'd rather pay
$3. To make that happen, he whips out a PDA equipped with
an RFID reader and scans the tag on the shampoo. He replaces
that information with data from the tag on a $3 carton
of milk and uploads it to the shampoo bottle tag. When
he reaches the check-out stand--which just happens to
be automated--he gets charged $3 instead of $7, with the
store's computer systems none the wiser.
Lukas Grunwald, the German consultant,
says this is not only possible, he's done it. That is,
he's changed the information on the RFID tag. He didn't
actually steal anything. To prove his point and let others
learn about RFID tag security, he's created a free software
program called RFDump that is the result of a few years
of research into RFID. He presented his findings and announced
the release of the software at the Black Hat Security
Briefings conference in Las Vegas today.
"There is a huge danger to customers
using this technology, if they don't think about security,"
Grunwald says.
This kind of disclosure--complete with
a software release that could potentially be misused--is
not unusual for Black Hat, a gathering where IT security
pros talk frankly about the latest in computer security
problems and how to solve them. But don't put your Luddite
hat back on just yet.
Companies like Wal-Mart Stores (nyse:
WMT - news - people ) and Target (nyse: TGT - news - people
) are slowly embracing RFID as the next great boost to
their supply chains. But they, like most companies, aren't
yet tagging individual items, which is what Grunwald hacked
at a store belonging to the Metro retail chain. Instead,
they are putting RFID tags only on large cases and shipping
pallets until the cost of item-level tagging comes down.
A Wal-Mart spokesman says there is no price information
on its pallet tags.
Albrecht Truchsess, a spokesman for Metro,
says the company is now creating item-level tags for three
products: cream cheese from Kraft Foods (nyse: KFT - news
- people ), Pantene Shampoo from Procter & Gamble
(nyse: PG - news - people ) and razor blades from Gillette
(nyse: G - news - people ). He also says that since the
tags are being tested only at Metro's Future Store, a
demonstration project bringing together several new retail
technologies, their security isn't strong by design.
"What we're doing in the Future Store
is using the RFID tags for smart-shelf applications,"
says Truchsess, referring to shelves that track what has
been placed on them. "And the sort of tags we're
using are very basic. It's really just a test right now."
Metro expects it will take ten years or
more before all store items have their own RFID tags on
a regular basis. "The ones we're using now cost about
30 or 40 cents each," says Truchsess. "More
secure tags are too expensive right now."
Pete Abell, an RFID consultant at Boston-based
EPCGroup, says that as stores adopt the technology beyond
the test phase, any shopper who brought his own RFID reader
into a store would likely be detected. Secondly, he says,
tags on products would be programmed to respond only to
authorized readers. Finally, he says, the industry is
working on stronger encryption than what is available
now. "Currently there's only 8-bit encryption available,
and that is pretty easy to get around," he says.
"And in this case I doubt even that was in place."
|