Low-cost RFID tags--many of which are smaller than a nickel and cost less too--are already being added to packaging by retailers to keep track of inventory, but could be abused by hackers and tech-savvy shoplifters, said Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH. While the technology mostly threatens consumer privacy, the it could allow thieves to fool merchants by changing the identity of goods, he said.
"This is a huge risk for companies," Grunwald said during a discussion at the Black Hat Security Briefings here. "It opens a whole new area for shoplifting as well as chaos attacks."
While expensive RFID reader hardware and hard-to-use software have hindered security research in the area, Grunwald said that's no longer a hurdle. The security expert announced during the session a new software tool he helped create that can be used to read and reprogram radio tags.
When such tools become widely available, hackers and those with less pure motives could use a handheld device and the software to mark expensive goods as cheaper items and walk out through self checkout. Underage hackers could attempt to bypass age restrictions on alcoholic drinks and adult movies, and pranksters could create confusion by randomly swapping tags, requiring that a store do manual inventory.
Grunwald's software program, RFDump, makes rewriting RFIDs easy. While there are significant malicious uses of the program, consumers could also use it to protect themselves, he said.
"Everyone should have the right, once they leave the store, to erase the RFID tags," he said. Deleting information on the tags would allow people to stop RFID checkpoints in stores and other places from tracking which products they are carrying, or which have been inserted under their skin.
Solving the business security issues may not be easy. While encryption could be used to hide data from unauthorized snoopers, not many RFID chips can handle the more-involved task of crunching cryptographic keys. Moreover, the RFID tags that can handle those tasks are among the most expensive on the market and not something you would stick on a cream cheese box at the grocery store, Grunwald said.
Store owners could have a database server that they program to track their goods using the unchangeable serial number on the RFID tag, however that adds a lot more complexity to the adoption of such technology, Grunwald added.
"The people who will be using this (shopkeepers) don't know much about technology," he said.
