New tool demonstrates hacks against RFID tags
- By William Jackson
- Jul 28, 2004
LAS VEGAS - Smart-tag technology using radio frequency ID is being developed without security in mind, raising concerns about consumer privacy and risks to the security of the organizations using the tags.
Some of these risks were demonstrated today at the Black Hat Briefings security conference using a new hacker tool that lets users read and write to the tags.
The Defense Department is advancing the development of the technology by requiring its suppliers to use the tags on shipments at the case and pallet level. Isolated tests of the tags are taking place in Europe and the United States.
The Food and Drug Administration is issuing guidelines for the use of RFID technology on commonly counterfeited drugs. The tags are to be used by all drug manufacturers, wholesalers, hospitals and most retailers by 2007.
Some companies are testing the tags at the individual product level, and some are testing weaving the tags into the fabric of clothing.
"It is only a matter of time before smart tags replace the good old bar code," said Lukas Grunwald, CTO of DN-Systems Enterprise Internet Solutions of Germany. "It is only a matter of time until everybody will wear at least one RFID tag."
The benefits of the technology include improved inventory control and better tracking of sales and customer behavior.
"But you can exploit nearly all of these benefits," Grunwald said.
The problem is that the 128 bytes of data on most tags are visible to anyone with a reader. No tags now are read-protected, and few are write-protected.
Grunwald demonstrated a beta version of RF-DUMP, software that runs on a notebook or personal digital assistant and lets the user read and write to most standard smart tags.
The software, used with easily available readers, would let customers rewrite tags in a store. Stores also could rewrite tags to ID customers by associating a purchase with credit card information, creating a wearable personal cookie that could be used to track someone in a store.
Grunwald warned that dependence on an unsecure technology could put users at risk, and creation of a new critical infrastructure could open a new avenue of attack for terrorists.
He advocated the right of customers to destroy or deactivate the tags to prevent their misuse.
William Jackson is a Maryland-based freelance writer.