August 02, 2004

German security consultant Lukas Grunwald has released a tool he calls RFDump that can be used to read and, apparently in some contexts, change the contents of an RFID tag. Handy for discounting your purchases, you'd think, but as far as I can see, this would only apply to read/writable tags (and here possibly actually containing the price information), as opposed to read-only "serial number"-style tags. Serial number / product code tags would generally be used by a business to identify the item; the price would then be looked up from a pricing database; changing this price would require more traditional hacking, unrelated to RFID. Furthermore, generally one would also assume full-scale consumer implementations to have a certain level of encryption in place.

Still, his point is proven, and businesses implementing RFID in their supply chain should not ignore the abilities of black hat hackers.
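The difference between the two tag designs described above, as an added example that is not part of the original post or of RFDump: one checkout routine trusts a price held in writable tag memory, the other uses the tag only as an identifier and flags any mismatch. The tag layout (`TagRead`), the catalogue and the product codes are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed catalogue: product code -> price in cents (stands in for the pricing database).
PRICE_DB = {"4006381333931": 1299, "4006381333948": 499}

@dataclass(frozen=True)
class TagRead:
    """Hypothetical result of reading one tag at the checkout."""
    product_code: str          # identifier field; assumed read-only, as in the post
    user_price: Optional[int]  # price in cents from writable user memory, if present

def price_trusting_tag(tag: TagRead) -> int:
    """Weak design: charge whatever the writable tag memory says."""
    if tag.user_price is not None:
        return tag.user_price
    return PRICE_DB[tag.product_code]

def price_from_backend(tag: TagRead) -> tuple[int, list[str]]:
    """Hardened design: the tag only identifies the item; the price comes
    from the database, and a differing on-tag price is reported as a
    possible tampering signal instead of being charged."""
    if tag.product_code not in PRICE_DB:
        raise LookupError(f"unknown product code {tag.product_code!r}")
    price = PRICE_DB[tag.product_code]
    alerts = []
    if tag.user_price is not None and tag.user_price != price:
        alerts.append(
            f"tag price {tag.user_price} != catalogue price {price} "
            f"for product {tag.product_code}"
        )
    return price, alerts

if __name__ == "__main__":
    # Constructed reads: one tag whose writable price field was altered, one clean tag.
    altered = TagRead("4006381333931", 99)
    clean = TagRead("4006381333948", None)
    print("trusting tag:", price_trusting_tag(altered))
    print("backend lookup:", price_from_backend(altered))
    print("backend lookup:", price_from_backend(clean))
```

The backend lookup still depends on the identifier field itself being read-only; a tag whose product code can be rewritten needs a separate integrity check.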

I think it's reasonable to be skeptical of the value, on balance, of RFID to retailers, i.e., where what might work well in a well-controlled supply chain environment (where one or a few commerce partners are exchanging products and data, and employees can be trusted, to some degree, or at least monitored) runs off the rails in a much messier environment, including the possibility of malicious parties attempting to swap in new values. See this whitepaper (http://www.stapleton-gray.com/papers/sk-20031113.PDF) for thoughts in this area; we're maintaining a blog on issues around RFID, surveillance and privacy: http://www.stapleton-gray.com/surpriv/

Posted by: Ross Stapleton-Gray at August 4, 2004 02:45 AM
