Design Article
RFID security - Part 3: Threat and target identification
Frank Thornton
9/9/2010 2:22 PM EDT
We have learned how blocking the RF might work for someone attempting to steal a single item. However, for someone looking to steal multiple items, a more efficient way is to change the data on the tags attached to the items. Depending on the nature of the tag, the price, stock number, and any other data can be changed. By changing a price, a thief can obtain a dramatic discount, while still appearing to buy the item. Other changes to a tag's data can allow users to buy age-restricted items such as X- or R-rated movies.
When items with modified tags are bought using a self-checkout cash register, no one can detect the changes. Only a physical inventory would reveal that the shortages in a given item do not match the sales logged by the system.
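The physical-inventory check described above can be written as a reconciliation of book stock against a shelf count. The sketch below is an added example, not part of the original article; the SKUs, quantities and function names are constructed for illustration, and it assumes that a tag rewritten to another item's stock number logs the sale under the wrong SKU.

```python
# Added example: reconcile book stock (receipts minus logged sales) against a
# physical count. All SKUs and quantities are constructed sample data.
from dataclasses import dataclass


@dataclass
class Variance:
    sku: str
    expected: int  # what the system believes is on the shelf
    counted: int   # what the physical inventory found

    @property
    def delta(self) -> int:
        return self.counted - self.expected  # negative means shortage


def reconcile(received, sold, counted):
    """Return a Variance for every SKU whose count differs from book stock."""
    out = []
    for sku in sorted(set(received) | set(sold) | set(counted)):
        expected = received.get(sku, 0) - sold.get(sku, 0)
        actual = counted.get(sku, 0)
        if actual != expected:
            out.append(Variance(sku, expected, actual))
    return out


def classify(variances):
    """Split variances into shortages and surpluses.

    Assumption: a sale logged under the wrong stock number leaves the real
    item short and the impersonated item over. A shortage with no matching
    surplus is also consistent with ordinary shrinkage.
    """
    short = {v.sku: -v.delta for v in variances if v.delta < 0}
    over = {v.sku: v.delta for v in variances if v.delta > 0}
    suspect_rewrite = bool(short) and bool(over)
    return short, over, suspect_rewrite


if __name__ == "__main__":
    received = {"DVD-PREMIUM": 40, "DVD-BUDGET": 60, "CD-SINGLE": 25}
    sold = {"DVD-PREMIUM": 5, "DVD-BUDGET": 22, "CD-SINGLE": 10}
    counted = {"DVD-PREMIUM": 29, "DVD-BUDGET": 44, "CD-SINGLE": 15}
    print(classify(reconcile(received, sold, counted)))
```

A tag whose price field alone was changed produces no count variance, so this check has to be paired with a comparison of the charged price against the backend catalog price.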
In 2004, Lukas Grunwald demonstrated a program he had written called RF Dump. RF Dump is written in Sun's Java language, and runs on either Debian Linux or Windows XP operating systems for PCs. The program scans for RFID tags via an ACG brand reader attached to the serial port of a computer.
When the reader recognizes a card, the program presents the card data in a spreadsheet-like format on the screen. The user can then enter or change data and reflect those changes on the tag (see Figure 24.11). RF Dump also makes sure that the data written is the correct length for the tag's fields, by either padding zeros or truncating extra digits as needed.

Alternately, a personal digital assistant (PDA) program called RF Dump-PDA is available for use on PDAs such as the Hewlett-Packard iPAQ Pocket PC. RF Dump-PDA is written in Perl, and will run on Pocket PCs running the Linux operating system. Using a PDA and RF Dump-PDA, a thief can walk through a store and change the data on items with the ease of using a handheld Pocket PC.
Grunwald demonstrated the attack using the same EPC-based RFID system that the Future Store in Rheinberg, Germany, uses (see www.futurestore.org). The Future Store is designed to be a working supermarket and a live technology-demonstration store, and is owned and run by Metro AG, Germany's largest retailer and the fifth largest retail chain in the world.


ezel
9/21/2010 8:43 AM EDT
good