
Theft From Afar: Hacking into RFID

Radio frequency identification (RFID) technology is used in everything from retail antitheft devices to inventory tracking and access control. It’s gaining in popularity as a security solution, but companies should be aware of its vulnerabilities, say experts.

For example, tech-savvy attackers could hijack a pallet of RFID-tagged merchandise without ever getting close to the goods, explains Kevin Mahaffey, director of development with Flexilis, a company that researches mobile-device security. Mahaffey discussed the issue at this year’s Black Hat conference, where he demonstrated how anyone with the right equipment could read an Electronic Product Code (EPC) tag from as far as 69 feet away.

EPC tags are the ones that large retailers, like Wal-Mart, and the Department of Defense will be using for item-level tagging. The tags carry unique serial numbers that identify items and use very little computing power, Mahaffey says, and thus are fairly easy to compromise.

Reading a tag from so far away is less of a security threat than changing the data on a tag, but “if you can read a tag, you can also write a tag, it’s just a matter of what commands you’re sending,” Mahaffey says. Writing over data would allow someone to, say, replace the identification data of a pallet of digital cameras with data from a pallet of potato chips that are to be delivered to a confederate’s store. The outgoing reader system will simply route the shipment of cameras according to the tag data.

Dan Mullen, president of the Association for Automatic Identification and Mobility (AIM Global), disputes the claim that writing over a tag’s data is as easy as reading it, saying there are many ways to prevent that from happening.

In fact, both current and upcoming standards of EPC tags do offer some security features, but Mahaffey says these features are less likely to be widespread because they increase the price of tags and make them less convenient. For example, read-only tags would prevent an attacker from overwriting them; but, Mahaffey says, “a lot of companies don’t like that because they like to be able to change the way they number things and possibly add additional data on a tag.”

The kind of research Mahaffey is doing will ultimately help companies to secure their RFID systems better, says Erik Michielsen, director of RFID and ubiquitous networks at ABI Research. RFID technology is not meant to stand on its own, he says, but rather to be part of a well-secured supply-chain architecture that balances automation and human interaction.

“It’s a complementary technology, used as part of an overall IT/logistics solution,” Michielsen says. “You have to figure out what the checks and balances are going to be with how much automation is necessary for RFID, and what are the additional checks and balances that complement RFID.”
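One such check, as an added example that is not from the article or from any company it quotes: an outbound-dock reconciliation that refuses to route a pallet on tag data alone, comparing the EPC serials read at the exit against the manifest captured when the pallet arrived. The pallet ids, serials, store ids and scan data are constructed for illustration; the second pallet reproduces the camera-to-potato-chip overwrite described above.

```python
from collections import defaultdict

# Constructed sample data. MANIFEST is what the inbound reader recorded for each
# pallet; OUTBOUND_SCAN is what the exit reader sees later. Pallet P-002 carried
# cameras, but its tags have been rewritten with the serials of the chip pallet.
MANIFEST = {
    "P-001": {"epc": ["CAM-0001", "CAM-0002", "CAM-0003"], "dest": "STORE-17"},
    "P-002": {"epc": ["CAM-0004", "CAM-0005", "CAM-0006"], "dest": "STORE-17"},
    "P-003": {"epc": ["CHIP-0901", "CHIP-0902", "CHIP-0903"], "dest": "STORE-42"},
}
OUTBOUND_SCAN = {
    "P-001": ["CAM-0001", "CAM-0002", "CAM-0003"],
    "P-002": ["CHIP-0901", "CHIP-0902", "CHIP-0903"],  # overwritten tags
    "P-003": ["CHIP-0901", "CHIP-0902", "CHIP-0903"],
}


def reconcile(manifest, scans):
    """Return (pallet, reason) findings; an empty list means every pallet matches."""
    findings = []
    for pallet, seen in scans.items():
        expected = set(manifest.get(pallet, {}).get("epc", []))
        if not expected:
            findings.append((pallet, "no inbound manifest for this pallet"))
        elif set(seen) != expected:
            findings.append((pallet, "tag data differs from inbound manifest"))
    # A serial read on more than one pallet was copied or rewritten; neither
    # pallet can be trusted to be what its tags claim, so flag both.
    owners = defaultdict(set)
    for pallet, seen in scans.items():
        for epc in seen:
            owners[epc].add(pallet)
    for epc, pallets in owners.items():
        if len(pallets) > 1:
            for pallet in sorted(pallets):
                findings.append((pallet, f"serial {epc} also seen on another pallet"))
    return findings


def route(manifest, scans):
    """Route only pallets that reconcile; hold the rest for manual inspection."""
    held = {pallet for pallet, _ in reconcile(manifest, scans)}
    return {p: ("HOLD" if p in held else manifest[p]["dest"]) for p in scans}


if __name__ == "__main__":
    for pallet, reason in reconcile(MANIFEST, OUTBOUND_SCAN):
        print(f"{pallet}: {reason}")
    print(route(MANIFEST, OUTBOUND_SCAN))
```

The decision to route is taken from the reconciled manifest, not from the tag, so overwriting the tag only gets a pallet held rather than misrouted.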

The Black Hat presentation also discussed easy-to-build devices that could cause a denial-of-service attack on an RFID reader. “You could point an antenna at an antitheft system at the exit of a store, and make it not work,” Mahaffey says. “RFID is very sensitive to interference. You could probably do it with a ham radio,” he adds.