This article can also be found in the Premium Editorial Download "Information Security magazine: Keep today's threats close and tomorrow's closer."


The reported attacks on RFID tags--such as RSA Security's 2005 hacks of the tag used in the ExxonMobil Speedpass, and the fall 2006 hack of RFID credit cards--have been carried out by computer scientists tinkering in laboratories. Since some of these scientists are among the world's leading cryptographers, the industry is taking notice.

Here are two well-documented developments in EPC hacking:
  • In February 2006, RSA Security researchers showed how they could use a side-channel attack to determine a Generation 1 tag's password to kill the tag. They argued that the same method could be used to kill Generation 2 tags and crack other data stored on the tags. (www.rfidjournal.com/article/articleprint/2183/-1/82/)

  • In July 2004, German security consultant Lukas Grunwald released the software tool RFDump, which works with an RFID reader and a PC to rewrite the data stored on EPC tags, and could be used for retail fraud. (www.rf-dump.org)

As it has been with the RFID credit cards, demo attacks by researchers such as Fu will be the first we will see against EPC. "Now is the time to start worrying about this," says Ashton. Backers of the EPC standard want to eventually go beyond shipping containers and pallets and replace all of the barcode labels on individual store items with EPC RFID tags. That way, companies will be able to track an item from the assembly line to the register, and even into a consumer's home.

But EPC Gen 2 tags can be cloned and spoofed by counterfeiters and thieves targeting the supply chain, says Ashton. (See "RFID Attacks") For example, crooks could clone tags from authentic Louis Vuitton handbags and place them on fake items. In a spoofing scenario, a laptop emitting RF signals could tell a warehouse reader that a shipment of video game consoles is accounted for, long after thieves have made off with the units. Or, criminals lurking outside a retail store could intercept transmissions between EPC tags and checkout readers--called a side-channel attack--to snag the details of a transaction, such as potentially sensitive drug purchase information.

Eventually, more sophisticated attacks against RFID tags will take place within stores, says Novak. For example, early retail store hackers might be able to write new item descriptions and prices to RFID-tagged items. Rather than paying $2,500 for a flat-screen HDTV, for example, "an RFID hacker could program the tag to ring up as a less expensive product."

The U.S. Department of Homeland Security is planning to use EPC Gen 2 tags in its PASS Card border ID system. The PASS Cards will be an accepted substitute for passports at some U.S. border checkpoints.

That's not a good idea, says Ari Juels, principal research scientist and manager at RSA Security's RSA Labs.

"Using EPC tags for border control--that's worrisome," says Juels, who is among the coauthors of the RFID credit card hacking study with Fu. Unlike the RFID technology used in credit cards, EPC Gen 2 tags "have very few explicit security features," he says.

Juels says that someone could possibly scan the EPC tag on a PASS Card border ID from several feet away and create a makeshift radio device, if not a cloned tag, which emits the same uniquely identifiable data as that tag.

This was first published in January 2007
