Sour Grapes
Of course we're Fair and Balanced!


Hacking RFID

Michael Geist's Internet Law News pointed me to an encouraging News.Com article that makes it sound like we, the public, if we choose to, will be able to read, write and erase RFIDs after we buy products containing them. The article makes it sound fairly easy for us, the geek public. If there's enough demand, I'm sure some subset of these capabilities, e.g. the ability to erase RFIDs, could be made readily and cheaply available.

While [RFID] technology mostly threatens consumer privacy, the new technology could allow thieves to fool merchants by changing the identity of goods, he [Lukas Grunwald, a senior consultant with DN-Systems Enterprise Solutions GmbH] said....

While expensive RFID reader hardware and hard-to-use software have hindered security research in the area, Grunwald said that's no longer a hurdle. The security expert announced during the session a new software tool that he helped create that can be used to read and reprogram radio tags.

When such tools become widely available, hackers and those with less pure motives could use a handheld device and the software to mark expensive goods as cheaper items and walk out through self checkout. Underage hackers could attempt to bypass age restrictions on alcoholic drinks and adult movies, and pranksters could create confusion by randomly swapping tags, requiring that a store do manual inventory.

Grunwald's software program, RFDump, makes rewriting RFIDs easy. While there are significant malicious uses of the program, consumers could also use it to protect themselves, he said.

RFDump is described as

a tool to detect RFID-Tags and show their meta information: Tag ID, Tag Type, manufacturer etc. The user data memory of a tag can be displayed and modified using either a Hex or an ASCII editor. In addition, the integrated cookie feature demonstrates how easy it is for a company to abuse RFID technology to spy on their customers. RFDump works with the ACG Multi-Tag Reader or similar card reader hardware.

It's available in three forms: as a Perl script, as a Java application, and as a Gtk application. The latter two even have GUIs.
