July 21 2006 02:53 PM

There have been a lot of recent "news" stories about so-called RFID "hacker software" that was released at the Black Hat security conference. Developed by a German computer consultant, this hacker software claims to be able to read the data from any RFID tag and even change it! Mainstream and technical media alike have jumped on this revelation and have imagined a number of different scenarios that predict dire consequences. The hacker software program's developer claims to have read and rewritten EPC data from an ISO tag successfully. And this, so he says, shows the vulnerability of the technology to attack. He has made the program available to anyone who wants it.
 
Following this startling announcement, articles with headlines such as "RFID an Opportunity for Shoplifters, Says Experts," "A Hacker's Guide to RFID" and "RFID Hacking Tools Released" all suggest that RFID tags are even more vulnerable than, say, your PC or Wireless LAN to attacks by hackers and other miscreants. The articles imagine possible "hacker" activities that range from low-level "shoplifting," where customers change the EPC data on a product in order to pay less than the actual price, to high-tech, where thieves rewrite product ID on a truckload of computer chips to facilitate theft. Even the "industry experts" cited in some of the articles admit that it's possible to read and write to these tags because current EPC tags don't have encryption. With this level of insecurity, who in his right mind would trust important data to an RFID tag or label?
 
The Reality Check
What these reporters overlooked (or didn't know) is that the hacker software does exactly what you're supposed to be able to do with RFID tags. You're supposed to be able to read them. You're supposed to be able to change the data on rewritable tags. The "startling" announcement was equivalent to announcing hacker software that (gasp!) could read and write data on a CD-R/W disk!
 
The amount of media buzz created by this hacker software clearly showed two things:
1) reporters, as well as the general public, are generally unaware of the fundamental design and wide range of options of RFID technology, and
2) it's far more important to have a good headline than good facts.
 
The Technology Story
Why was the media so easily misled? RFID is still a relatively new and relatively complex technology, with all the variations, options and capabilities available. To give this a bit of perspective, from the earliest implementation of U.P.C. barcodes, newspaper articles would periodically appear claiming that barcode "scanner errors" were responsible for continually overcharging customers. It is only now, after more than 30 years, that reporters have finally understood that overcharging and other pricing variants are due to inaccurate data in the store's database, not barcode misreads.
 
So, to help you understand the issues the next time you see scary headlines about RFID or EPC, here are some of the pertinent facts that were overlooked in these articles:
 
1) EPC labels that would be used on products are either preprogrammed (read-only) or write-once read-many (WORM). In other words, they cannot be rewritten by anyone: the manufacturer, the store or a "shoplifter." (Think of a CD-ROM.)
 
2) All RFID tags, even read/write tags, have a burned-in serial number that cannot be changed. This serial number could serve as a security feature to provide a backup link to verify that the data in the shipper's database matches the data on the label. (Think of a computer hard drive's serial number that remains fixed even if the drive is reformatted.)
 
3) You cannot write data to labels through the metal walls of a trailer. You would have to open the trailer and rewrite each label one at a time.  (If you have the time and opportunity to do this, why even bother rewriting the tags?)  Even if you did rewrite all the tags, the idea is to automatically read shipment data as shipments arrive.  The sudden appearance of a trailer load of, say, red rubber balls when you were expecting CPUs would be instantly noticeable.
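
The cross-check that points 2 and 3 describe, sketched as an added example (not code from the article or from any RFID vendor): tag reads at a receiving dock are reconciled against the shipper's manifest, keyed on each tag's fixed serial number. The serial strings, product strings and the `reconcile` function are constructed for illustration.

```python
from collections import defaultdict

def reconcile(manifest, reads):
    """Compare dock reads with the shipper's manifest.

    manifest: {serial: data the shipper recorded for that tag}
    reads:    [(serial, data read from the tag), ...]; a reader may
              report the same tag more than once.
    Returns {finding: sorted list of serials}.
    """
    seen = defaultdict(set)
    for serial, data in reads:
        seen[serial].add(data)

    findings = {k: [] for k in
                ("ok", "rewritten", "conflicting", "unknown_serial", "missing")}
    for serial, values in sorted(seen.items()):
        if serial not in manifest:
            findings["unknown_serial"].append(serial)   # tag the shipper never listed
        elif len(values) > 1:
            findings["conflicting"].append(serial)      # same serial, different data
        elif manifest[serial] not in values:
            findings["rewritten"].append(serial)        # data no longer matches record
        else:
            findings["ok"].append(serial)
    findings["missing"] = sorted(set(manifest) - set(seen))  # expected, never read
    return findings

# Constructed sample data: four tagged cartons of CPUs were shipped.
MANIFEST = {
    "SER-0001": "CPU-MODEL-A/LOT-17",
    "SER-0002": "CPU-MODEL-A/LOT-17",
    "SER-0003": "CPU-MODEL-A/LOT-17",
    "SER-0004": "CPU-MODEL-A/LOT-17",
}
READS = [
    ("SER-0001", "CPU-MODEL-A/LOT-17"),
    ("SER-0001", "CPU-MODEL-A/LOT-17"),      # repeat read, same data: normal
    ("SER-0002", "RED-RUBBER-BALL/LOT-02"),  # data differs from shipper's record
    ("SER-0003", "CPU-MODEL-A/LOT-17"),
    ("SER-0003", "RED-RUBBER-BALL/LOT-02"),  # one serial reporting two payloads
    ("SER-9999", "CPU-MODEL-A/LOT-17"),      # serial not on the manifest
]

if __name__ == "__main__":
    for finding, serials in reconcile(MANIFEST, READS).items():
        print(f"{finding:15} {serials}")
```

Only the `ok` bucket should be received automatically; every other bucket is a discrepancy between the label and the shipper's database that the arrival read surfaces immediately.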
 
The Real Story
Buried in all these reports was the fact that the hacker software developer read and rewrote EPC data on an ISO tag.  While this hardly seems significant (in fact, only one of the articles mentioned it), it is a very important detail. ISO and EPC tags are very different; they use different protocols and have different capabilities and data capacities.
 
While it might be a somewhat valid exercise to show that you can read and rewrite EPC data on an ISO read/write tag (remember, you're supposed to be able to do this), using this type of tag as an "item level" example is completely spurious. Had the developer attempted to use a real EPC tag, his demonstration of the "vulnerability" of EPC item-level tags would have failed. This situation only serves to underscore the fact that, from a purely technical perspective, RFID is more complex (or "option rich") than most people realize. However, from a user perspective, all the tools to read and write both ISO and EPC tags are already in place (no need for special hacker software). The fact that the available tools are fairly "agile" in order to make the technology relatively straightforward for users can also make it seem as if RFID is a single technology solution where all of the different options are more-or-less interchangeable. The growth and standardization of 802.11 a/b/g (WiFi) has reinforced this mindset. Unfortunately, it's not a good analogy.
 
Readers and encoders do exist that can recognize both ISO and EPC protocols, but that doesn't mean the protocols are the same thing. It would be like saying that, since a 747 and a B1 bomber are both aircraft and use the same type of fuel, they are essentially equivalent.
 
The Bottom Line
Because the current generation of RFID is a new technology, there have been many really interesting (but completely erroneous) reports about its use and potential abuse. As a result, misinformation about RFID abounds and has taken on a life of its own. Repeated often enough, misinformation begins to seem like fact.
 
Many allegations about the potential use of RFID include the phrase "it's possible..." The phrase is widely used both by proponents and opponents of RFID. That phrase, however, is usually a clue that what follows is speculation.
 
It will be up to you, as an educated reader, to analyze news reports, even those from responsible media, to see if the reporter truly understands the technology. At this point, odds are that you know more about it than most reporters do.
 
Dan Mullen is the president of AIM Global. For more information about AIM and RFID, please visit www.rfid.org.
 
