Shoplifting and… chaos attacks

Today's RFID tags include a fixed (read-only) omnidirectional identifier plus some rewritable memory. As explained in our discussion of the fourth law, the omnidirectional identifier means any party can obtain the identifier and collaborate with other parties about it. This means it is suitable for identifying public entities. Industry spokesmen have said the range of the tags is a maximum of 15 feet.

Tags are smaller than a nickel (basically the size of a drop of crazy-glue) and cost less too. They are already being added to packaging by retailers to keep track of inventory. But recently FutureSalon sent me to a piece by's Robert Lemos about a security expert demonstrating how easily the tags “could be abused by hackers and tech-savvy shoplifters”. The expert, Lukas Grunwald, also said:

“While the technology mostly threatens consumer privacy, it could allow thieves to fool merchants by changing the identity of goods… This is a huge risk for companies, It opens a whole new area for shoplifting as well as chaos attacks...”

When RFID technology was evolving, expensive RFID reader hardware and hard-to-use software hindered security research. But in July, Mr. Grunwald announced a software tool called RFDump that can be used to read and reprogram radio tags. The software is available here.

Writer Robert Lemos pointed out:

“When such tools become widely available, hackers and those with less pure motives could use a handheld device and the software to mark expensive goods as cheaper items and walk out through self checkout. Underage hackers could attempt to bypass age restrictions on alcoholic drinks and adult movies, and pranksters could create confusion by randomly swapping tags, requiring that a store do manual inventory.”

It seems to me that users of RFID can get around some of these problems just by signing the writable data – implying the need to store a little extra data on the chip. This isn't hard since the signatures don't need to be calculated or understood by the tags or readers – only by the application software using the information. Further, the size penalty in bytes depends on how hard you want to make it to crack the signature. You don't need a scheme that costs a billion dollars to crack when protecting the RFID tag on a one dollar razor blade. You just need a scheme that costs at least a dollar per crack. And that isn't very many extra bytes.

Even the chaos attacks can be countered by storing data about the objects in a database where RFID fixed identifiers serve as lookup keys, rather than in writable memory on the tag. And finally, one summer's day when Moore's law has had more time to beautify the planet, RFIDs will be able to support unidirectional identifiers – they will just become invisible to the unauthorized.

Meanwhile, I was looking for the reader supported by RFDump and came across another related product. Guess what? Kiss the 15 foot range concept goodbye:

“Scanpak's RFID Kit contains a new wave of readers and tags developed using active technology. The readers, with a reading range of up to 200 meters, are the most advanced of their kind in the market today. The tags are available with an additional sensor output (light, pressure, temperature, weight). For more info, click here.”

Gee, does that mean a hacker can reprogram an entire shopping center from her seat in the Food Court? How will even the strongest of us ward off the temptation to “bring about” a 100% reduction in outfits by Comme des Garcons?

How do RFIDs relate to the laws?

Clearly the owner of an item has the right to deem it to be “public” – and to track it with an omnidirectional identifier. The question people are asking is, “What happens when it is sold?”. Everyone agrees that the new owner acquires the right to control the identifier. The point in public debate is whether it is incumbant on a retail seller to disable such identifiers at check-out time.

Applying our laws, when an RF tag comes into the possession of an individual user, it becomes an identifier for that user, and thus must not be released without the user's explicit consent (the first law of identity). That means it needs to be disabled unless the user explicitly approves its continued use. Further, the fourth law implies the user must be made aware this kind of identitifier can be detected by any interested party within… 200 meters.

A Global RFID Identity Infrastructure

For those, like me, who only check in on RFID from time to time, some relatively new documents are available at EBC Global Inc., which has now replaced Auto-ID Center. EBC Global is responsible for the Global Data Synchronization Network and the EBC Global Network. The former is a kind of UDDI for classes of things that get RFIDs slapped onto them. The latter is a world-wide object tracking network of practically unlimited scale:

The EPCglobal Network is the method for using RFID technology in the global supply chain by using inexpensive RFID tags and readers to pass EPCs, and then leveraging the Internet to access large amounts of associated information that can be shared among authorized users. To capture data, EPC tags carrying unique EPCs are affixed to containers, pallets, cases and/or individual units. Then, strategically placed EPC readers at gateways throughout the supply chain will read each tag as it passes and communicate the EPC and the time, date and location of the read to the network. EPC Middleware will control and integrate the EPC tags, readers and local infrastructure at the individual site.

Once the information is captured as described above, the EPCglobal Network then utilizes Internet technology to create a network for sharing that information among authorized trading partners in the global supply chain. Similar to Internet technology, the Object Naming Service (ONS) within the Discovery Services serves as White Pages that convert the EPC to a URL, which is then used to point local computers to where information associated with that EPC can be found. From there, actual access to data in the EPCglobal Network is managed at the local level by the EPC Information Services (EPC IS) where the company itself designates which trading partners have access to its information. The result will be a network of information that provides a history of individual product movement in real time.

*NOTE: Most EPC tags will pass only the EPC number to the reader. However, the potential value of more complicated tags with additional functionality justifies their increased cost in certain industries. For example, the food industry may want to add temperature tracking by adding a temperature sensor on tags. If a temperature sensor was added, the current temperature could also be passed to the reader when the tag was read.

In other words, we are looking at an identity system for objects which itself requires an identity system for domains which have owned, or now own the objects. This latter system (and probably the former) should integrate with the unifying identity system being discussed in this blog.

Gee. Do we still have some work to do or what?

Published by

Kim Cameron

Work on identity.