What's Lurking in That RFID Tag?

Gear used to track everything from pickle jars to medicines may be vulnerable to viruses and hackers, say some. The impact of a successful attack would go far beyond your corner store

Computer hackers may have found their next frontier.

A hacker goes into a store, buys a can of soup with an electronic tracking tag glued to the side, and takes it home. There, he attaches a different tag, this one with malicious code. He goes back to the store and lets the item get scanned anew at the cash register. This time, the code jumps from the tag onto the store's computer system, changes product prices and skews sales data, and creates an entrée for an outsider to gain access to the store's internal databases.

This isn't the stuff of hacker lore, says Andrew Tanenbaum, professor of computer science at Vrije Universiteit in Amsterdam. On Mar. 15, he presented a paper outlining why he believes that scenario could very well be played out in so-called radio-frequency identification (RFID) tags that are being used in growing numbers around the world to help companies track shipped items.

Sellers of RFID tags, scanners, and related software were quick to take issue with Tanenbaum's doomsdaying. "It's great in theory, it's almost impossible in practice," says Larry Blue, vice-president and general manager of the RFID tag business at RFID equipment maker Symbol Technologies (SBL). He cites tight security safeguards that are part of the chip's design and related system software (see BW Online, 9/19/05, "Symbol: A Question of Trust").


  But Tanenbaum, known for his operating system design research, says a graduate student of his wrote a virus in about four hours, and that virus worked on the standard RFID equipment set up in his lab. "This is a wake-up call," Tanenbaum says. "Guys, it's time to spend some money [to beef up RFID security]." He addressed his comments to software vendors such as SAP (SAP) and Oracle (ORCL), whose databases are used to store information from RFID systems.

And Tanenbaum is not alone. Other researchers point out weaknesses in a host of RFID gear, from chips placed onto products, to scanners that read the tags and transfer the data onto databases. They fret that RFID-related viruses and hacker attacks could skyrocket in the coming months. "An RFID [chip] is just a small portable computer without a screen and a keyboard that interacts with the world through radio," says Bruce Schneier, CTO at Counterpane Internet Security, a provider of managed security services. "It's possible RFID can't be hacked, but that would be the first time in the history of computing [that a computer was created that can't be hacked]."

If the concerns prove founded, the impact would be felt far beyond the corner grocery store. RFID is used for a range of tasks, from identifying pets to paying for gas, by just about everyone from Wal-Mart (WMT), the world's largest retailer, to the Dept. of Defense. There are hundreds of millions of RFID tags being used worldwide today, and the tally will reach tens of billions within seven years, says Erik Michielsen, an analyst at tech consultancy ABI Research. By then, more RFID chips will in use than all other types of computers -- PCs to cell phones -- combined (see BW Online, 9/12/05, "RFID: Will China Throw a Monkey Wrench?").


  There's a growing financial incentive for would-be RFID hackers, too. RFID tags are increasingly used in credit card payments and other financial transactions. "I do expect it to be a huge problem," says Counterpane's Schneier. MasterCard is introducing a method for so-called contactless payments using RFID technology. PayPass cards, which can be simply tapped on a scanner, are already accepted by 25,000 merchants worldwide. And cell-phone makers like Motorola (MOT) are considering incorporating contactless payments into mainstream mobile phones.

As RFID chips accommodate more complex functions, they become increasingly vulnerable. "As new generations [of computers] come out, usually there are increased complexity and features, [that lead to] increased security problems," says Avi Rubin, professor of computer science and technical director of the Information Security Institute at Johns Hopkins University. "Plus, other industries have shown that every new generation has its own set of security problems."

Rubin and several students broke encryption in a popular RFID system embedded in more than 150 million wireless car keys and over 6 million key chains used to pay for gas, according to a study published last year. To break the code, the investigators linked 16 commercially available microchips, costing less than $200 apiece, and programmed them to look for the security key for a tag owned by one of the researchers. The system cracked the code in 15 minutes.


  Even with recent improvements, most RFID chips remain easy to break, Rubin asserts. One reason: the cheapest and most popular RFID chips don't have a battery; instead, they're powered by the reader when scanned. That limits the amount of encryption that can be placed on a chip, Rubin says.

Lacking their own power source, the chips are also susceptible to so-called power-consumption hacks. Adi Shamir, a professor of computer science at the Weizmann Institute of Science, announced in February that he and a student researcher were able to hack into an RFID tag and extract its kill password, which is a code that effectively makes the tag self-destruct.

The researchers deduced the password by monitoring the tag's power consumption. (It turns out, the tag's power consumption rises when it receives incorrect data from the reader). The researchers uncovered the tag's kill code in three hours. While that tag was dated, more recent iterations, which came on the market in the second half of 2005, could react in similar ways, the researcher says. And a tag can be hacked with a tool as simple as a cell phone.


  To be sure, new chips used for potentially high-value financial transactions have more safeguards. They can be adjusted so that they can be read only from a very short distance of a few inches, for example. That would prevent hackers from reading cards as shoppers pass through a nearby checkout line. They also contain more encryption. (They're also more expensive, at $4 or more per tag, compared with about 20 cents for your average RFID tag.)

And RFID industry defenders point out that the technology is improving at a rapid clip. Already, Gen 2 RFID tags don't broadcast their numbers over the air and can lock their passwords so they can't be written over. And for applications where security is paramount, more expensive and capable tags offer better security. "Safeguards need to be taken on an application-by-application basis," says Julie England, vice-president and general manager of Texas Instruments' (TXN) RFID systems business. Thus, RFID tags marking bottles with medicine might be more secure than those marking paper towels.

Better security is also one of the top issues being tackled by EPCglobal, which is developing industry-wide standards for RFID systems used in the supply chain as it maps out upcoming improvements. "We believe these tags are very secure [already]," says Sue Hutchinson, director of industry adoption for EPCglobal. "But academic papers are often a good reminder for all of us that we need to continue to be vigilant."

Before it's here, it's on the Bloomberg Terminal.