A quick review of contents on this RFID tutorial is here:
- RFID to Introduction
- RFID Technology and Architecture
- RFID Standards
- RFID Applications
- RFID Security
- RFID Competing Technologies
Of all the things that radio frequency identification technology was supposed to do for retailers--simplifying inventory management and supply chain issues, for instance--creating a new type of theft wasn't one of them. But that is exactly what could happen, and a German information security consultant can prove it. Consider the following scenario.
A would-be scofflaw heads into a grocery store where all the products have RFID tags on them. Rather than paying $7 for a bottle of shampoo, he'd rather pay $3. To make that happen, he whips out a PDA equipped with an RFID reader and scans the tag on the shampoo. He replaces that information with data from the tag on a $3 carton of milk and uploads it to the shampoo bottle tag. When he reaches the check-out stand--which just happens to be automated--he gets charged $3 instead of $7, with the store's computer systems none the wiser.
Lukas Grunwald, the German consultant, says this is not only possible, he's done it. That is, he's changed the information on the RFID tag. He didn't actually steal anything. To prove his point and let others learn about RFID tag security, he's created a free software program called RFDump that is the result of a few years of research into RFID. He presented his findings and announced the release of the software at the Black Hat Security Briefings conference in Las Vegas today.
"There is a huge danger to customers using this technology, if they don't think about security," Grunwald says.
This kind of disclosure--complete with a software release that could potentially be misused--is not unusual for Black Hat, a gathering where IT security pros talk frankly about the latest in computer security problems and how to solve them. But don't put your Luddite hat back on just yet.
Companies like Wal-Mart Stores (nyse: WMT - news - people ) and Target (nyse: TGT - news - people ) are slowly embracing RFID as the next great boost to their supply chains. But they, like most companies, aren't yet tagging individual items, which is what Grunwald hacked at a store belonging to the Metro retail chain. Instead, they are putting RFID tags only on large cases and shipping pallets until the cost of item-level tagging comes down. A Wal-Mart spokesman says there is no price information on its pallet tags.
Albrecht Truchsess, a spokesman for Metro, says the company is now creating item-level tags for three products: cream cheese from Kraft Foods (nyse: KFT - news - people ), Pantene Shampoo from Procter & Gamble (nyse: PG - news - people ) and razor blades from Gillette (nyse: G - news - people ). He also says that since the tags are being tested only at Metro's Future Store, a demonstration project bringing together several new retail technologies, their security isn't strong by design.
"What we're doing in the Future Store is using the RFID tags for smart-shelf applications," says Truchsess, referring to shelves that track what has been placed on them. "And the sort of tags we're using are very basic. It's really just a test right now."
Metro expects it will take ten years or more before all store items have their own RFID tags on a regular basis. "The ones we're using now cost about 30 or 40 cents each," says Truchsess. "More secure tags are too expensive right now."
Pete Abell, an RFID consultant at Boston-based EPCGroup, says that as stores adopt the technology beyond the test phase, any shopper who brought his own RFID reader into a store would likely be detected. Secondly, he says, tags on products would be programmed to respond only to authorized readers. Finally, he says, the industry is working on stronger encryption than what is available now. "Currently there's only 8-bit encryption available, and that is pretty easy to get around," he says. "And in this case I doubt even that was in place."
Introduction to RFID
Radio frequency identification (RFID) is a general term that is used to describe a system that transmits the identity (in the form of a unique serial number) of an object wirelessly, using radio waves.
RFID technologies are grouped under the more generic Automatic Identification(Auto ID) technologies.
The barcode labels that triggered a revolution in identification systems long time ago, are inadequate in an increasing number of cases. They are cheap but the stumbling block is their low storage capacity and the fact that they cannot be reprogrammed.
A feasible solution was putting the data on silicon chips. The ideal situation is contactless transfer of data between the data carrying device and its reader. The power required to operate the electronic data carrying device would also be transferred from the reader using contactless technology. These procedures give RFID its name.
One grand commercial vision for RFID is to change the way demand-supply chain moves. In the current almost stone-age scenario, manufacturer produces goods based on forecasts and hopes all of them will be consumed before the shelf life gets them. Good, if the market is consistent. Horrible, if a sudden surge makes the supply fall short and hence everyone in the chain miss on profits. Disastrous, if demand dies suddenly and losses are passed along the chain.
In a not so distant future, RFID enabled stores will monitor the consumption in real time. Shelf will signal the inventory when it needs more stuff and inventory will pull supplies from the manufacturer based on its level of stock.
Simple concept, not-so-difficult implementation and revolutionary results in the pipeline. Thats RFID, in short.