I can't wait for RFID hacking

Paul C. Anagnostopoulos

According to Katherine Albrecht, our every move will soon be tracked using RFID chips:

http://www.amazon.com/gp/product/1595550208/002-7631507-6768815?v=glance&n=283155&v=glance

Ignoring the privacy issues for a moment, I can't wait to start hearing the stories of people hacking these chips and playing pranks on retail stores that use them.

Imagine, for example, that my Barnes & Noble discount card contained an RFID and they tracked me at their store as I move about the place. So I send 10 friends out to purchase B&N discount cards, take them all into one store, and proceed to glue them to movable objects such as book carts or vacuum cleaners. Imagine the fun!

Lead-lined billfolds, anyone?

Can I build a little transmitter that uses the same frequency and protocol as RFID chips? Sure I can.

This is going to be loads of fun.

~~ Paul
 
This topic stuck out, though I don't normally visit this forum. Out of curiosity, could someone fry RFID chips he didn't want with an EMP weak enough not to affect much else? Or is there some other easy method for killing unwanted RFIDs in your stuff?
 
According to Katherine Albrecht, our every move will soon be tracked using RFID chips:

http://www.amazon.com/gp/product/1595550208/002-7631507-6768815?v=glance&n=283155&v=glance

Ignoring the privacy issues for a moment, I can't wait to start hearing the stories of people hacking these chips and playing pranks on retail stores that use them.

Imagine, for example, that my Barnes & Noble discount card contained an RFID and they tracked me at their store as I move about the place. So I send 10 friends out to purchase B&N discount cards, take them all into one store, and proceed to glue them to movable objects such as book carts or vacuum cleaners. Imagine the fun!

Lead-lined billfolds, anyone?

Can I build a little transmitter that uses the same frequency and protocol as RFID chips? Sure I can.

This is going to be loads of fun.

~~ Paul

No kidding!

It’s going to be simple to make, say, jamming devices for these things. How about all the RFID chips go down in an entire building because someone hides a little breadboard rig under a ceiling tile. In fact you could probably burn out the receivers with about the same juice that an ordinary FM transceiver puts out.
 
Albrecht acknowledged that a store could disable the RFID chips in their merchandise as you paid for it. However, she thought this would be too expensive and stores wouldn't do it. I'm not sure why it would be any more expensive than disabling the security card that's placed in the items. In fact, you could probably use the RFID as a security card and not bother with separate ones at all.

~~ Paul
 
Could you make an RFID detector that homes in on the RFID chip in a particular item, so you can figure out where it is?

~~ Paul
 
Bronzedog- Put it in a ziploc bag. Put bag in microwave.
30 seconds at ~600W ought to do it. Don't touch the plastic till the chip cools or you'll warp the card. (Or whatever the matrix is.) :)


I'm sure Roger Coghill will soon produce a pendant to block RF radiation anyway.
 
RFID chips susceptible to viruses

AMSTERDAM (Reuters) - Cheap radio chips that are replacing the ubiquitous barcode are a threat to privacy and susceptible to computer viruses, scientists at a Dutch university said on Wednesday.

Researchers at Amsterdam's Free University created a radio frequency identity (RFID) chip infected with a virus to prove that RFID systems are vulnerable despite the extremely low memory capacity on the cheap chips.

The problem is that an infected RFID tag, which is read wirelessly when it passes through a scanning gate, can upset the database that processes the information on the chip, says the study by Melanie Rieback, Bruno Crispo and Andrew Tanenbaum.

"Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong," the scientists said in a paper.

"An RFID tag can be infected with a virus and this virus can infect the back-end database used by the RFID software. From there it can be easily spread to other RFID tags," they said.

As a result, it is possible that criminals or militants could use an infected RFID tag to upset airline baggage handling systems with potentially devastating consequences, they said.

The same technology could also be used to wreak havoc with the databases used by supermarkets.

Wonderful.
 
Smaller than a grain of sand?

Anyway, there's one problem with taking out these chips. I have little doubt that a proprietary system will at least be incorporated into computer hardware. Put these chips in a gallon of milk or a sweater, and it doesn't matter if the chip is fried or not. The milk and the sweater still work. However, a piece of hardware could be wired with a little receiver and designed to simply not function unless it detected the RFID tag.

So, to at least some extent, they could force us to simply "deal with it".
 
According to Katherine Albrecht, our every move will soon be tracked using RFID chips:
Not if I wear my tinfoil hat! Take that, G-man!

Let me use my immense psychic power to predict that RFID will be largely used to improve tracking of shipments and merchandise. There will be a few reports of personal information being compromised and privacy being violated, but these will turn out to largely be isolated incidents or mistakes.

Perhaps they'll fluoridate the chips too, to make them extra powerful.
 
It does seem a little extreme to think the things will actually be used for such evil purposes.

So what if they are small? If they are being used, the signal is detectable. The conspiracy crowd should easily be able to scan everything they own to see if it is emitting an RF signal and then they can just fry the thing. I really doubt stores won't have a way to turn it off. How else are they going to avoid the alarms going off when someone leaves the store? They could manually disable it while walking customers out or something, but then that defeats the whole point, because while that alarm is disabled, who knows what stolen goods that customer might be hiding in their pocketses?

I look forward to this because it's a step closer to not having to interact with a single human at the store.

I can only add that while I mention computer hardware can be designed not to function unless its RFID is broadcasting correctly, I really doubt any hardware manufacturer is actually going to do that (aside from perhaps military installations I suppose). Think of how much people screamed about the Pentium 3 ID tags, combined with how little any company is going to care where their stuff is after someone has already paid for it and one might conclude a business has no motivation at all to keep those things tracking your every movement outside the store.
 
Wives tracking errant husbands who have switched off their GPS phones might be one useful source of revenue.
 
I really doubt stores won't have a way to turn it off. How else are they going to avoid the alarms going off when someone leaves the store? They could manually disable it while walking customers out or something, but then that defeats the whole point, because while that alarm is disabled, who knows what stolen goods that customer might be hiding in their pocketses?
I think the way this would actually work:

I buy a sweater with RFID tag 123456789. At the register, the computer tells the database that 123456789 has been bought, and is no longer in inventory.

When I step out the door, the scanner reads the RFID tag as 123456789, and checks the database. When it sees that 123456789 has been bought, it doesn't go off. But, it finds I've got a pair of socks with RFID tag 010101010 that I didn't have cleared at the register, and is still in the store inventory. THEN it sounds the alarm.
 
Bronze said:
When I step out the door, the scanner reads the RFID tag as 123456789, and checks the database. When it sees that 123456789 has been bought, it doesn't go off. But, it finds I've got a pair of socks with RFID tag 010101010 that I didn't have cleared at the register, and is still in the store inventory. THEN it sounds the alarm.
Okay, so we need a little device to broadcast RFID 123456789. Then we walk in and out of the store ten times.

~~ Paul
 
Originally Posted by Bronze :
When I step out the door, the scanner reads the RFID tag as 123456789, and checks the database. When it sees that 123456789 has been bought, it doesn't go off. But, it finds I've got a pair of socks with RFID tag 010101010 that I didn't have cleared at the register, and is still in the store inventory. THEN it sounds the alarm.


I hadn't thought of that, but yes it could easily work like that. Problem is, now that ID number is no longer usable. If I buy a shirt and wear it back into the store with that RFID still in place, I had better not be setting off alarms walking back in, so they would have to disable it. It seems a little counterproductive to actually assign each item its own number when only every item TYPE needs its own number though...

Okay, so we need a little device to broadcast RFID 123456789. Then we walk in and out of the store ten times.

~~ Paul

I'm not sure I understand this. The RFID with the bought item in his model doesn't turn OFF the scanner, it just doesn't set the alarm off. The scanner is still scanning all the other RFIDs you may have and will go off the second it detects something you didn't buy. How does walking in and out 10 times prevent this from happening?
 
I think the way this would actually work:

I buy a sweater with RFID tag 123456789. At the register, the computer tells the database that 123456789 has been bought, and is no longer in inventory.

When I step out the door, the scanner reads the RFID tag as 123456789, and checks the database. When it sees that 123456789 has been bought, it doesn't go off. But, it finds I've got a pair of socks with RFID tag 010101010 that I didn't have cleared at the register, and is still in the store inventory. THEN it sounds the alarm.

Ok, the next time I walk into the store, after their security database crashes, what happens?
 
Jaguar said:
I'm not sure I understand this. The RFID with the bought item in his model doesn't turn OFF the scanner, it just doesn't set the alarm off. The scanner is still scanning all the other RFIDs you may have and will go off the second it detects something you didn't buy. How does walking in and out 10 times prevent this from happening?
So it goes off and they nab me. They then check their database and find the item was bought a week ago, by someone else, and it was a pair of socks instead of a weedwhacker.

Even better, walk in and out of different stores.

~~ Paul
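
The exit-gate check Bronze describes, with the two cases the replies raise (a sold tag ID that keeps passing the gate, and the inventory database being down), as an added example that is not part of the original thread. The class names, the review threshold and the choice to defer rather than alarm during an outage are assumptions made for illustration; the tag IDs are the ones used in the posts.

```python
from collections import Counter
from enum import Enum

class Status(Enum):
    IN_INVENTORY = "in_inventory"
    SOLD = "sold"

class InventoryUnavailable(Exception):
    """Raised when the back-end inventory database cannot be reached."""

class ExitGate:
    def __init__(self, inventory, review_threshold=5):
        self.inventory = inventory        # tag id -> Status (stand-in for the database)
        self.available = True             # set False to simulate a database outage
        self.sold_reads = Counter()       # gate reads per already-sold tag id
        self.review_threshold = review_threshold  # assumed value, tune per store
        self.deferred = []                # reads held for later review during an outage

    def sell(self, tag):
        # Register step: the serial is marked bought and leaves inventory.
        if self.inventory.get(tag) is not Status.IN_INVENTORY:
            raise ValueError(f"tag {tag} is not in inventory")
        self.inventory[tag] = Status.SOLD

    def _lookup(self, tag):
        if not self.available:
            raise InventoryUnavailable()
        return self.inventory.get(tag)    # None: a tag this store never stocked

    def scan(self, tags):
        """Return (decision, unpaid_tags, review_tags) for one pass through the gate."""
        unpaid, review = [], []
        try:
            for tag in tags:
                status = self._lookup(tag)
                if status is Status.IN_INVENTORY:
                    unpaid.append(tag)    # never cleared at the register
                elif status is Status.SOLD:
                    # A sold item worn back in is normal; the same serial read
                    # far more often than that is queued for staff review.
                    self.sold_reads[tag] += 1
                    if self.sold_reads[tag] > self.review_threshold:
                        review.append(tag)
        except InventoryUnavailable:
            # Assumed policy: no alarm without data; keep the reads for audit.
            self.deferred.append(list(tags))
            return ("DEGRADED", [], [])
        return ("ALARM" if unpaid else "PASS", unpaid, review)
```

The gate never treats a sold ID as proof of purchase for anything else: every tag in the read is looked up on its own, so a sold serial does not suppress the alarm for an unsold one.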
 
