Recognize the Lies about RFID

Ah, sweet September. Time to start thinking about all those upcoming autumn chores — like gearing up for all the AIDC trade shows and seminars and getting ready to deal with the piles of marketing hype from vendors and dubious information from naive mainstream media types.

There's a joke that went around in the 1980s when PCs were the "hot" item:

Q: "What's the difference between a used car salesman and a PC salesman?"

A: "The used car salesman knows when he's lying to you."

This is still true when it comes to some technology today — especially RFID.

According to the great English playwright George Bernard Shaw, you should "Beware of false knowledge; it is more dangerous than ignorance."

This is certainly true when reading technology news — either from vendors or the mainstream media.

RFID is at a point where everyone seems to know about it (and feel they have to write about it) but not enough people really understand it — what it is, how varied the product types are, what it can do and what it can't do. At this point, you probably know more about RFID than many of the so-called authorities cited by many of these news articles.

That would be a scary thought except for the fact that you're reading this column (and subscribe to MHM) to get the real story about AIDC technology.

Still, you have to keep on your toes to be able to differentiate news that is really "news" from stories that just make good headlines.

Here's a case in point:

Recent media reports about the Black Hat security event in Las Vegas have made a great deal of "RFID hacker software" developed by a German consultant (RFIDump) that can read the data from RFID tags — and even change it. This, he claims, poses real dangers to retailers who want to use RFID.

This is not just theoretical, he says; he has actually done it (replaced data on an RFID tag). Given this capability, he says, customers could easily change the data on a tag at a retail store and essentially "rob" the store by paying far less than what they're supposed to pay for their purchase.

Reporters from many reputable publications (print and electronic) jumped on this "threat to retailers" and pretty much swallowed the story whole.

One article posited the following scenario: a shopper replaces the data on the RFID tag on a $7 bottle of shampoo with data from a $3 bottle of milk, then goes through an automated checkout scanner — and the store's computer system would be none the wiser.

Gasp!


This is something we really need to worry about, right? Sure, if you ignore all the inconvenient facts.

Stop and think — get in the habit of doing this, you'll need it — what kind of tags will be on products at retail (if and when that happens)? Read/write tags? Or WORM (write once, read many) tags?

Which are cheaper? Why, WORM tags are. And which would manufacturers put on products such as bottles of shampoo? Expensive tags or less expensive tags? Why, less expensive tags, of course.

So, if products are going to have WORM tags on them, how exactly are you going to change data on a read-only tag?

Oh. You can't. It's like having a CD-RW drive in your computer but a read-only CD.

Hmmmm.

OK, then, how about the claim that this "hacker software" is capable of reading data from any RFID tag and even replacing it with other data?

Stop and think again. If these are read/write tags, aren't you supposed to be able to ... well ... read them and write to them? In other words, he's claiming to have developed software to make read/write tags do exactly what they're supposed to.

Oh, my!

Yes, there are security issues with using RFID read/write tags. Yes, basic encryption should be used. And, yes, systems need to be put in place to ensure the integrity of data on a tag.

But the biggest threat we face today may be bad information from well-meaning sources.

So, keep on your toes. And when you read articles on either how great or how dangerous technology is, stop and think. Often.

