RFID tags

Sun Aug 8 16:39:32 CEST 2004

REPLY TO: D66 at nic.surfnet.nl

Mark Giebels wrote:

> REPLY TO: D66 at nic.surfnet.nl
>>From: Bart Meerdink

>>In ieder geval zullen de tags niet meer moeten reageren op scanners
>>nadat ze hun functie hebben vervuld.
>
> Maar wanneer is hun functie vervuld? Welke data en datakoppelingen staan
> we toe? Wie is eigenaar van de data? Wie heeft toegang? Waar en hoelang
> mag het worden opgeslagen? Dat zijn de relevante vragen. Naast de
> functionaliteiten van de chip zelf die gereguleerd moet worden, is
> vooral ook het informatiebeheer en management eromheen van enorm belang.
> Ik ben een techneut en vind dit allemaal dus prachtig, maar het kan ook
> gemakkelijk tot een flinke aantasting van onze privacy leiden. En ik
> weet niet of het zo verstandig is om in het huidige klimaat die
> politieke keuzes maar aan de VS over te laten.. Alhoewel, Nederland
> heeft nou niet bepaald een goede track-record wat betreft privacy, dus
> veel kunnen we van Nederland ook niet verwachten.

http://www.forbes.com/business/commerce/2004/07/29/cx_ah_0729rfid.html
Forbes.com: A Hacker's Guide To RFID
"
Retail
A Hacker's Guide To RFID
Arik Hesseldahl, 07.29.04, 2:49 PM ET

Of all the things that radio frequency identification
technology was supposed to do for retailers--simplifying
inventory management and supply chain issues, for
instance--creating a new type of theft wasn't one of them.
But that is exactly what could happen, and a German
information security consultant can prove it. Consider the
following scenario.

A would-be scofflaw heads into a grocery store where all the
products have RFID tags on them. Rather than paying $7 for a
bottle of shampoo, he'd rather pay $3. To make that happen,
he whips out a PDA equipped with an RFID reader and scans
the tag on the shampoo. He replaces that information with
data from the tag on a $3 carton of milk and uploads it to
the shampoo bottle tag. When he reaches the check-out
stand--which just happens to be automated--he gets charged
$3 instead of $7, with the store's computer systems none the
wiser.

Lukas Grunwald, the German consultant, says this is not only
possible, he's done it. That is, he's changed the
information on the RFID tag. He didn't actually steal
anything. To prove his point and let others learn about RFID
tag security, he's created a free software program called
RFDump that is the result of a few years of research into
RFID. He presented his findings and announced the release of
the software at the Black Hat Security Briefings conference
in Las Vegas today.

"There is a huge danger to customers using this technology,
if they don't think about security," Grunwald says.

This kind of disclosure--complete with a software release
that could potentially be misused--is not unusual for Black
Hat, a gathering where IT security pros talk frankly about
the latest in computer security problems and how to solve
them. But don't put your Luddite hat back on just yet.

Companies like Wal-Mart Stores (nyse: WMT - news - people )
and Target (nyse: TGT - news - people ) are slowly embracing
RFID as the next great boost to their supply chains. But
they, like most companies, aren't yet tagging individual
items, which is what Grunwald hacked at a store belonging to
the Metro retail chain. Instead, they are putting RFID tags
only on large cases and shipping pallets until the cost of
item-level tagging comes down. A Wal-Mart spokesman says
there is no price information on its pallet tags.

Albrecht Truchsess, a spokesman for Metro, says the company
is now creating item-level tags for three products: cream
cheese from Kraft Foods (nyse: KFT - news - people ),
Pantene Shampoo from Procter & Gamble (nyse: PG - news -
people ) and razor blades from Gillette (nyse: G - news -
people ). He also says that since the tags are being tested
only at Metro's Future Store, a demonstration project
bringing together several new retail technologies, their
security isn't strong by design.

"What we're doing in the Future Store is using the RFID tags
for smart-shelf applications," says Truchsess, referring to
shelves that track what has been placed on them. "And the
sort of tags we're using are very basic. It's really just a
test right now."

Metro expects it will take ten years or more before all
store items have their own RFID tags on a regular basis.
"The ones we're using now cost about 30 or 40 cents each,"
says Truchsess. "More secure tags are too expensive right now."

Pete Abell, an RFID consultant at Boston-based EPCGroup,
says that as stores adopt the technology beyond the test
phase, any shopper who brought his own RFID reader into a
store would likely be detected. Secondly, he says, tags on
products would be programmed to respond only to authorized
readers. Finally, he says, the industry is working on
stronger encryption than what is available now. "Currently
there's only 8-bit encryption available, and that is pretty
easy to get around," he says. "And in this case I doubt even
that was in place."
"

 > Maar goed, mede daarom heeft D66 ook nog steeds
 > bestaansrecht.

Gelukkig maar. :)

Henk Elegeert

**********
Dit bericht is verzonden via de informele D66 discussielijst (D66 at nic.surfnet.nl).
Aanmelden: stuur een email naar LISTSERV at nic.surfnet.nl met in het tekstveld alleen: SUBSCRIBE D66 uwvoornaam uwachternaam
Afmelden: stuur een email naar LISTSERV at nic.surfnet.nl met in het tekstveld alleen: SIGNOFF D66
Het on-line archief is te vinden op: http://listserv.surfnet.nl/archives/d66.html
**********