CONTENTS
26.1 Introduction
26.2 Problems with RFID
26.2.1 Technology-Related Problems
26.2.1.1 Problems with RFID Standards
26.2.1.2 RFID Systems Can Be Easily Disrupted
26.2.1.3 RFID Reader Collision/Interference
26.2.1.4 RFID Tag Collision
26.2.2 Security, Privacy, and Ethics Problems with RFID
26.2.2.1 Contents of an RFID Tag Can Be Read after the Item Leaves the Supply Chain
26.2.2.2 RFID Tags Are Difficult to Remove
26.2.2.3 RFID Tags Can Be Read without Your Knowledge
26.2.2.4 RFID Tags Can Be Read at Greater Distances with a High-Gain Antenna
26.2.2.5 RFID Tags with Unique Serial Numbers Could Be Linked to an Individual Credit Card Number
26.2.3 Security Issues
26.3 Concerns about How RFID Will Be Used
26.4 Various Problematic Situations
26.5 Other Security Concerns
26.5.1 Viruses
26.5.2 Passports
26.6 Controversies
26.6.1 Privacy
26.6.2 Human Implantation
26.6.3 Religious Opinion
26.7 Protection against RFID Interception
26.8 RFID Shielding
26.9 Summary
References
26.1 Introduction
Radio frequency identification (RFID)[1] chips are used everywhere. Many examples of deployed RFID technology can be cited: companies and laboratories use the chips as access keys, to start their cars, and as inventory tracking devices. Drug manufacturers rely on chips to track pharmaceuticals. In the near future, RFID tags are also about to get a lot more personal. Next generation U.S. passports and credit cards will contain RFIDs, and the medical industry is exploring the use of implantable chips to manage patients in an effective manner. According to the RFID market analysis firm IDTechEx, the push for digital inventory tracking and personal ID systems will expand the current annual market for RFIDs from $2.7 billion to as much as $26 billion by 2016. The shadow of an RFID chip and antenna when held close to a lamp is shown in Figure 26.1.[2]
During World War II, the British placed radio transponders in Allied aircraft to help early radar system crews distinguish "good" guys from "bad" guys. The first chips were developed in research laboratories in the 1960s, and by the next decade the U.S. government was using tags to electronically authorize trucks coming into Los Alamos National Laboratory and other secure installations. Commercial chips became widely manufactured and available in the 1980s, and RFID tags were used to track difficult-to-manage property such as farm animals and railroad cars. Over the last few years, however, the market for RFIDs has exploded, driven by advances in computer databases and supported by declining chip prices. Now a number of companies, from Motorola to Philips to Texas Instruments, manufacture the chips.[3]
The tags work by broadcasting a few bits of information to specialized electronic readers. Most commercial RFID tags are passive emitters and have no onboard battery:[4] these tags are activated by power from the reader. Once activated, these chips broadcast their signal indiscriminately within a certain range, usually a few inches to a few feet. However, active RFID tags with internal power can send signals hundreds of feet; these are deployed in the automatic toll-paying devices (with names like FasTrak and E-ZPass) that sit on car dashboards, pinging tollgates as autos whiz through.
To protect information, RFID signals can be encrypted using suitable algorithms. The chips that are used for applications like passports, for example, will likely be coded/encrypted to make it difficult for unauthorized readers to retrieve their onboard information (which will include a person's name, age, nationality, and photo and other sensitive information). However, most commercial RFID tags do not include security because it is very expensive.
FIGURE 26.1
Shadow of the RFID chip and antenna when held close to a lamp.
This leaves most RFIDs vulnerable to cloning and data tampering if the RFID chip has a writable memory area. RFID chips that are used to track product shipments or expensive equipment, for example, often contain pricing and item information. These writable areas can be locked, but often they are left unlocked, either because the companies using RFIDs do not understand how the chips work or because the data fields need to be updated frequently. Either way, these chips are open to hacking or tampering of data.
The world of RFID is like the Internet in its early stages. No one had thought about building security features into the Internet in its early stages, and now we are paying for it in viruses and other attacks by adversaries. The same thing is also true of RFIDs (Figure 26.2).
Hacking of RFID chips is very easy. One can steal the smart card, lift someone's passport, jack someone's car, and even clone the chip embedded in an arm. There are many accounts of how RFID has been hacked, and one such case is shown in Figure 26.3.[5,6]
A wealthy software entrepreneur, James Van Bokkelen, was victimized by a hacker with a laptop. This was not an e-mail scam or bank account hack but something different. An adversary planned to use a cheap, homemade USB device to swipe the office key out of Van Bokkelen's back pocket. He simply got his hand within a few inches of Van Bokkelen. As Van Bokkelen approached from the parking lot, the adversary brushed past him. A coil of copper wire flashed briefly in the hacker's palm, then disappeared.
The coil was an antenna for the wallet-sized device known as a cloner, which was concealed up his sleeve. This cloner can elicit, record, and mimic signals from smart card RFID chips. The hacker connected the device to his laptop with a USB cable and downloaded the data from Van Bokkelen's card for processing. Then, once he retrieved the code, the hacker switched the cloner from Record mode to Emit. He headed toward the locked door and waved the cloner's antenna in front of a black box attached to the wall. The single red LED blinked green. The lock clicked, and he walked in. Thus, we see how a robbery can be committed by exploiting the information present on an RFID chip. It was so simple that anybody could have walked off with tens of thousands of dollars' worth of computer equipment, and possibly source code worth even more.
FIGURE 26.2
World's first RFID chip infected with a virus.
FIGURE 26.3
German hacker-cloned RFID e-passport. (From German Hacker Clone e-Passport, http://www.engadnet.com/2006/08/03/german-hackerscolone-rfid-e-passports/)
In a library, destroying the data on the books' passive-emitting RFID tags is possible by wandering the aisles with an off-the-shelf RFID reader-writer and a laptop. These tags have several writable memory "pages" that store the books' bar codes, loan status, and other information. The RFID-enabled checkout is indeed quite convenient. As the hacker leaves the library, he stops at a desk equipped with a monitor and places the books one at a time face up on a metal plate. The titles instantly appear on-screen. A person can borrow four books in less than a minute without bothering the librarian. In one case, a student took the books to his office, where he used a commercially available reader to scan the data from their RFID tags. The reader fed the data to his computer, which was running software that the student had ordered from the RFID maker Tagsys. As he waved the reader over a book's spine, ID numbers popped up on his monitor. He then found an empty page in the RFID's memory and typed "AB." When he scanned the book again, he saw the bar code with the letters "AB" next to it. This happened because of the Oakland library's failure to lock the writable area. One could even erase the bar codes and then lock the tags, and then the library would have to replace the books.
On the other hand, leaving the library's tags unlocked makes it easier for libraries to change the data in future.
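The locking trade-off described above, as an added example that is not part of the original chapter: a constructed Python model of a tag with writable pages and one-way lock bits, plus an audit that flags pages left writable or wrongly locked. The page layout, field names, and the locking policy (fix the bar code and empty pages, keep loan status writable) are assumptions made for illustration.

```python
# Constructed model of a passive tag: fixed-size pages plus one-way lock bits.
# The page layout and the locking policy are assumptions for illustration.
PAGE_SIZE = 4

# page index -> (field name, should the page be locked after commissioning?)
LAYOUT = {
    0: ("barcode_hi", True),
    1: ("barcode_lo", True),
    2: ("loan_status", False),   # must stay writable for checkout
    3: ("unused", True),         # empty pages are locked so nothing can be added
}

class PageLocked(Exception):
    """Raised when a write targets a page whose lock bit is set."""

class Tag:
    def __init__(self, pages):
        self.pages = [bytes(p) for p in pages]
        self.locked = set()

    def write(self, index, data):
        if index in self.locked:
            raise PageLocked(f"page {index} is locked")
        self.pages[index] = data[:PAGE_SIZE].ljust(PAGE_SIZE, b"\x00")

    def lock(self, index):
        self.locked.add(index)   # no unlock: a wrongly locked tag is replaced

def audit(tag):
    """List pages whose lock state contradicts LAYOUT."""
    findings = []
    for index, (name, want_locked) in sorted(LAYOUT.items()):
        if want_locked and index not in tag.locked:
            findings.append((index, name, "writable"))
        elif not want_locked and index in tag.locked:
            findings.append((index, name, "locked, replace tag"))
    return findings

def commission(tag):
    """Apply the policy: lock every page LAYOUT marks as fixed, then re-audit."""
    for index, (_, want_locked) in LAYOUT.items():
        if want_locked:
            tag.lock(index)
    return audit(tag)

def sample_tag():
    # Constructed sample data, not read from a real tag.
    return Tag([b"3101", b"2345", b"IN\x00\x00", b"\x00" * PAGE_SIZE])

if __name__ == "__main__":
    tag = sample_tag()
    print("before:", audit(tag))
    print("after: ", commission(tag))
```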
The Future Store in Rheinberg, Germany is the world's preeminent test bed of RFID-based retail shopping. All the items in this high-tech supermarket have embedded RFID price tags, which allow the store and individual product manufacturers (for example, Gillette, Kraft, and Procter & Gamble) to gather near real-time feedback on what is bought. In July 2004, Wired hailed the store as the "supermarket of the future." A few months later, German security expert Lukas Grunwald hacked the chips and showed the vulnerability of RFID chips.
Grunwald co-wrote a program called RFDump, which allows a user to access and alter price chips using a PDA (with an RFID reader) and a PC card antenna. With the permission of the store owner, he and his colleagues strolled the aisles, downloading information from hundreds of sensors. They demonstrated how easily they could upload data from one chip onto another. He also showed how he could download the price of a cheap wine into RFDump and then cut and paste it onto ...