Unlocked RFID Labels Leave Retailers Vulnerable to Hacking

There is no doubt that RFID technology can improve retail operations significantly, but many companies are also unwittingly making themselves very vulnerable with it. Thankfully, the solution is very simple.

A lot of retailers are not locking their RFID labels, and in many cases, they don’t realize this is necessary or even possible. When RFID readers actually “read” RFID labels, the reader collects EPC data from the label’s circuit chip memory. When this data isn’t locked, however, anyone who happens to have an RFID reader and the right software could potentially change the label’s data and corrupt the entire system.

Multiple Opportunities for Hacking

While such tampering probably wouldn’t have a big impact on straightforward cycle counts, retailers with hands-free implementations could find themselves facing a world of trouble. For example, consider the popular scenario of a retail store whose fixed readers and antennas are integrated into its network to facilitate data collection and systems monitoring. With everything on the same network, a hacker could run a virus to erase or reassign all of the RFID labels in every one of the retailer’s outlets in a very short period of time, thereby canceling all the benefits of the RFID implementation and creating a huge headache.

Another way someone with bad intentions could wreak havoc is by reassigning EPC numbers from cheaper items to more expensive ones, thereby being charged a much lower price for an expensive item at checkout. RFID label reader/writers only cost a few hundred dollars, and it’s easy to see why a thief would consider one a good investment.

The current crop of RFID labels can be set to one of four lock states: locked, permanently locked, unlocked, and permanently unlocked. Experts recommend that retailers permanently lock the EPC data banks on RFID labels, except in a very specific set of circumstances. A business that decides to skip this step for any reason needs to be aware of the potential for tampering.
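The four lock states above correspond to two bits per memory field in the Lock command of the EPC Gen2 air interface. The following is an added example, not code from the original article; it assumes Gen2 tags (the article does not name the standard), and the function names and the sample commissioning log are hypothetical and constructed for illustration.

```python
from enum import Enum

# Gen2 Lock payload: 20 bits = 10 mask bits (19..10) + 10 action bits (9..0).
# Each field owns two adjacent bits in each half; the value below is the
# position of its first bit (pwd-write, or pwd-read/write for the password
# fields). The permalock bit is the next lower bit.
FIELDS = {"kill_pwd": 9, "access_pwd": 7, "epc": 5, "tid": 3, "user": 1}

class LockState(Enum):
    # value = (pwd-write bit, permalock bit)
    UNLOCKED = (0, 0)              # writable without the access password
    PERMANENTLY_UNLOCKED = (0, 1)  # writable, and can never be locked
    LOCKED = (1, 0)                # writable only with the access password
    PERMANENTLY_LOCKED = (1, 1)    # never writable again

def lock_payload(settings):
    """Build the 20-bit Lock payload for a {field: LockState} mapping."""
    mask = action = 0
    for field, state in settings.items():
        hi = FIELDS[field]
        mask |= 0b11 << (hi - 1)           # select both bits of this field
        pwd, perma = state.value
        action |= (pwd << hi) | (perma << (hi - 1))
    return (mask << 10) | action

def decode_payload(payload):
    """Return {field: LockState} for every field the mask selects."""
    if not 0 <= payload < 1 << 20:
        raise ValueError("payload must fit in 20 bits")
    mask, action = payload >> 10, payload & 0x3FF
    states = {}
    for field, hi in FIELDS.items():
        selected = (mask >> (hi - 1)) & 0b11
        if selected == 0:
            continue                        # field left unchanged
        if selected != 0b11:
            raise ValueError(f"{field}: single-bit masks not handled here")
        states[field] = LockState(((action >> hi) & 1, (action >> (hi - 1)) & 1))
    return states

def audit(commission_log):
    """Return tag labels whose recorded payload did not permalock the EPC bank."""
    return [tag for tag, payload in commission_log
            if decode_payload(payload).get("epc") is not LockState.PERMANENTLY_LOCKED]

# Constructed sample: (tag label, Lock payload recorded at encoding time)
SAMPLE_LOG = [("tag-A", 0xC030), ("tag-B", 0xC020), ("tag-C", 0x00000)]
```

A tag left in the plain locked state is only as well protected as its access password, and a permalock bit cannot be cleared once it has been set.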
