 We have smart labels, what is EPC? And after this smart and fast fact to this technology, we are going to the labels. We are demonstrating a little bit about how to exploit them, how to have fun with them. And we are speaking a little bit about the Meet for Future store, the first R3D store in Europe. What is R3D? It's cheap. It's easy. It's radio frequency identification. It's a mechanism to get an identification from remote. It can be your remote control for your crash. It can be an access control system for a room, a cage, and a factory that produce goods, or it's a development process, or it can be an electronic product code that's attached to a raw product, or a package, or a package size at the supermarket. What are the typical frequencies for RFID? One of the major problems by detecting and writing our tool are the different types of RFID, the different encodings, different protocols. And there's a wide branch of frequencies they're used for RFID. We are demonstrating a special frequency area. It's a 13.553 kilohertz, 15 gigahertz. Tags are used at smart labels. These smart labels are a special application of RFID. Smart labels are RFID ships that hold the EPC, the electronic product code. The electronic product code is an international unique number by the manufacturer. And these labels have a small microchip. This microchip has communication capabilities, but no direct battery. All these labels have the ability to make mobile communication with an RFID reader. I've installed here one of these readers at my notebooks. And let's have a quick and fast look to the EPC code. The EPC type 1 code is introduced by an 8-bit header followed by an EPC manager. Normally, the EPC manager is a type of database that points where the products and product classes are stored. Followed by an object class that can be, if you compare it to a DNS system on the internet, something like the host address. At the EPC world, it's a type of product followed by the unique serial number. So all these ISO smart labels operate on the ISM frequency as shown at 13.56 megahertz. What type of variants are available at these frequencies and what type of labels are typically used at consumer products at supermarkets? And what labels will you find tomorrow in some consumer products? There are the standardized ISO tags. We have some ISO 14443 and type A and type B. There are proprietary label types like Taggert and iCode. What are the typical features? What have all these tags in common? First, they have no battery. They consume all the power to operate directly from the RFID field. Second, they store all information non-encrypted in clear text directly on the eProm. They have memory pages. And all these labels have no read protection. That means you have clear text information stored on the labels and you have no read protection. You can imagine what's possible with this stuff. Some have very special type of write protection. The serial number is mostly fixed. The user data is flexible. And to make it easy for us, they support more than 1,000 write cycles. Labels are used at different kinds at the delivery and supply chain to optimize this supply chain. First example that can give you an easy integration at a product plant where are my products, where are my boxes, where are my boxes at my production process. They enable at the plant the tracking of boxes and goods. You can source very easy boxes and packages. You can use them to optimize your production chain for just in time production. And some labels have a very, very interesting feature. They are able to track the temperature for sensitive goods like medicine or with a cargo. There are two ways to store information. The first way is you are going to use a data center, a database. All these labels have a unique serial number. And the serial number points as a primary key to a central database. Another way is to use the eProm to use the capability of the label to store the information directly at the label. If you look for some demo applications in the field at stores, at the point of sales, very often you find a combination of both approaches. Some information, for example, expiration date or tracking information or the information about maximum temperature is directly stored at the label. Some information actually using for a check out, for a fast check out process is stored in a central database. What are applications as smart labels are already in use at this moment? There are some projects like the FDA, Guardians, announced the marginalization of all medical packages of all medical stuff for the most packages and pallets that like to be counterfeit. This product has started in, or it started at 2005. At this timeline you see, at the end of 2007, all manufacturer's products has to put our FID ships directly into their products and the wholesalers, the chain drugstores, the hospitals, and the most retailers, special cases embedded with FID ships for your medicine. For demonstration, I have here one of these packages for further demonstration of FID label embedded. Already the state of Florida has started to use FID for pedigree for all. This product is running since 2003. You know why the state of Florida? Because the most old curses that consume the most are a little bit more concerned about this stuff. And the state of Florida do require the pedigree for all medicine, for all drugs and sex, use RFID technology. If you're interested in this case, just go to the MIT Auto ID labs. The source are from Robin Co. Here. Also, Walmart has already started at June 2004, RFID tracking for all Class II drugs. Class II drugs are really dangerous drugs. They are very interesting for drug additives and stuff like that. Also, RFID labels in Europe, the Gillette company has a very big problem. They are going to lose more than 35% of all their products from the plant to the shelf at the store. They are not shoplifted at the store. They are just disappear on the way to the store. So the problem is, everyone knows Gillette company. They have very small products, this small light razor blades, but they are very expensive. So the most products from the Gillette company are going to be identified and the most products are going to be enhanced with RFID techs inside of this product. There was a really problem in UK, some stores used an RFID sensor to detect if one of the customers takes more than three packages of Gillette razor blades. If you get it, the customer gets a free photo and gets expected for shoplifting. Also, they have a very nice application. It calls the Metro Future Store. They use this RFID technology and a lot of other technologies to test how stores, how supermarkets will look in the near future. But more later to this topic, we had a very nice trip through one of these future stores. The next big user of RFID is the main library of Vienna. They used more, they used nearly 35,000 texts on books, DVDs, and CD-ROMs. The problem is they are storing directly on the label, the ISBN number, the author, the title of this book, and the last date of rent. So very interesting for someone who is interested what type of books is one of the guests of this main library reading. Also, the European government has a project using the RFID ships to store the IDs, the ID numbers, and the biometric datas of the passport holder directly at an RFID ship embedded in the cover of the passport. The aim is, with this RFID ship, you can make something like easy check-in or easy pass through the border control through the immigration, only using your passport and putting your fingers or your face on the biometric sensor. Not only in food and government are these ships used. Some clothes companies are using RFID texts. They are putting these texts on normal clothing texts. For example, get incorporated in the US. Cowhoof in Germany, I don't think someone knows this company here, and benefit from Italy. There are also pilot projects to using texts that can be directly woven into the fabric. So you can't remove this text anymore from your clothes and they're embedded. It's no problem at all. This texts are not able to disarm. You can't destroy this text if you wash this about 1,000 cycles. So if you want to burn your clothes, you can destroy the label. I'm coming later to this topic. We have a very nice solution. There are different types of benefits. If someone tries to use this smart label to the point of sale, you have something it's called auto inventory. So you don't need to make an inventory. You can make it instantly if you use this technology. Also there's this called benefit, detect misplaced product at the shelf. So if someone puts a misplaced product back into the shelf, the shop computer will detect it and alert someone. You can imagine what's possible. This is a nice feature. Also, the clerk at the shop gets alerted if some goods expired or will be expired in the near future. It's also possible to track the behavior of the customer directly at the shop. The customer is able to make an auto checkout. He just only puts the goods into his shopping bag and goes through and called RFID gate. This gate is in fact a huge amount of RFID reader to detect every label, every tag that's put in the shopping bag and counted. And if the register is an RFID gate, you only need to use your credit card or there are already some RFID customer cards. So you can just make a quick checkout by leaving the store. So let's have a look to the brave new supply chain. First, at the production time, the RFID label is placed directly onto the product. Each product is registered inside its package if it leaves the factory. At this moment, only at this moment, the EPC, the electronic product code is directly written into the tax. If the customer or reseller orders the product, the pallets are tracked at the delivery. At the reseller sites, the new goods are directly registered upon arrival. Temperature and expiration date can be checked at delivery time. And if the max temperature has been expired, products get instantly trashed. Upon arrival at the store, all products are entering directly at the store and registered at the entrance gate. So if a customer takes a real-time package, the RFID reader at the shelf detects it. So if the shelf runs out of products or detects a fault or a third product that can escalate this to the clerk at the shop, if the customer leaves the shop, the register reads the RFID from inside to customer shopping bag. So fast checkout out, fast self-check out and shoplift prevention at the same time. And there are also some who tells you there could be some benefits for the customer. For example, the intelligent rich. Every time someone tries to, wants to convince you about new technology, they have to make new nice electronic toys. So there's something called management of exploration of goods. Something you got a mail or a phone call from your fridge. Hey, dude, you'll be as about to expire. Just drink me. All the intelligent washing machine. So it's the answer to your question. There are plans to put directly labels into every type of your clothes and your washing machine won't start anymore if someone puts the red socks between your white undies. So something like a deadlock of your washing machine or the washing machine tries to automatically choose the correct program. Let's have a small look about the myths and the facts about RFID. There are some very deep myths so that RFID ships have the size of a pin and can be embedded to every product. After this talk, a small text here, if you like, you can see the problem is the RFID ship needs the power from an antenna and needs the antenna to communicate with the reader directly at the field. This metal and some shielding, you can block the field at all. And you also need this antenna to connect this. Unfortunately, this antenna needs about some physical behavior, some size, so you can't make it in size at a small, very small pin. You can look at this label here. I have put some transparent labels here. You can see the solitium ship and you can see the antenna. But don't touch it and don't steal it. The next myth is RFID ships can be read from a huge distance. This absolutely not true. You must be directly at this powered field to read the ship we are the antenna. We have made some tests at our lab and we found maximum distance with a huge gate. I'm going to demonstrate and showing the picture of one of these gates, 10 meters. After 10 meters, it's gone. So what is the really nice thing for a hacker if you have an employed RFID technology? It's public information. This text can be read by everyone. You also need some type of RFID reader. I fear and call it multi-tech reader. It's able to read all text at this demonstrated frequency. You need an antenna or a gate to build this electrical field. Of course, you need text. This can be embedded in some close, something like your new jeans from Gap. You need a PC or a laptop to process this information from the reader and the most important thing you need our tool to process this information and to manipulate them. So how does one of these RFID gates looks like? You see, here are two lights, a red and a green one. If a pallet goes through this RFID gate, these square boxes, these white boxes are the directly readers and the antennas and the black box at the top is an industrial PC to process the information and transmit it over an ethernet port. These gates can be placed at everywhere. They can be at the entrance, at the exit door. They can be also embedded directly into the shelf. And just imagine, someone can put these gates on a traffic light or under his entrance at his own store and stuff like that. So let's have a small look directly to this ISO 15693 text. Each text has a unique identifier called UID. This UID is needed for the complete anti-collision algorithm. So if you have more than one tag directly at a field, like if you have a big box with 2,000 retail packages, you have 2,000 tags directly at the field. So you need a mechanism to make an anti-collision to get each tag separately. This UID is programmed directly at the factory and can't be changed. Additionally, you have memory directly at this tag and this memory is partitioned into two blocks. You have an administrative block. This administrative blocks holds UID for the anti-collision and an application family identifier called AFI. Also, a data storage format identifier. So if you don't know the format, you can read it directly from the administrative block and you are able to store user data up to 128 bytes per assistant. The UID looks, or the administrative block looks like this. Oh, sorry, this is the UID block. You have this unique serial number followed by the manufacturer ID and ended with a E0 hex as end of this serial number. As manufacturer ID as ISO standard, you have at this moment a few companies, but you see it's a byte, it's still extensible. Now, let's have a small look to the memory organization directly off the tag. We have here the pages starting at zero and going maximum to FF hex. These pages hold the user data blocks. So what does IF dump? It's this very small tool written by Boas Wolf and me. This tool enables you to detect nearly all type of smart labels. Unfortunately, at this moment it requires an ARFID reader. This reader is a compact flash reader and can also be put on a mobile device like an PDA. So if you come with a notebook and visiting a supermarket and holding this notebook on this size into the shelf, it will be a little bit suspected. But if you have a PDA and just running a small cart and someone said, what are you doing, man? Oh, this is my shopping list. So just leave me alone. The big benefit is this tool is GPL software, it's free software. You can just go to our home page, get the source code, enhance it, fix bugs and just send me the patches. You're welcome. So let's have a small look to this tool. I'm just starting the tool. I feel a couple of tags. So if I put one of these tags into the area of this field, I think it should be this size. The reader starts to detecting the page. He is reading the tag with his contents and you have a hex and an ASCII editor. The administrative block is decoded at the top. You see here the tag ID, the unique number for anti-collision. You have the type of tag, the manufacturer ID and you are able to manipulate it. You can use a hex editor and you write back to the label and you have a really nice feature I'm going to demonstrate this later. I call it real life cookie. So, you know a lot of persons are concerned about privacy using RFID. A commercial company called ASA Security. I think a lot of you guys know this company had announced at the CBIT 2004 demonstration it called the block attack. This attack was set blocks all requests. So I went to the show and I organized one of this show samples. They are demonstrating. The demonstration was something like a box of drugs. They put this box of drugs into a field and the name of the customer appears in this box. Then they have this nice, they call it privacy bag. They put the box of drugs into this privacy bag and oh, it's only displayed blocked. So no customer information are available. Or they had a nice press announcement and it says this special block attack embedded into this privacy bag will demonstrate and will send all possible UIDs so to keep the customer's privacy and to prevent reading the original RFID ship in this privacy bag. So let's verify with our new tool what they are doing. First I put this medicine box into the field and what's happened after a second of reading. Oh, it's only zeros. So and the interesting fact is this attack is not right protected. You can manipulate it and put anything like changing aspirin to something else also. So after this demonstration, let's put this nice privacy tag of privacy bag with block attack into our field and what's happening. After reading the field. Oh, wonder, just another TI tag. Nothing blocked, only one UID. So what has our security done at CBIT? They just made a fake demonstration. All sort of privacy is done by fake software. If both tags appears at the field, the ASA demo application makes a ruling compression if tag one and tag two appears at the same time or we just display blocked. In fact, all customer information is still accessible and can be used by an attacker or by some type of spy. So what's possible with this technology? At this moment, the most smart labels are not quite protected. Unfortunately, the UID and the administrative block can't store the EPC. So the EPC must be stored at the user data fields. Metadata, like best before, are mostly also stored at the user data fields. And it's only matter of time until everyone will be at least one RFID tag at his clothes, at the shopping bag or something else. There's a lot of problems. Gates, not bill gates, this RFID reading gates can be installed anywhere. One nice thing is competitors can read, for example, the type of undies you wear and what else you have in your shopping bag. The browser can read what type of books you read. And together with a passport or a customer card is an RFID ship. This technology is even a bigger risk. So they get the type of undies, what book you read and who you are. One nice feature for Big Brother is the customized bracelet for everyone. You have also some pollution problems with our environment. If just imagine if every retail package has an RFID ship, there will be a lot of pollution issue. Dumpster diving will be a new quality. Just put an RFID reader into the trash can and you can see everything what he bought. Also the transponders or text-saves contain some harmful substances. And there are some voices I don't believe it, but I think I have to notice it. Non-ionic valuation, there are some voices that say it could be unhealthy. We have also a technology problem. So we are making a dependency on a new technology and introducing new risks. RFID attackers or attacks to RFID infrastructure can push companies out of business and new possible break for terrorists and new critical infrastructure. So what we also have programmed in our tool, I call it a real life cookie. You know cookies from web pages. So just take this technology to real life. I activate this feature and now if someone comes even with his new jeans, it's an embedded RFID tag through my gate. The tool is trying to find an empty memory page that can be written. You see, I put that face as identifier. And now we got this branded to the last two pages and the counter. The next time he will enter my field, he got recognized and the counter increased. So every time he visiting my gate, he got counted. Even this diagnosis is something like fast pass for your customers. Let's go to the