It says in the article that the idea behind this implementation is that if the tag is swapped it breaks the authentication since the glue is involved in authenticating. NFC/RFID chips can just be swapped from a real product to a fake one as-is.

>What prevents somebody from scanning it and reconstructing the position of the metal pieces?

You're talking about very, very small pieces of metal whose position/orientation is not deterministic when laying the glue and that information is combined with the tag itself to present some kind of challenge response.

Yeah if I’m understanding the article correctly it’s not that the glue is pre-printed with a specific code but rather the glue has a bunch of particles suspended in it and take on an arbitrary pattern when used. Conceptually similar to https://trmm.net/Glitter/ but at a much smaller scale.

Why is it not possible to embed the NFC tag in a destructible medium? Like those annoying stickers that you cannot peel without ripping?

If you use that, then the only way to move the NFC tag to another item would be to cut it out of the original item (including the original adhesive). But this attack also works against the technique in the article.

Regarding the orientation, I understand that it is nondeterministic in the original, but what prevents an attacker from copying it deterministically? Is it just that technology is not good enough to manipulate such small pieces of metal? How long will this limitation persist?

Yes, like other similar tamperproofing options (glitter, vacuum-sealed colored beads, etc) it's trivial, cheap and fast to get a random pattern, but absolutely impractical to control the pieces to get any specific pattern - perhaps someone like a microsurgeon could manipulate them properly given enough time, but that would take an absurd time (since there are many tiny pieces which each need to be manipulated within a gooey substance where each movement disturbs previous ones as well) and be absurdly expensive, and nobody has a "printing" technology to do it in a cost-efficient way.

Perhaps in future someone could develop an advanced combination of 3d printer and pick&place machines that could do it, but such future potential doesn't disqualify this tech from currently detecting counterfeiting of fancy shoes or something.

Why would you need a 3D printer or pick&place machines? You can just do it photolithographically.

Coat a piece of glass with a thin layer of metal. Put a photoresist on top. Project the desired pattern onto it with UV light. Wash the unhardened photoresist away and etch the unnecessary metal.

Now you've got metal in exact the spots you'd like, of exactly the thickness you'd like. You can get the accuracy down to a few hundred micrometers for cheap today.

That would work only for a planar distribution of material. A 3D distribution would require multiple layers (I guess it might quickly become infeasible if it requires thousands of layers).

In the case of 3D arrangements, I think some substrate materials (and also some properties of the particles) would be very difficult to get using photolithography (or some kind of micro 3D printing).

In the case of 3D arrangements, you don't necessarily need to create all the layers photolithographically. You might be able to flatten N layers into 1 layer, then add a plastic coating equivalent to N-1 layers ontop, then repeat that. You'll have a very similar result to every layer being separate.

Imagine e.g. the "multiple layers of cardboard cutouts" scenery in theater vs it actually being 3D.

I don't know much about photolithography, but doesn't it rely on relatively expensive fixed masks prepared for each layer?

Assuming that doing the process you describe is sufficient, what's the ballpark of what "for cheap" means for you if you needed to print 1000 different fake tags, assuming many layers of "the desired pattern" to print the metal flakes?

> doesn't it rely on relatively expensive fixed masks prepared for each layer

If you need perfectly sharp edges and high precision, sure. But I'm sure in this case that'd be unnecessary.

> Assuming that doing the process you describe is sufficient, what's the ballpark of what "for cheap" means for you if you needed to print 1000 different fake tags, assuming many layers of "the desired pattern" to print the metal flakes?

I described in another comment an additional way to quantize the layers to reduce the repetition steps, which would reduce costs further.

Regarding costs, you could fake a THzID chip for about 500€ per fake. Not cheap enough to do it for household items, but if you're faking designer bags, clothing, sneakers, or electronics, it'd be absolutely worth it.

With the right techniques it's often possible to remove those annoying stickers without ripping them. Some of the techniques involve using a solvent or very thin and slippery blade. They are supposed to be resistant against that, but in practice a lot of time not enough.

NFC tag usually consists of two parts very tiny IC (small piece of silicon the size of sand grain) and antenna (a piece of metal foil in a fancy shape). You could make an NFC tag where attempting to remove it rips antenna, but that wouldn't destroy the IC. It's probably a matter of product price and quantities whether, counterfeiting it by reattaching the NFC chip to a new antenna is economically viable. As the process is not only possible it's performed at the NFC tag factory at very large quantities at very low cost. It might also be possible to repair parts of broken antenna assuming area around IC is undamaged.

So overall you get simplicity and cost of regular tamper resistance stickers, with better resistance against solvent and blade attacks, and security properties closer to what you get from secure NFC chip (except you can't perform more complicated cryptographic operations like signing arbitrary data).

> Is it just that technology is not good enough to manipulate such small pieces of metal? How long will this limitation persist?

I would expect that at any point in future, whatever the best controlled manufacturing technique invented are, it will be possible to create uncontrolled pattern at finer scale, or at least much cheaper. Unless we reach the point where maintaining stable state without deteriorating becomes a problem, or the quantity of data for storing and processing becomes impractical.

It would be like reconstructing a sand castle grain by grain.

I hope to not be alive when technology progresses to that point!

You already are! The CPU in your computer is just a very precise sandcastle :)

Though the re-construction of the pattern is effectively impossible, I think you raise a good point regarding the use of NFC. The article mentioning a cloud database was a red flag for me as it introduces another attack vector. Sure, it's not as simple as replacing the tag as you can with RFID, but we know the counterfeiters will go to impressive lengths to replicate the real deal. If verification can be all-local that's ideal, imo. The issue there, though, is that you then need to trust either the scanned or scanning device with a private key. A private key that, if obtained, could be used to create infinite counterfeits. Either way, I think this glue-based method is a great solution, even if it does rely on a cloud service which is dependent on the company that maintains it.

I don't know if I understood correctly. But it might be that the metal pieces in glues are pure random process, and there are no way to reproduce or re-print it again. The metal pieces are then recorded as a key in central database or some sort of AI, just like human fingerprint or retina how are collected and used for authentication???

What prevents you from scanning & reconstructing a bucket of rice? :)