Arphid Watch: Cloning Verichips

Verichip likes to proclaim that their chips are no more sinister than electronic barcodes. However, it would be kinda dumb to use a mere barcode for any serious security purpose, say, locking your car, your business or your house. If nobody's ever heard of RFID chips, then you might be temporarily secure through obscurity, but if, for instance, Nokia's selling lots of arphid readers built into cellphones, then that chip hidden in your flesh becomes easy prey for any passing malefactor with a scanner.

There are two major phases in the hacking game, (a) actually hacking something and (b) running around loudly bragging about it. VeriChip cloning has now reached the (b) stage, and given that VeriChip have always been the boasting PR bandits of the RFID universe, they've definitely got this karmically coming.

http://www.engadget.com/2006/07/24/verichips-human-implatable-rfid-chips-clonable-sez-hackers/

VeriChip's human-implatable RFID chips clonable, sez hackers

Posted Jul 24th 2006 4:14PM by Donald Melanson

Filed under: Misc. Gadgets, Wireless

In case anyone needed more proof that we're all living in a Philip K. Dick novel, a pair of hackers have recently demonstrated how human-implantable RFID chips from VeriChip can be easily cloned, effectively stealing the person's identity. Annalee Newitz and Jonathan Westhues showed off their handiwork at the HOPE Number Six conference in New York City this weekend, with Newitz herself playing the role of guinea pig, implanting a VeriChip RFID chip in her right arm.

To clone the chip, Westhues first read Newitz's arm with a standard RFID reader, then scanned it again with a homebrew antenna connected to his laptop, which recorded the signal off the chip. He then used the same RFID reader to read the signal from his laptop, which promptly spit out Newitz's supposedly unique ID. For its part, VeriChip has only said they haven't yet had a chance to review the evidence but still insist that "it's very difficult to steal a VeriChip."

(((Strictly speaking, these aren't "a pair of hackers," this is one hacker and one with-it female journalist who isn't afraid of large cannula needles. Some feminist tech critic needs to write an analytical tirade about the number of women engaged in the arphid biz. There are whole unruly regiments of 'em. There must be some good reason why.)))

A further addendum:

(((As Ross Stapleton-Gray interestingly puts it:)))

From: Ross Stapleton-Gray

Date: July 25, 2006 1:02:13 PM EDT

To: [email protected]

Subject: Re: [IP] RFID Clonable

At 07:48 AM 7/25/2006, David Farber wrote:

In case anyone needed more proof that we're all living in a Philip K. Dick novel, a pair of hackers have recently demonstrated how human-implantable RFID chips from VeriChip can be easily cloned, effectively stealing the person's identity.

...

For its part, VeriChip has only said they haven't yet had a chance to review the evidence but still insist that "it's very difficult to steal a VeriChip."

Certainly literally true, if by "steal" one means, "get one's hands on the original, e.g., pry one out of Annalee Newitz's arm."

But we should recognize that the vast majority of RFID applications don't depend on inability to clone them. RFID tags in most commerce will be as unclonable as license plates, which anyone with a little tin, paint and shop skills could zap out copies of, but which nonetheless serve as a cheap means for reasonably reliable identification. Think of most RFID applications as just like print bar codes; there have been various cases of fraud committed against systems employing the latter, most notably where thieves use bar codes for inferior goods to purchase expensive ones ("Bar code says that's a drill bit, and it looks like a drill bit...") then return the goods to pocket the difference in price.

The new wrinkle that RFID offers for commerce here is uniqueness: the local Home Depot currently knows that it has 500 units of carbide drill bit, all bearing identical bar codes... in an item-level RFID tagged world, it would know 500 unique serials, so spoofing the checkout clerk with a false tag becomes a little harder. And, with unique tags, it becomes easier to compile and retain longitudinal dossiers on "where has this thing been?" (if the various parties in supply chain actually read the tags): this is the aspect that will be used for pharmaceutical knockoff detection, where the overarching RFID tracking and management system will be able to provide some provenance information ("This very bottle was allegedly seen in Singapore 3 hours ago... something's not right"). This is also one of the more privacy-invasive aspects.

I've seen one research effort (an NSF SBIR) looking at creating unclonable RFID thus far, which basically works, I believe, by extracting a physical signature of the item to be tagged (in the awarded research, it was magnetic signatures), and using that as part of the unique key, or perhaps registering that signature in an off-chip database that would need to be additionally queried.

In the VeriChip hack, you might address the problem that that little chip merely spits out a unique ID that anyone who can read can rewrite into a new chip by having the implanted chip also encode some (relatively) unclonable aspect of the person the chip is embedded in, e.g., you can still "steal" the unique ID, but could only then use it in a chip in another (1) female; with (2) brown eyes; (3) blood type AB-; etc.; etc. But so far as I know the VeriChip used in human implants is just that little unique number... its value as a unique ID for security authentication depends a lot on it being hidden from 3rd party readers. Of course, we have this problem in spades all over the place... your SSN, or credit card number, can be fairly easily abused by anyone who knows it, despite the fact that you have to expose it to a lot of parties, many, many times over the course of a year.

Ross

Ross Stapleton-Gray, Ph.D.

Stapleton-Gray & Associates, Inc.

http://www.stapleton-gray.com

http://www.sortingdoor.com
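
The provenance check described in the message above ("allegedly seen in Singapore 3 hours ago... something's not right") can be sketched as a velocity test over tag read events. This is an added example, not code from the post or from anyone quoted in it; the site names, coordinates, speed ceiling and read events are all constructed assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed reader sites (latitude, longitude); not from the original post.
SITES = {
    "singapore-dc": (1.35, 103.82),
    "oakland-port": (37.80, -122.27),
    "reno-store": (39.53, -119.81),
}
MAX_KMH = 900.0  # assumed ceiling: roughly air-freight cruising speed

# Constructed read events: (tag serial, site, ISO timestamp in UTC).
READS = [
    ("TAG-0001", "oakland-port", "2006-07-25T09:00:00"),
    ("TAG-0001", "reno-store", "2006-07-25T15:00:00"),
    ("TAG-0002", "singapore-dc", "2006-07-25T10:00:00"),
    ("TAG-0002", "reno-store", "2006-07-25T13:00:00"),
]

def km_between(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def find_implausible_reads(reads, sites=SITES, max_kmh=MAX_KMH):
    """Return (serial, earlier_site, later_site, hours_apart) for consecutive
    reads of one serial that would need travel faster than max_kmh."""
    by_tag = {}
    for serial, site, ts in reads:
        by_tag.setdefault(serial, []).append((datetime.fromisoformat(ts), site))
    alerts = []
    for serial, events in by_tag.items():
        events.sort()  # readers may report out of order
        for (t1, s1), (t2, s2) in zip(events, events[1:]):
            if s1 == s2:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            dist = km_between(sites[s1], sites[s2])
            # Simultaneous reads at two sites (hours == 0) are always implausible.
            if hours == 0 or dist / hours > max_kmh:
                alerts.append((serial, s1, s2, hours))
    return alerts

if __name__ == "__main__":
    for alert in find_implausible_reads(READS):
        print("possible cloned or spoofed tag:", alert)
```

The check only works when the parties along the chain actually read and report the tags, and it flags a duplicated serial without saying which of the two tags is the original.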