Hackers demonstrated how to clone a copy of an
human-implanted RFID chip at a hacking conference this week. The
demonstration goes against claims from people-chipping firm
VeriChip that its technology, the subject of the experiment, can
uniquely identify an individual.
By cloning a chip it would be possible to assume someone's
identity, at least in situations where VeriChip devices are used
as the sole means of identification.
The main difficulty against such an attack is that a VeriChip
can only be read at a range of less than 30cm.
During a presentation at the HOPE (Hackers on Planet Earth)
conference in New York, Jonathan Westhues demonstrated how it
was possible to read the ID number of a VeriChip implanted into
the arm of his colleague, Annalee Newitz, using a standard RFID
reader, an antenna, and a laptop running signal-processing
software.
Westhues first held the RFID reader against Newitz's arm. He
then scanned the tiny device again using an antenna connected to
his laptop in order to record the signal transmitted by the
implanted device. Westhues then waved the RFID reader by the
antenna, revealing Newitz’s until then "unique" ID.
This information is enough to produce a cloned chip, the hackers
claim.
"Their [VeriChip's] website claims that it cannot be
counterfeited — that is something that Jonathan and I have
shown to be untrue," Newitz said, adding that the tiny RFID
chip used by VeriChip contains no built-in security (such as a
challenge response mechanism) that prevents the attack.
A spokesman for VeriChip, a subsidiary of Applied Digital,
said it hadn't had a chance to review the experiment so it
wasn't able to comment on the hacker's cloning claim.
"We can't verify what they may or may not have
done," a spokesman told
(http://blogs.reuters.com/2006/07/22/high-tech-cloning/)
Reuters. "We haven't seen any first-hand evidence
other than what's been reported in the media.
"It's very difficult to steal a VeriChip… it's much
more secure than anything you'd carry around in your
wallet," he added.
"VeriChip"
(http://www.verichipcorp.com/content/company/rfidtags#implantable)
is described by its manufacturers as an implantable, passive
radio frequency identification device (RFID) about the size of a
grain of sand that can be used in a variety of applications such
as assessing whether somebody has authority to enter a
high-security area.
In medicine (the main market), the idea is that if a patient
is unconscious, or otherwise unable to tell doctors about their
medical condition, medics can still find out this information
using the ID contained on the VeriChip. This number is
cross-referenced with hospital databases to give a patient's
medical records. ®
External links
Cloning a Verichip (http://cq.cx/verichip.pl)
