[IP] RFID Clonable

Ross Stapleton-Gray ross at stapleton-gray.com
Tue Jul 25 01:02:13 PDT 2006 

At 07:48 AM 7/25/2006, David Farber wrote:
>In case anyone needed more proof that we're all living in a Philip K.
>Dick novel, a pair of hackers have recently demonstrated how human-
>implantable
>RFID chips from VeriChip can be easily cloned, effectively stealing
>the
>person's identity.
>...
>For its part, VeriChip has only said they haven't yet had a chance
>to review the evidence but still
>insist that "it's very difficult to steal a VeriChip."

Certainly literally true, if by "steal" one means, "get one's hands
on the original, e.g., pry one out of Annalee Newitz's arm."

But we should recongize that the vast majority of RFID applications
[BUT NOT ALL djf]  don't depend on inability to clone them.  RFID
tags in most commerce will be as unclonable as license plates, which
anyone with a little tin, paint and shop skills could zap out copies
of, but which nonetheless serve as a cheap means for reasonably
reliable identification.  Think of most RFID applications as just
like print bar codes; there have been various cases of fraud
committed against systems employing the latter, most notably where
thieves use bar codes for inferior goods to purchase expensive ones
("Bar code says that's a drill bit, and it looks like a drill
bit...") then return the goods to pocket the difference in price.

The new wrinkle that RFID offers for commerce here is uniqueness: the
local Home Depot currently knows that it has 500 units of carbide
drill bit, all bearing identical bar codes... in an item-level RFID
tagged world, it would know 500 unique serials, so spoofing the
checkout clerk with a false tag becomes a little harder.  And, with
unique tags, it becomes easier to compile and retain longitudinal
dossiers on "where has this thing been?" (if the various parties in
supply chain actually read the tags): this is the aspect that will be
used for pharmaceutical knockoff detection, where the overarching
RFID tracking and management system will be able to provide some
provenance information ("This very bottle was allegedly seen in
Singapore 3 hours ago... something's not right").  This is also one
of the more privacy-invasive aspects.

I've seen one research effort (an NSF SBIR) looking at creating
unclonable RFID thus far, which basically works, I believe, by
extracting a physical signature of the item to be tagged (in the
awarded research, it was magnetic signatures), and using that as part
of the unique key, or perhaps registering that signature in an off-
chip database that would need to be additionally queried.

In the VeriChip hack, you might address the problem that that little
chip merely spits out a unique ID that anyone who can read can
rewrite into a new chip by having the implanted chip also encode some
(relatively) unclonable aspect of the person the chip is embedded in,
e.g., you can still "steal" the unique ID, but could only then use it
in a chip in another (1) female; with (2) brown eyes; (3) blood type
AB-; etc.; etc.  But so far as I know the VeriChip used in human
implants is just that little unique number... its value as a unique
ID for security authentication depends a lot on it being hidden from
3rd party readers.  Of course, we have this problem in spades all
over the place... your SSN, or credit card number, can be fairly
easily abused by anyone who knows it, despite the fact that you have
to expose it to a lot of parties, many, many times over the course of
a year.

Ross




----
Ross Stapleton-Gray, Ph.D.
Stapleton-Gray & Associates, Inc.
http://www.stapleton-gray.com
http://www.sortingdoor.com






-------------------------------------
You are subscribed as eugen at leitl.org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

More information about the cypherpunks-legacy mailing list