[dave at farber.net: [IP] more on RFID Clonable]

Tyler Durden camera_lumina at hotmail.com
Wed Jul 26 04:21:44 PDT 2006

Well, the next question is whether we can surreptitiously insert an ID into 
someone's implanted tag, The possibilities are amusing to say the least...


>From: Eugen Leitl <eugen at leitl.org>
>To: cypherpunks at jfet.org
>Subject: [dave at farber.net: [IP] more on  RFID Clonable]
>Date: Tue, 25 Jul 2006 21:02:50 +0200
>----- Forwarded message from David Farber <dave at farber.net> -----
>From: David Farber <dave at farber.net>
>Date: Tue, 25 Jul 2006 13:55:12 -0400
>To: ip at v2.listbox.com
>Subject: [IP] more on  RFID Clonable
>X-Mailer: Apple Mail (2.752.2)
>Reply-To: dave at farber.net
>Begin forwarded message:
>From: Ross Stapleton-Gray <ross at stapleton-gray.com>
>Date: July 25, 2006 1:02:13 PM EDT
>To: dave at farber.net
>Subject: Re: [IP] RFID Clonable
>At 07:48 AM 7/25/2006, David Farber wrote:
> >In case anyone needed more proof that we're all living in a Philip K.
> >Dick novel, a pair of hackers have recently demonstrated how human-
> >implantable
> >RFID chips from VeriChip can be easily cloned, effectively stealing
> >the
> >person's identity.
> >...
> >For its part, VeriChip has only said they haven't yet had a chance
> >to review the evidence but still
> >insist that "it's very difficult to steal a VeriChip."
>Certainly literally true, if by "steal" one means, "get one's hands
>on the original, e.g., pry one out of Annalee Newitz's arm."
>But we should recongize that the vast majority of RFID applications
>[BUT NOT ALL djf]  don't depend on inability to clone them.  RFID
>tags in most commerce will be as unclonable as license plates, which
>anyone with a little tin, paint and shop skills could zap out copies
>of, but which nonetheless serve as a cheap means for reasonably
>reliable identification.  Think of most RFID applications as just
>like print bar codes; there have been various cases of fraud
>committed against systems employing the latter, most notably where
>thieves use bar codes for inferior goods to purchase expensive ones
>("Bar code says that's a drill bit, and it looks like a drill
>bit...") then return the goods to pocket the difference in price.
>The new wrinkle that RFID offers for commerce here is uniqueness: the
>local Home Depot currently knows that it has 500 units of carbide
>drill bit, all bearing identical bar codes... in an item-level RFID
>tagged world, it would know 500 unique serials, so spoofing the
>checkout clerk with a false tag becomes a little harder.  And, with
>unique tags, it becomes easier to compile and retain longitudinal
>dossiers on "where has this thing been?" (if the various parties in
>supply chain actually read the tags): this is the aspect that will be
>used for pharmaceutical knockoff detection, where the overarching
>RFID tracking and management system will be able to provide some
>provenance information ("This very bottle was allegedly seen in
>Singapore 3 hours ago... something's not right").  This is also one
>of the more privacy-invasive aspects.
>I've seen one research effort (an NSF SBIR) looking at creating
>unclonable RFID thus far, which basically works, I believe, by
>extracting a physical signature of the item to be tagged (in the
>awarded research, it was magnetic signatures), and using that as part
>of the unique key, or perhaps registering that signature in an off-
>chip database that would need to be additionally queried.
>In the VeriChip hack, you might address the problem that that little
>chip merely spits out a unique ID that anyone who can read can
>rewrite into a new chip by having the implanted chip also encode some
>(relatively) unclonable aspect of the person the chip is embedded in,
>e.g., you can still "steal" the unique ID, but could only then use it
>in a chip in another (1) female; with (2) brown eyes; (3) blood type
>AB-; etc.; etc.  But so far as I know the VeriChip used in human
>implants is just that little unique number... its value as a unique
>ID for security authentication depends a lot on it being hidden from
>3rd party readers.  Of course, we have this problem in spades all
>over the place... your SSN, or credit card number, can be fairly
>easily abused by anyone who knows it, despite the fact that you have
>to expose it to a lot of parties, many, many times over the course of
>a year.
>Ross Stapleton-Gray, Ph.D.
>Stapleton-Gray & Associates, Inc.
>You are subscribed as eugen at leitl.org
>To manage your subscription, go to
>  http://v2.listbox.com/member/?listname=ip
>Archives at: http://www.interesting-people.org/archives/interesting-people/
>----- End forwarded message -----
>Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
>ICBM: 48.07100, 11.36820            http://www.ativel.com
>8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
>[demime 1.01d removed an attachment of type application/pgp-signature which 
>had a name of signature.asc]

More information about the cypherpunks-legacy mailing list