To access this medical information, an attacker would need a URL for the Web-based database, as well as a valid log-in name and password. As a security measure, VeriChip automatically sends an e-mail message to the bearer of the implant each time his or her account is accessed, along with the name of the facility linked to the password used to log on to the account.
If a VeriChip customer, however, had the implant for the purpose of entering his secure office building—by holding the arm with the implant within inches of an access-control reader at the building's entrance—then the ability to clone the number could certainly have value to the attacker.
|
|
Ari Juels
|
Nonetheless, Juels and his coauthors are not recommending that VeriChip add a level of data security to its tags. Making the tags more secure would put people who use the implants for building access control—such as three employees of
Citywatcher.com, a video surveillance company in Ohio—in danger.
"An attacker can readily seize and use a physically transferable authenticator, such as an ATM card, without seizing its owner," says the paper. Although an attacker currently would be able to use Westhues' cloner or a similar device to clone a VeriChip tag's ID, this would not be true if the company changed its tags to make cloning impossible, or nearly impossible. The paper goes on to note that in 2005, thieves in Malaysia once severed the finger of a man to steal his Mercedes, which had a biometric security system and would run only after scanning the driver's fingerprint. What, the authors pose, if thieves tried to extract an implanted VeriChip tag in order to access a building?
"Somewhat paradoxically," the paper concludes, "we maintain that a VeriChip should be vulnerable to spoofing by design, to discourage physical attacks on VeriChip bearers." It maintains, furthermore, that VeriChip implants should not be used to authenticate—that is, to
prove the identity of those with the implants—but, rather, just to identify them. A security system using the implants, therefore, would need some other type of authenticating factor.
VeriChip's vice president for medical applications, Richard Seelig, says the article is based on false assumptions. "VeriGuard is meant to enhance current [security] measures rather than to replace them," he says. "That's why the paper's hypothesis is made in a vacuum. In the real world, experts always recommend having at least two means of identification to enter secured locations."
Seelig claims he's not sure whether Citywatcher.com is using VeriGuard as a standalone system or in combination with another security system that would require a second means of authentication. Still, he says, "I certainly hope that [VeriGuard] is being deployed with other forms of ID and authentication." Citywatcher.com did not respond to a request for an interview as of press time.
Seelig says he also thinks it would have made more sense for the group that wrote the paper to test some of the scenarios they describe in the paper, such as secretly reading a person's VeriChip implant while on a subway train. Halamka has the implant, he notes, and could have ridden in a subway train with Westhues and his cloner. Without having performed such an experiment, Seelig says, the paper is based purely on assumptions.
The article's authors note that they are not attempting to make any "categorical judgment as to whether or not VeriChip implantation is beneficial." In fact, Beth Israel Deaconess Medical Center is equipped with VeriChip interrogators and can access the VeriMed database to retrieve the medical records of people with implants. However, they do say they are trying to encourage the kind of scrutiny of the implants that led them to write the paper.
An electronic version of the JAMIA article on VeriChip will be available later this month on the publication's
Web site (nonsubscribers can read an abstract of the paper, or pay a $5 fee to read the complete article). It will also be published in the November/December issue of the magazine.
THE WORLD'S RFID AUTHORITY
PREMIUM = Requires Subscription. Learn More
