
Tag Implants May Be Dangerous for Security Apps, Says Group

Because VeriChip's tag is easily copied, a technologist group claims it is a poor choice for authenticating the bearer's identity. But VeriChip says its tags should be combined with other authenticators.
By Mary Catherine O'Connor
Aug 22, 2006

An implantable passive RFID tag made by the VeriChip Corp. can be cloned and is, therefore, not an appropriate device for use in building access control, says an article in an upcoming issue of the Journal for American Medical Informatics Association (JAMIA). VeriChip's tag, approved by the Food and Drug Administration (FDA) for human implantation, consists of a low-frequency inlay enclosed in a rice-sized glass capsule. VeriChip sells it for two different applications: VeriMed, which uses the tag to identify patients and access their medical records in the event of an emergency, and VeriGuard, which utilizes the tags to identify people for the purposes of granting or denying access to buildings and offices.

"I'd suspected for some time that the VeriChip was susceptible to cloning attacks," says Ari Juels, manager and principal research scientist for RSA Laboratories, a provider of digital security products. His suspicions were confirmed early this year after he met with a computer scientist, Jonathan Westhues, who, weeks earlier, had cloned the VeriChip tag implanted in the arm of technology journalist Annalee Newitz. Juels and Westhues are two of the JAMIA article's four authors, along with John Halamka, CIO of Beth Israel Deaconess Medical Center, which offers the VeriMed system, and Adam Stubblefield, a Johns Hopkins University faculty member studying RFID security. Halamka also has the VeriChip implant and is a subscriber to the VeriMed system.

Westhues used a cloner he created, which Juels describes as a kind of RF tape recorder, to capture the RF signal a passive VeriChip tag transmits when it is read. He then replayed that same signal (without even having to convert it to the digits encoded on the tag) to another interrogator, which read the signal from the cloner just as it would from a tag. This is possible because VeriChip does not use any data encryption to protect the 16-digit number it encodes to the tags it sells.

In the paper, the authors posit that VeriChip tags "should serve exclusively for identification, and not authentication or access control" because the ease with which the tags can be cloned leaves any security system built on the VeriChip IDs highly vulnerable to attacks.

VeriChip says its implantable tag uses an ISO air-interface protocol, though the company could not supply RFID Journal the specific ISO standard it follows.

Westhues' cloner device can also act as an RFID interrogator—but not one sophisticated enough to clone (or "spoof") tags protected through encryption or a challenge-response protocol requiring the interrogator to send a password before the tag responds with its data. Nonetheless, Juels says, it is small and effective enough that a nefarious party could conceivably use it to read a tag embedded in the arm of a subway rider. If that VeriChip customer had the implant purely to be identified in a medical database in the case of an emergency, reading and cloning the VeriChip's ID would not provide any benefit to the attacker—unless that attacker had an interest in accessing the rider's medical history and the ability to access the secure VeriMed database.
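The paper's distinction between identification and authentication can be shown in a small simulation, added here as an example that is not from the article, the JAMIA paper or VeriChip. It assumes an HMAC-over-nonce challenge-response scheme as a stand-in for the protected tags the article mentions; the class names, the tag ID and the key are all constructed.

```python
import hashlib
import hmac
import secrets

TAG_ID = "0000111122223333"  # constructed 16-digit ID, not a real tag number


class StaticTag:
    """Emits the same unprotected ID on every read, as the article describes."""
    def respond(self, challenge: bytes) -> bytes:
        return TAG_ID.encode()


class KeyedTag:
    """Assumed design: the tag answers each reader nonce with an HMAC."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return TAG_ID.encode() + mac


class Recorder:
    """Models the 'RF tape recorder': stores one observed reply, replays it."""
    def __init__(self, observed_reply: bytes):
        self.observed_reply = observed_reply

    def respond(self, challenge: bytes) -> bytes:
        return self.observed_reply


def static_reader_admits(device) -> bool:
    # Identification only: any device that emits a known ID is accepted.
    return device.respond(b"") == TAG_ID.encode()


def challenge_reader_admits(device, key: bytes) -> bool:
    # Authentication: a fresh nonce per read makes an old reply useless.
    nonce = secrets.token_bytes(16)
    reply = device.respond(nonce)
    tag_id, mac = reply[:16], reply[16:]
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    return tag_id == TAG_ID.encode() and hmac.compare_digest(mac, expected)


def run_demo() -> dict:
    key = secrets.token_bytes(32)
    static_copy = Recorder(StaticTag().respond(b""))
    keyed_copy = Recorder(KeyedTag(key).respond(secrets.token_bytes(16)))
    return {
        "static_reader_accepts_copy": static_reader_admits(static_copy),
        "challenge_reader_accepts_tag": challenge_reader_admits(KeyedTag(key), key),
        "challenge_reader_accepts_copy": challenge_reader_admits(keyed_copy, key),
    }
```

A reader that only compares IDs accepts the recorded reply, while the nonce-based reader accepts the genuine tag and rejects the recording, which is why the authors limit a static-ID tag to identification.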
