VeriChip's human-implantable RFID chips clonable, sez hackers
In case anyone needed more proof that we're all living in a Philip K. Dick novel, a pair of hackers have recently demonstrated how human-implantable RFID chips from VeriChip can be easily cloned, effectively stealing the person's identity. Annalee Newitz and Jonathan Westhues showed off their handiwork at the HOPE Number Six conference in New York City this weekend, with Newitz herself playing the role of guinea pig, implanting a VeriChip RFID chip in her right arm. To clone the chip, Westhues first read Newitz's arm with a standard RFID reader, then scanned it again with a homebrew antenna connected to his laptop, which recorded the signal off the chip. He then used the same RFID reader to read the signal from his laptop, which promptly spit out Newitz's supposedly unique ID. For its part, VeriChip has only said they haven't yet had a chance to review the evidence but still insist that "it's very difficult to steal a VeriChip." [Via Techdirt]
Reader Comments (Page 1 of 1)
Andrew @ Jan 4th 2009 3:32PM
http://www.youtube.com/watch?v=to3mNocRIBg
chris @ Jul 24th 2006 4:32PM
so, read raw and save, then echo on command is difficult?
dave @ Jul 24th 2006 4:38PM
VeriChip is teh PWNED!!!
shirizaki @ Jul 24th 2006 4:42PM
When they said "difficult to steal a Verichip" they meant stealing the chip.
You'd have to rip the person's arm off to steal it.
I assume more higher-tiered chips will have a Bluetooth-like "pairing" mode, so that only certain machines and chips have the same interaction.
Jonathan Worrel @ Jul 24th 2006 4:59PM
funny, how she put it in her right hand. also ironic, how they are cloneable, so even if this was implemented worldwide, people would still get hacked. verichip sucks. verichip is the devil, haha.
even if you put it in someone's right hand or forehead, you can still get robbed. don't even think about trying this...for all of you out there that know what I am talking about.
MobileMistress @ Jul 24th 2006 5:36PM
It's the end of the world as we know it.. I'm telling you people...
And by the way, that picture made me cringe... OOOUCH!
Travis @ Jul 24th 2006 5:51PM
It just goes to show that Humanity is not ready for the verichip. If they can't even safeguard it, how do they expect people to trust in their product?
Austin @ Jul 24th 2006 6:15PM
can anyone say "mark of the beast"?
TC @ Jul 24th 2006 6:33PM
Can I patent an implantable firewall? I'll be the Cisco of the Biomechanics world! Surely there must be space in that arm to run some Cat5.
furtim @ Jul 24th 2006 6:59PM
Can anybody else say "inherently insecure technology"?
How many times does this need to happen before we give up and leave RFID to inventory tracking, where it belongs?
Travis @ Jul 24th 2006 7:08PM
I agree with furtim.
jrd @ Jul 24th 2006 7:43PM
While I'm not that familiar with Verichip's offerings, I do work in the RFID space. Usually, the unique ID that's on the RFID tag is just a licence plate that points to a record in some back end system. So having the license plate is effectively useless unless you know which system has the relevant information. In addition, many of the chips inside the tags have a unique ID that's burned in when the chip is fabricated (along the lines of a MAC address) that can't be changed without some fairly expensive equipment - like a chip fab. So even if someone were to find the right database, a well designed system would check the chip ID and the license plate. If they don't match, they know it's an invalid request.
abigsmurf @ Jul 24th 2006 7:49PM
don't these things have some kind of dynamic encryption? It's not exactly hard to replicate a single radio transmission like they did in that example but if it does a different transmission each time it's scanned then this technique is useless
Darth Poo @ Jul 24th 2006 8:49PM
This can't be the mark of the beast. I think the Anti-Christ would be smart enough to use a secure way to corrupt the masses to his evil whim and condemn them to hell for all eternity. Just sayin'.
Moogle @ Jul 24th 2006 9:21PM
jrd: As long as the chip spits out the same data every time, there is nothing you can do to stop a replay attack. The database location is known if they're using this as a key - it's your bank, your car, or your front door.
Are there any RFIDs that can actually perform enough computation to generate a sufficiently random key w/ a secret algorithm? I don't follow the space that much, but car key fobs do this and they're large and battery powered (And still susceptible to attack).
If not, as an access control this is far worse than a keypad or key, as your access rights can be stolen without a trace at medium range anywhere you go. Fortunately for most, criminals are generally dumb and poor.
Mathieu @ Jul 25th 2006 4:25AM
Hi all,
I work in the RFID field, the unique ID is not the key.
Let me explain. Reading the ID from a chip is easy, as there are standards (ISO 14443 A/B and 15693 for example) and if you have the correct reader, no problem.
So anyone can create a clone with the same ID.
BUT every chip manufacturer implements in addition an encryption algorithm. So any secure reading is two steps:
1: what is your unique ID (std)
2: Is this chip that claims to be genuine really genuine (encrypted)
and both steps need to be successful to achieve secured identification. Modern chips allow programmers to code any encryption algorithm (like 3DES for example).
If I understand correctly the presentation made, it only describes "id" stealing, which is not a big issue. IMHO.
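Added example (not part of any comment in this thread, and not VeriChip's or any vendor's code): a Python model of the two reader designs being argued about here, an ID-only read versus an ID read followed by a challenge-response check, showing that a recorded exchange passes the first and fails the second. The `Tag`, `Recording` and reader names are hypothetical, the ID is constructed, and HMAC-SHA256 is an assumption standing in for whatever algorithm a real chip would run.

```python
import hashlib
import hmac
import secrets

def mac(key, challenge):
    # HMAC-SHA256 is an assumption standing in for the chip's own algorithm.
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Tag:
    """Hypothetical tag model: a fixed ID and, optionally, a secret key."""
    def __init__(self, uid, key=None):
        self.uid, self._key = uid, key

    def read_id(self):                 # step 1: identical bytes on every read
        return self.uid

    def prove(self, challenge):        # step 2: answer depends on the challenge
        return mac(self._key, challenge) if self._key else b""

class Recording:
    """Plays back what a tag sent during one earlier, observed read."""
    def __init__(self, uid, proof=b""):
        self.uid, self._proof = uid, proof

    def read_id(self):
        return self.uid

    def prove(self, challenge):        # stale: bound to the earlier challenge
        return self._proof

def id_only_reader(tag, enrolled):
    # Accepts anything that presents an enrolled ID.
    return tag.read_id() in enrolled

def two_step_reader(tag, enrolled):
    key = enrolled.get(tag.read_id())
    if key is None:
        return False
    challenge = secrets.token_bytes(16)    # fresh and unpredictable per read
    return hmac.compare_digest(tag.prove(challenge), mac(key, challenge))

def demo():
    uid, key = b"CONSTRUCTED-ID-0001", secrets.token_bytes(16)  # constructed values
    enrolled = {uid: key}
    genuine = Tag(uid, key)
    replay = Recording(genuine.read_id(), genuine.prove(secrets.token_bytes(16)))
    return {
        "id_only/genuine": id_only_reader(genuine, enrolled),
        "id_only/replay": id_only_reader(replay, enrolled),
        "two_step/genuine": two_step_reader(genuine, enrolled),
        "two_step/replay": two_step_reader(replay, enrolled),
    }
```

The second step only helps if the reader actually performs it and the key never leaves the tag; a reader that stops after `read_id()` behaves like `id_only_reader` no matter what the chip can do.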
furtim @ Jul 25th 2006 7:19AM
jrd: Sure, maybe people are that sensible in the realm of inventory tracking. But if you'll recall Engadget's coverage of the US RFID passports, you'll note that the people trying to use RFID on people aren't sensible at all. With the passports, all the data is stored on the RFID itself. I would be completely unsurprised if VeriChip's system were the same way.
More importantly, it makes no difference to identity theft. You think everybody who accepts one of these things at a point-of-sale is going to have access to the entire VeriChip database and get a photo of each customer to pop up on their sales computer when they scan their RFID? Hell, no. Even if photos are in the database, the people who are using it day-to-day won't get access to that in order to verify identification of their customers.
RFID on people is a stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid, stupid idea.
sondjata @ Jul 25th 2006 9:21AM
While I'm not that familiar with Verichip's offerings, I do work in the RFID space. Usually, the unique ID that's on the RFID tag is just a licence plate that points to a record in some back end system. So having the license plate is effectively useless unless you know which system has the relevant information. In addition, many of the chips inside the tags have a unique ID that's burned in when the chip is fabricated (along the lines of a MAC address) that can't be changed without some fairly expensive equipment - like a chip fab. So even if someone were to find the right database, a well designed system would check the chip ID and the license plate. If they don't match, they know it's an invalid request.
And how easy is it to spoof a MAC Address? Alllllll righty then.
Austin @ Jul 25th 2006 1:01PM
You're right Darth, I think I'll go back to the infallible UPC theory for the mark of the beast. Plus it's fun to make all of the sales associates type in the number rather than scan it because of my "religious beliefs"
jrd @ Jul 25th 2006 8:30PM
To Moogle: Yes, (many) RFID tags have the ability to vary their responses. In the passive tag space, this is part of the EPCglobal Gen 2 spec. (Passive tags are those that don't have batteries, unlike, say, EZpass.) Tags can also be set to authenticate the reader before they will release their data. And the full suite of encryption technologies are available... of course, this requires the vendor to utilize them.
To Furtim: I don't totally disagree with you about RFID on people. However, there are applications that make a lot of sense. For example, using active RFID to track individuals in hazardous locations. While I wouldn't want to be tracked in my daily life... I'd sure as hell want the rescue teams to be able to find me if I was a miner stuck at the bottom of some hole in the ground somewhere.
Crazy Dre @ Jul 25th 2006 10:05PM
wow, the rice grain returns.
MobileMistress @ Jul 26th 2006 7:41AM
It's the end of the world as we know it.. I'm telling you people...
And by the way, that picture made me cringe... OOOUCH!
Dude @ Jul 27th 2006 6:41PM
Leave em for inventory only huh? What do you think we consumers are?
Patrick Miller @ Jul 28th 2006 1:43AM
No electronic anything is secure - GIVE ME A BREAK YOU RFID APOLOGIST NEOCON TARDS.
Brandon @ Aug 5th 2006 4:10AM
"No electronic anything is secure." thats no more true than "Anything that can be made, can be Unmade."
If I hand you a cake can you get the eggs back out? No, There are electronic equivalents, like, heh, encryption. Division is MUCH harder than multiplication.
The myth of electronic insecurity is an advertising ploy. If it really were so easy to defeat any given electronic system, we'd have had blackouts, nuke self detonations, planes dropping out of the sky, hackers winning the lottery, etc.
This is a baby technology, give it time, and it's no more secure than a memorized password. With creative placement of a camera, or creative use of pliers and a shotgun, one can get virtually anything out of your head (or arm), just ask the poor people we ship to Turkey for interrogation.
And it doesn't have to work as advertised to be a smart idea, if your only goal is making money.
adonaiiis @ Jun 21st 2009 1:26PM
I have an older info chip in my upper left arm and can often hear the telemetry being beamed into the sky! Wherever I go there is the familiar yet very quiet chirp sound like (tip tip tip) The awful part of my story is I'm not sure who has control over the information I generate and I don't know who is responsible for keeping tabs on me? I'm 99% sure I'm a little blue dot on someone's screen...Is there a way of finding out? Oh God, I'm not a crook or pedophile...I was abandoned by my parents and entered government care when I was five. I remember the doctor who fixed my broken arm said "I've put something in your arm, it will bring good things and opportunity into your life" I was seven and did not understand what he meant...I'm 38 now and comprehend completely...if there is a way for me to clone the chip I should be able to identify who was absolutely responsible for stealing my life, voice, ideas, concepts then they feed it back to me verbatim via popular media. My eight year old niece was staying over for Easter a few years back and she came running in to the dining room one night screaming "Uncle, uncle, "there's a strange sound bothering me" leave my family out of it!
Patricia Binkis @ Jan 14th 2007 1:45AM
This is getting to be exactly what Rev 13:16.....
He required everyone ---- great and small, rich and poor, slave and free--- to be tattooed with a certain mark on the right hand or on the forehead. And no one could get a job or even buy in any store without the permit of that mark, which was either the name of the Creature or the code number of his name.
Tattoo RFID now....
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=196802844
Kahuma Harny @ Jan 22nd 2007 6:36AM
I think those chips will be a menace to human privacy and could as well result in cancer.
However, when we go back to the Bible, I came to compare those chips to the "666" written about in the book of Revolutions.
All in all I do not back the use of those "chips".
Geovani @ May 1st 2007 4:09PM
I think it's funny how the RFID guys are the only ones who are defending this ridiculous chip. I for one would gladly get beheaded than become nothing more than cattle....and one more thing...if this law is actually passed do you honestly think that people will stand idle and do nothing about it...they will unite and the government will have its hands full with angry people....if this chip is mandatory because of all the fears for security...then the terrorists have won already for we have changed our way of life in the name of so called security!
Bryan @ Jul 11th 2007 6:00PM
Geovani, Many people will stand idle actually it would be cool. iPhones for example anyways plus when the time comes many would be living in fear and the world would be in chaos and maybe it's after what the events where Christ followers don't forget churches probably still would be full, but anyways Christ followers would disappear off the face of the earth. People would be scared and think this chip would be the best for them and their families that is why parents or children in those days will turn their family members in because many would see the truth and deny the implant as the Bible says the mark of the beast in the right hand or forehead, but I can be wrong in the order of.
Benjamin Agwah @ Nov 2nd 2007 9:16AM
Whatever one might say or think, this technology is certainly linked to the end-time prophecy of the Holy Bible and is certainly a warning to all believers that the machinery that will bring about the end-time program of God has been set in motion. People will willingly accept the mark of the beast in the same way they accept development in technology. That is why the Bible warns us to be careful that we may not be deceived.
Remember, once accepted, no more remedy remains except the inevidient fiery fire that burns with sulphur and brimstone.
Randall @ Nov 19th 2007 6:05AM
I have an implant in my ear canals which allowed me to be in constant contact with my team when I was in an overseas security firm. How do I remove it? Operates with electro magnetics
Randall @ Nov 19th 2007 6:17AM
It is a cochlear implant. It allowed mental images. I was constantly connected to my superior so I could receive instructions when necessary. I could be talking to someone and could get important communications immediately. I want to remove it but it is something you do not normally see.
Keith Richard Radford Jr @ Aug 9th 2008 1:47PM
Prove I'm a liar!
In 1992 I was implanted with a microchip by the California Department of Corrections. Prove I'm a liar!
Just like the Angel of Death* HaloScan, IBM, Avid, Veri Chip and other companies use subcutaneous human tracking devices, audio surveillance systems and other venues against American people for fun and profit. Prove I'm a liar!
Since the Nuremberg trials the Nuremberg code of universal medical ethics have moved into California's Silicon Valley which is being protected by our own governments representatives. Prove I'm a liar
The national fraud squad has opened an investigation into the affair. The four are suspected of abuse, aggravated assault, causing death through negligence, fraud, forgery, breach of statutory duty, and disruption of legal proceedings. Prove I'm a liar!
*Dr. Josef Mengele was a German SS officer and a physician in the German Nazi concentration camp Auschwitz-Birkenau. He gained notoriety chiefly for being one of the SS physicians who supervised the selection of arriving transports of prisoners, determining who was to be killed and who was to become a forced labourer, and for performing human experiments on camp inmates, amongst whom Mengele was known as the Angel of Death.
Since 1987, Nancy Pelosi has represented California's Eighth District in the House of Representatives while being on the board of Veri Chip.
As California's senior Senator, Dianne Feinstein has built her reputation on condoning torture, working with both Democrats and Republicans to find solutions to the problems facing California and the Nation court who have chosen to ignore human and civil right.
You Worthless Tech Trollops have been instrumental in working toward a North American Union. When will America wake up to the fact that our government knows human nature. Using sex offenders to justify their actions when what they are doing is universally wrong, is underhanded at least and fundamentally treasonous by using devices that are unsafe. Hiding the finding of company's product and placing humans at risk seems to be of no consequence to those that take them to court on habeas corpus writs.
I was told by my attorney that my case was demurrer which means the state says so what.
So what if you are diabetic and need to enroll in Adult Swim at your YMCA because of injuries for exercise.
So what if you are disabled and we made you move.
So what if you live a good honest life.
So what if when we made you move you were going to school to learn a trade and we disrupted your life during your finals and you could not finish your training.
So what if you and your wife who by the way has never done anything to anyone is waking in the middle of the night crying because you stand to be homeless for fear that no one will rent to you.
We lived in an apartment in Burbank CA when someone decided to place flyers at our home about my 23 year old sex offense and get us kicked out of our home. So what.
Reminds me of the Quote by Pastor Martin Niemöller: First they came for the Jews and I did not speak out because I was not a Jew.
Then they came for the Communists and I did not speak out because I was not a Communist.
Then they came for the trade unionists and I did not speak out because I was not a trade unionist.
Then they came for me and there was no one left to speak out for me. We have one week to come up with a bunch of money to fight for rights Americans are losing because they are better than us.
Sorry America we have no money. We are poor, week to week surviving on what we have which is less each day.
When these laws get done with us, they will not be satisfied. Prove I'm a liar!