Sunday, July 23, 2006

RFID Hacked Again and Vendor Says it's as Safe as Anything in Your Wallet!

RFID is a highly controversial technology because (some say), it is easily "hacked," which will leave it wide open for data theft. This could mean - a bad guy gaining access to a secure building - or even your personal information being compromised (cloned), when used in "identification documents," such as passports.

And to make it even easier for the crooks, it's "wireless."

Please note that the U.S. State Department plans to start issuing passports with RFID chips in August.

Here is an interesting story by Nic Fulton at Reuters:

Annalee Newitz and Jonathan Westhues presented their experimentations at the HOPE Number 6 conference in New York City in front of a crowd of hackers, tweakers and phone phreakers.

This is the first time someone has cloned an human-implanted RFID chip, Newitz said. Since I have been chipped Jonathan refers to me as an implanted pet.

Newitz said she has an RFID chip implanted in her right arm manufactured by
VeriChip Corp., a subsidiary of Applied Digital.

Their Web site claims that it cannot be counterfeited that is something that Jonathan and I have shown to be untrue.

The pair demonstrated the cloning process: Westhues held a standard RFID reader against Newitz's arm to register the chip's unique identification number.

Next, Westhues used a home-built antenna connected to his laptop to read Newitz's arm again and record the signal off her implanted chip.

Westhues then takes the standard RFID reader and waves it past his laptop's antenna. The reader beeps, showing Newitz's until then unique ID. It actually has no security devices what-so-ever, Newitz said of VeriChip's claims that its RFID chips can not be counterfeited.


Link, here.

And Reuters - in the interest of fair reporting - updated the story to include a comment from Verisign, a leading vendor of RFID technology:

VeriChip spokesman John Procter said in a phone interview that he had read about Newitz and Westhues work, but the company had not been able to review the evidence. He had no specific comment regarding their cloning project.

We can't verify what they may or may not have done, Procter said, adding that: We haven't seen any first-hand evidence other than what's been reported in the media.


It's very difficult to steal a VeriChip, it' s much more secure than anything you'd carry around in your wallet, he added.

My thought for Verichip is please get out there and view some of the evidence. This technology threatens to put us all at risk!

And Verichip is right about one thing, not too much is safe in our wallets (these days) -- thanks to technology -- which seems to be hacked faster than it can be developed.

4 comments:

prying1 said...

- "We can't verify what they may or may not have done" sez VeriChip spokesman John Procter -

- "Their Web site claims that it cannot be counterfeited" sez Annalee Newitz -

Perhaps people should write to the U.S. State Department about this since they plan to start issuing passports with RFID chips in August. -

~~~~~

OK - I'm back - Went to: http://www.state.gov/ - Hit 'Contact Us' towards the bottom - Clicked Email a question/comment tab and sent them this:
~~~~~
Evidently Verichip's RFID chips are radio frequency devices that will be placed in passports this coming August. Will the information on these chips be susceptible to hacking by crooks and terrorists?

Will the State Department double check the veracity of Verichip Corp claim RFID chips are safe from hacking prior to their use in passports in August? Even if shown to be problematic will they be used?

Please check this website
- http://fraudwar.blogspot.com/2006/07/rfid-hacked-again-and-vendor-says-its.html - or this
-
http://blogs.reuters.com/2006/07/22/high-tech-cloning/
-


If you do not want to click on the link please type the following into Google - Fraud, Phishing and Financial Misdeeds RFID hack - Number one hit should do it...

If these chips are used in passports and can easily be hacked with wireless devices how many lawsuits will it take before the chips are removed?
~~~~~

Off to Whitehouse.gov to ship the message to the Whitehouse.

Anonymous said...

Doon't assume VeriChip technology will be used on passports. VeriChip provides no encryption whatsoever. US Passports will have encryption.


Saying RFID is not secure is like saying Ethenet is not secure. Encryption is needed.

The problem is doing it on a 10 cent part.
Contactless Smart Cards with encryption cost 10-30 times the price.

Anonymous said...

"The basic problem with RFID is surreptitious access to ID," said Bruce Schneier security technologist, author and chief technology officer of Counterpane Internet Security, a technology security consultancy. "The odds are zero that RFID passport technology won't be hackable."

Anonymous said...

Everyone seems to assume that criminals are all geeks. When the common thug sees a person walk through a secure door without delay, it won't take long for him to find a way to retrieve the device, with a knife...oops...wrong arm...let me try the other one...oops...wrong again. Does this device come with Onstar?