Technology Evaluation: The Security Implications of VeriChip Cloning

The VeriChip is a Radio-Frequency Identification (RFID) tag produced commercially for implantation in human beings. Its proposed uses include identification of medical patients, physical access control, contactless retail payment, and even the tracing of kidnapping victims. As the authors explain, the VeriChip is vulnerable to simple, over-the-air spoofing attacks. In particular, an attacker capable of scanning a VeriChip, eavesdropping on its signal, or simply learning its serial number can create a spoof device whose radio appearance is indistinguishable from the original. We explore the practical implications of this security vulnerability. The authors argue that: (1) the VeriChip should serve exclusively for identification, and not authentication or access control; and (2) paradoxically, for bearer safety, a VeriChip should be easy to spoof, since an attacker then has less incentive to coerce victims or extract VeriChips from victims' bodies.
