2006-10-03

More RFID Madness

I noticed this on the MAKE blog... Jonathan Westhues has designed an inexpensive device based on a PIC microcontroller that implements everything needed to clone a VeriChip. As built, he needs to get the antenna into close proximity, but that is just a matter of social engineering; the sort of social engineering that pickpockets have been good at for longer than pockets have been common.

VeriChip Corporation is pushing for adoption of their implantable RFID technology in hospitals (if every victim had a chip, the ER could have their medical records as the gurney arrives), for child protection (some blue-sky idea about tracking lost or kidnapped kids), and for elder protection (similar to the kid tracking, but for the elderly with a tendency to wander away).

Their web site says: "And unlike conventional forms of identification, the VeriChip™ cannot be lost, stolen, misplaced, or counterfeited. It is safe, secure, reversible, and always with you."

Right. It has been successfully cloned (read "stolen") with under $30 of commonly available parts. There are companies (and an agency of the Mexican government!) out there that are using these things as a security token... but they contain nothing more secure than a 16-digit unencrypted identifier. Publish the identifier belonging to a specific individual and what security it had is now lost.
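Why a bare identifier fails as a security token, modelled as an added example (not code from the original post or from VeriChip): a recorded read of a static-ID tag is accepted in a later session, while a recorded challenge-response answer is not. The identifier, the key and the HMAC-based tag are constructed assumptions for illustration only.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not real VeriChip identifiers or keys.
STATIC_ID = "1234567890123456"          # 16-digit identifier, sent in the clear
TAG_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def static_tag(_challenge: bytes) -> bytes:
    """Static-ID tag: ignores the reader and always emits the same bytes."""
    return STATIC_ID.encode()


def keyed_tag(challenge: bytes) -> bytes:
    """Hypothetical alternative: the tag proves key possession per challenge."""
    return hmac.new(TAG_KEY, challenge, hashlib.sha256).digest()


def reader_accepts_static(response: bytes) -> bool:
    # The reader can only compare against the enrolled identifier.
    return hmac.compare_digest(response, STATIC_ID.encode())


def reader_accepts_keyed(challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(TAG_KEY, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)


def replay_outcome() -> dict:
    """Record one exchange per scheme, then present the recording to a new session."""
    # Session 1: a legitimate read that a third party also observes.
    c1 = secrets.token_bytes(16)
    seen_static = static_tag(c1)
    seen_keyed = keyed_tag(c1)
    # Session 2: the reader issues a fresh challenge; only the recording exists.
    c2 = secrets.token_bytes(16)
    return {
        "static_replay_accepted": reader_accepts_static(seen_static),
        "keyed_replay_accepted": reader_accepts_keyed(c2, seen_keyed),
        "keyed_genuine_accepted": reader_accepts_keyed(c2, keyed_tag(c2)),
    }


if __name__ == "__main__":
    for name, value in replay_outcome().items():
        print(f"{name}: {value}")
```

The static scheme has no per-session input, so the reader cannot distinguish the enrolled tag from anything that presents the same 16 digits.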

They even claim that their readers work up to 10 feet away. That means that chipped individuals can be logged at public locations by simply requiring that the general public pass through a choke point (say a door or hallway) no more than 10 feet across. And if a 10-foot range is commercially viable, then it is obvious that a hacker with a nose for antenna design can build a suitably sensitive device to read the chip at 100 feet or more.