Wednesday, August 23, 2006
Together with Beth Israel Deaconess CIO Dr. John Halamka and engineer Jonathan Westhues, RFID CUSP scientists have studied the security of human-implantable RFID tags. An article describing their work will appear in the Journal of the American Medical Informatics Association (JAMIA) in November. Here Ari Juels offers an informal perspective on the project.
Within our lifetime, RFID tags will be ubiquitous. They already reside in millions of automobile keys, credit cards, and building-access cards. They are filtering into supply chains, and in the decades ahead will wend their way onto individual retail products. Eventually, every item in your supermarket could carry an RFID tag.
The fringes of RFID ubiquity, however, may already reach farther than many people suspect.
A commercially available RFID device known as the VeriChip™ is specially designed for surgical implantation in the human body. Unlike groceries, people are already being “chipped” today.
There are compelling medical applications for human-implantable RFID tags that uniquely identify people as the VeriChip does. Reliable, accurate registration and tracking of hospital patients is a pressing problem. So too is the verification of patient identities for drug administration. (RFID wristbands can in principle address these problems, but are subject to removal, loss, and enrollment errors.)
With a population of “chipped” people, other applications become attractive. And the vendor of the VeriChip has claimed that the device “cannot…be counterfeited.” As a seemingly un-forgeable, automatically readable human identification device, the VeriChip conjures up visions of RFID-secured buildings without security badges and payment systems that require just a wave of the hand. A beach club in Barcelona has deployed both applications. (Its patrons do not always have wallets handy.) The VeriChip seems at first glance like the ultimate “prosthetic” biometric, suitable as a strong authentication factor.
Cloning and Anti-Cloning
The VeriChip, however, is in reality just a wireless barcode. Like a barcode, it can be easily copied. As part of our research effort, we have demonstrated this basic vulnerability. (See this description for more details.) Using inexpensive equipment, one participant in our research “skimmed” target VeriChips, i.e., scanned and recorded their output, and spoofed a VeriChip reader into accepting the output of a clone device as that of the original VeriChips. (The clone did not have the same physical form as a VeriChip, but of course the VeriChip reader could not tell.)
The implication, of course, is that the VeriChip is unsuitable as a means of authenticating people. An attacker can clandestinely “skim” a victim at short range and then spoof the victim’s VeriChip to a legitimate reader. As an authenticator, the VeriChip would enable identity theft over the air.
Let’s refer generically to a human-implantable RFID tag by the acronym HIRT. With the right cryptographic protections—a solid challenge-response mechanism—a HIRT could be designed to protect against skimming attacks. Paradoxically, though, we have concluded that the vulnerability of a HIRT to cloning is beneficial to the physical safety of its bearer.
If a HIRT were made un-forgeable, then security systems could come to rely on it for authentication. One could easily imagine HIRT-enabled ATM machines, for example. In this case, attackers would have an incentive to apply physical force to HIRT bearers—or to separate HIRTs from their owners. (Biometrics can pose the same hazard, and have in some instances, but “liveness” checks at least can discourage trade in body parts.) The best insurance against physical threats is for HIRTs not to support authentication.
Privacy is another important issue. As a barcode-like device, the VeriChip identifies its bearer to any reader—not just authorized ones. A network of readers could, in principle, perform physical tracking of VeriChip bearers without their permission (or knowledge).
The VeriChip does not emit personally identifying information. It is not difficult, however, to establish a linkage between real-world identities and VeriChip IDs. It would suffice for a retailer to scan your VeriChip when you make a credit-card purchase, for example.
More generally, if HIRTs are a good idea, and if HIRTs must be clonable to ensure physical safety, is privacy possible? Counterintuitive as it may seem, a HIRT can support privacy and cloneability at the same time. In our paper, we describe ways of using basic cryptographic tools to create HIRTs that emit encrypted identifiers, but are at the same time spoofable.
In some cases, implantable RFID tags have undoubted benefits. Tens of millions of house pets already carry surgically embedded RFID tags. As a matter of routine, shelters scan lost animals whose collars have gone missing. RFID has reunited many pets with their owners.
If HIRTs for people, however, are to be more than mere dog tags, it behooves us to think deeply about both security and privacy.