Security issues of VeriChip

ing. Zhang Biyong
Kerckhoffs Institute & Dept. of Mathematics and Computer Science
Technical University of Eindhoven
15th June 2008

Abstract. VeriChip is the first Food and Drug Administration (FDA)-approved human-implantable radio-frequency identification (RFID) microchip. It is proposed for the identification of medical patients, physical access control, contactless retail payment, and protection against infant abduction. VeriChip is marketed by VeriChip Corporation, whose website alleges that the VeriChip can't be lost, stolen, misplaced, or counterfeited [1]. As a matter of fact, however, the VeriChip cannot even withstand a simple cloning attack. An attacker who is able to scan a VeriChip, eavesdrop on its signal, or directly learn its serial number can simply build a clone that the VeriChip reader cannot distinguish from the original. The major focus of this paper is to explore and discuss the possibility of VeriChip cloning, both in theory and in practice.

Keywords: RFID, privacy, security, VeriChip, cloning, tracking, identification, authentication

1 Introduction

As a human-implantable RFID microchip, the VeriChip has great potential for wider use along several current trends. About fifty million house pets around the world already bear implanted wireless microchips similar in form and function to the VeriChip, and lost animals can be identified with the help of these chips. In private facilities, the VeriChip can enhance physical access control, as it permits automated identification of individuals and tracking of their movements within buildings [13]. For personal safety, a Mexican distributor announced plans a few years ago to create an anti-kidnapping system for children using the VeriChip [14]. The VeriChip may also be used as a payment device, and may even become a replacement for the credit card [15]; these products are marketed as VeriPay.

Besides these, we believe the VeriChip may have broader applications in daily life, such as anti-theft systems for automobiles [5], military supply chains and so on. However, with the spread of the VeriChip, disputes and problems arrive at the same time. The first focus is the privacy concern: people are afraid that personal information will leak after a VeriChip is implanted, since the bearer of a VeriChip can be tracked under certain conditions. On the other side, people question whether the data kept in the VeriChip is secret. This raises another concern, security, which is different from the privacy issue but more serious here. Unfortunately the answer is no. In this paper we explain a straightforward cloning attack against the VeriChip. We are going to argue that VeriChip may be used as
an identification tool rather than an authentication tool. For the purpose of authentication, as a proof of identity, the VeriChip is inappropriate and dangerous.

This paper is structured in 6 sections. Besides section 1 for the introduction, section 2 gives a general overview of the application of RFIDs in healthcare. Section 3 explains the background of VeriChip and gives readers a deeper understanding of it. Section 4 brings the discussion regarding the privacy and security of VeriChip. Section 5 covers VeriChip cloning technology and the relevant studies. The conclusions and further work are arranged at the end as usual, in section 6.

2 RFIDs in Healthcare

RFID is an enabling technology that saves lives, prevents errors, saves costs and increases security [2]. The deployment of RFID in the healthcare and pharmaceutical area is considered to be increasing rapidly nowadays. Healthcare RFIDs can bring benefits such as patient identification, equipment tracking, making newborns more secure and reducing drug and blood administration errors. Opportunities can also be seen in the following sectors:
- Pharmaceutical drugs
- Medical disposables and other items
- Pallets and cases
- Laundry
- People
- Secure access
- Conveyances, vehicles, assets
- Real Time Locating Systems (RTLS)
- Sensor-based applications

Based on the difference in power supply source, RFID tags can be divided into two classes: passive tags and active tags.

2.1 Passive RFID tag

A passive tag does not contain a battery; its power is supplied by the reader. When radio waves from the reader are encountered by a passive RFID tag, the coiled antenna within the tag forms a magnetic field. The tag draws power from it, energizing the circuits in the tag. The tag then sends the information encoded in the tag's memory [3].

The advantages of a passive tag are:
- The life-span of the tag can be longer than 20 years, since the tag doesn't have a battery.
- The cost of manufacture is typically lower.
- The tag is much smaller; it can even be made as small as a grain of rice.

The disadvantages of a passive tag are:
- The tag can only be read within a limited distance from the reader.
- It may not be possible to include sensors that need electricity for power.
- The tag remains readable for a very long time, even after the product to which the tag is attached has been sold and is no longer being tracked.

VeriChip is a leading exemplar in the field of passive RFID applications for healthcare. Compared with printed barcodes, passive tags have significant advantages, although both are battery-less. Unlike barcodes, RFID does not require line-of-sight reading [5]. Hence an RFID reader can read the tags of sleeping patients or of swaddled babies in intensive care units without repositioning their bodies. Moreover, RFID tags are better suited than barcodes to a variety of environmental conditions, as they are resistant to moisture, crushing, and tearing. However, the shortcoming of RFID tags lies in the cost. The make-up of an RFID transponder is a little more complicated than a set of printed lines (or bars) as with barcodes: it consists of at least an antenna, a capacitor and a smart chip, so it is not hard to understand why it is more expensive. Much thought has gone into the process of reducing the cost in order to gain a competitive advantage, but the material, labor and manufacturing costs can only be driven down to a certain extent. The price of RFID equipment and tags is a substantial jump, but as the old saying goes, "you pay for what you get". By the same token, where RFID cannot compete with barcodes on price, the benefits of RFID certainly outperform the advantages that barcodes can never offer [6].

2.2 Active RFID tag

An active tag is equipped with a battery that can be used as a partial or complete source of power for the tag's circuitry and antenna. Some active tags contain replaceable batteries for years of use; others are sealed units. (Note that it is also possible to connect the tag to an external power source.) [4]

The advantages of an active tag are:
- It can be read at a distance of even more than one hundred feet away from the reader.
- It may have other sensors that need electricity for power.

The disadvantages of an active tag are:
- The life-span of the tag is limited, since it cannot function without battery power.
- The cost is higher, not only for manufacture but also for long-term maintenance.
- The tag is physically larger, which may limit applications.
- Battery outages in an active tag can result in expensive misreads.

2.3 Application of RFIDs in healthcare

Currently the application of RFIDs on humans is still limited. Beth Israel Deaconess Medical Center is a Harvard teaching hospital located in Boston, and two applications with passive RFID tags are running there right now [8]. The Beth Israel Deaconess Emergency Department is outfitted with passive RFID scanners to read implanted chips [5]. When a confused or unconscious patient who has an implanted RFID
arrives, a medical record identifier can be obtained by scanning the implanted RFID. This identifier is then used to retrieve the patient's medical history, which is stored in the hospital's database. The RFID only plays the role of identification in this case; authentication is not necessary, because the medical record always contains the patient's basic information, such as gender, age and race, which can be used for a quick check. Furthermore, the social and medical history contained in the record may also help to confirm the patient's identity.

In another unit of Beth Israel Deaconess Medical Center, the Beth Israel Deaconess Neonatal Intensive Care Unit (NICU), babies are outfitted with RFID wristbands [5]. Nurses may scan a baby's RFID wristband to identify his mother's milk, which is stored in NICU refrigerators. Additionally, RFID scanners are installed in door frames to detect babies passing in and out of the NICU. Here, too, the RFID has no authentication function.

Passive RFID, especially implanted RFID, has already shown its potential for use in the healthcare field.

Automated registration: Patients can easily be registered by scanning their RFID tags, after which related information, such as demographics, insurance and medical history, can be retrieved by clinicians in a short time. This definitely saves the time usually spent filling in the clipboard forms.

Patient safety: Many hospitals use a system of stickers for blood tests and medications. When some patients' names are similar or even exactly the same, confusion may arise. If each patient is scanned as a blood sample is drawn, the sample can be tagged with accurate patient identifiers. Similarly, scanning patients prior to the delivery of medications can eliminate errors of identification.

Patient tracking: Door-frame scanners or hand-held devices can be used to scan patients who are moving within the hospital. Patient location information would enable work-flow enhancements.

Besides passive RFID tags, active RFID tags are also valuable in the healthcare field. They can be used to track medical personnel and equipment such as patient beds. Beth Israel Deaconess is currently using active tags to track equipment such as ventilators, IV pumps and EKG devices in the emergency department; the search times for such tracked devices have dropped to nearly zero [5].

3 Background of VeriChip

VeriChip products are commercial products of VeriChip Corporation, using RFID tag technologies. Beyond just passive and active tags, the range includes implantable, wearable and attachable form factors. With different form factors, VeriChip products are associated with different tag technologies and solutions. Implantable VeriChip products use the implantable, passive microchip in their solutions for the purpose of automatic identification. Wearable VeriChip products refer to VeriChip Corporation's selection of
active RFID tags that can be worn by an individual (usually on the wrist or leg). Attachable VeriChip products refer to VeriChip Corporation's selection of active and passive RFID tags, such as the Asset Tag affixed to items [1]. The name VeriChip, also written VeriChip™, is used especially for the implantable VeriChip products. In this paper, VeriChip means the human-implantable RFID microchip developed by VeriChip Corporation. It is twice the size of a grain of rice, and the device is typically implanted above the triceps area of an individual's right arm. Once inserted under the skin, via a quick, painless outpatient procedure, the VeriChip is invisible to the naked eye.

Figure 1: VeriChip

As a passive RFID tag, the VeriChip operates at 134 kHz. When the tag is excited by a sufficiently strong magnetic field at that frequency, the circuitry on the chip powers up and responds with a unique, 16-digit identifier over the air. The communication is one-way, from tag to reader, which means the tag does not get any feedback from the reader. Therefore the tag continuously transmits its identifier until it is powered off.

As mentioned above, the microchip contains a 16-digit ID, which means 128 bits. Theoretically there could be 2^128 unique VeriChips in this world; in practice, however, the number is probably lower. First, because the ID is "looped", the reader knows the tag's ID only up to a cyclic shift: there is no designated first or last bit in the bit stream that the VeriChip emits. It is thus necessary to assign some bits as a synchronization marker, or to resolve this ambiguity through some other coding method. Second, it is likely that some of the bits in the VeriChip emission represent a checksum or some other error-detecting or error-correcting code [5].

4 Privacy and Security

Along with the birth of the VeriChip, the dispute regarding privacy and security has come into people's sight. The dispute focuses on two points. One is the safety of the information stored within the VeriChip, and the other is the tracking function of the VeriChip. Privacy advocates treat RFID devices like the VeriChip as spy-chips and worry about potential abuse of such devices. Once these devices are used by governments, there are concerns about the tracking of citizens and any moves towards a police state [7]. Furthermore, the information stored in the VeriChip cannot be guaranteed against theft. Although the VeriChip contains nothing more than a unique 16-digit identifier, this identifier might be used to link the person to his private information stored in a database. Even if the database is password protected, the risk of personal information leaking is always there.
Anyone who holds a VeriChip reader can directly read the information within the VeriChip, since the data is unencrypted and the chip has no functionality to authorize only certain people to read it [7]. Being a passive RFID microchip containing only a unique 16-digit identifier, it can be read by a VeriChip reader held close to the location of the inserted chip. The VeriChip's small size is its biggest security feature. The antenna inside the VeriChip is very small and therefore inefficient [5]. Consequently, the read range is rather limited: only a powerful carrier can excite the tag, and the information-bearing signal that the tag returns is weak.

Currently only health-related information is stored in the database associated with the device, without any financial information or social security number. The information itself is controlled and directed by the subscriber. Precisely because it is technically possible to extract the information on a VeriChip, the chip contains only a nondescript 16-digit number. Someone who possesses a secure logon at a participating medical facility may access the associated personal health record of a subscriber using his 16-digit identifier. Of course, a record is made every time anybody logs on and accesses a subscriber's record [7].

5 VeriChip Cloning

An implanted VeriChip was cloned in 2006 as a demonstration by Jonathan Westhues [7]. In [5], cloning experiments on the VeriChip are described in detail. For those experiments the "proxmarkii" generalized RFID tag reader/cloner is used; proxmarkii can be used to replay stored VeriChip IDs to readers. Proxmarkii is an RFID reading and simulation device developed by Westhues, who used an earlier version to demonstrate cloning attacks against proximity cards [9, 10]. It is designed especially for research purposes and can handle a large variety of formats for the signal over the air. It is also capable of simulating any kind of low-frequency RFID tag [5, 9]. Westhues and his colleagues essentially used reverse engineering to carry out these experiments.

Once a VeriChip is activated, it continuously and repeatedly sends out its ID as a periodic signal, until the external power is switched off. The period of the returned signal can be determined by a quick autocorrelation. For the signal processing, the trace can be saved and processed in the proxmarkii software, or alternatively in MATLAB. Figure 2 [12] shows that the period is 2048 samples (which, sampling every other carrier clock, is 4096 carrier clocks).
Figure 2: VeriChip signal processing trace (autocorrelation)

Autocorrelation is a mathematical tool for finding repeating patterns, such as the presence of a periodic signal which has been buried under noise, or identifying the missing fundamental frequency in a signal implied by its harmonic frequencies. It is used frequently in signal processing for analyzing functions or series of values, such as time-domain signals. Informally, it is the similarity between observations as a function of the time separation between them. More precisely, it is the cross-correlation of a signal with itself [11].

By looking at the graph of the signal received from the tag (see figure 3 [12]), it is possible to determine that each bit is emitted over an interval of 32 clock cycles.

Figure 3: VeriChip doing demod

So it is not hard to conclude that the length of the ID = 4096/32 = 128 bits. Jonathan Westhues guesses that the ID is transmitted using Manchester-coded Amplitude-Shift Keying (ASK); anything else would be strange. With more time it would also be possible to obtain the mapping between the tag's ID and the signal sent over the air, but this is not necessary for these experiments [12].

Two un-implanted and one implanted VeriChip tags were studied. Only 32 bits of the total 128-bit transmitted value differ between them. These 32 bits are separated into two 16-bit sections surrounded by bit patterns that most probably synchronize the reader. It is possible that some of the other bits in the signal also carry ID data, but the 128-bit tag IDs observed contain mostly 0s. Because the samples are quite limited, an accurate conclusion cannot be drawn, but it is likely that some bits are a checksum.

Actually a VeriChip tag always transmits the same signal, so cloning a VeriChip is just a matter of determining the signal and building a device that mimics that signal. It is not necessary to know the details of the structure of the tag's ID. If the specifications for the VeriChip were known, then it would be possible to perform the "read" portion of the cloning using a commercial off-the-shelf reader. One could then take the ID that the reader provides and map it back onto a signal over the air, according to the specification [5]. Another issue is the starting point of the signal. When cloning a tag, it is arbitrary which point in the signal is designated as t = 0: the ID just loops, so the signal over the air is unaffected [12]. In the experiments, the received signal is re-modulated and downloaded to proxmarkii. With proxmarkii in "simulate" mode, it is now indistinguishable from the legitimate tag [12].

Figure 4: Reader display from the signal emitted by proxmarkii

The basic cloning is completed here. There are two kinds of attacks relevant against the VeriChip: the replay attack and the existential cloning attack. We introduce them next.

5.1 Replay attack

In a replay attack, the signal from the target VeriChip is simply captured and re-transmitted to a reader. The complexity of the attack results only from the engineering details of the communications link over the air. A replay attack can be treated as full-blown cloning, since the VeriChip emits a static identifier. The harvested signal may be replayed indefinitely while appearing valid to a reader [5].
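The signal analysis of section 5 (period found by autocorrelation, a fixed number of clocks per bit, a looped ID with no designated first bit) as an added Python example; this is not code from the paper or from Westhues's proxmarkii software. The 16-bit ID, 8 samples per bit, the ±1 Manchester convention and the noise level are constructed assumptions scaled down from the paper's 128 bits at 32 clocks per bit, and the functions are general.

```python
"""Recover a looped tag ID from a captured periodic trace (constructed model).

Scaled-down assumptions: 16-bit ID, 8 samples per bit, Manchester-coded ASK
as +/-1 with light noise. The paper's tag emits 128 bits at 32 clocks per bit
(4096 clocks per period); id_length() reproduces that arithmetic."""
import random

def autocorrelation(samples, lag):
    """Normalised linear autocorrelation of the trace at one lag."""
    n = len(samples) - lag
    return sum(samples[i] * samples[i + lag] for i in range(n)) / n

def find_period(samples, max_lag):
    """Smallest lag inside the peak band. The peak recurs at every multiple
    of the period, so the smallest such lag is the fundamental period."""
    scores = [(autocorrelation(samples, lag), lag) for lag in range(1, max_lag + 1)]
    peak = max(score for score, _ in scores)
    return min(lag for score, lag in scores if score >= 0.9 * peak)

def id_length(period, samples_per_bit):
    """Bits per period: 4096 / 32 = 128 for the real tag."""
    return period // samples_per_bit

def manchester_encode(bits, spb):
    """Constructed convention: 1 -> high then low, 0 -> low then high."""
    half = spb // 2
    out = []
    for b in bits:
        out += ([1.0] * half + [-1.0] * half) if b else ([-1.0] * half + [1.0] * half)
    return out

def halves(samples, start, spb):
    """Sums of the first and second half of the bit cell beginning at start."""
    half = spb // 2
    return sum(samples[start:start + half]), sum(samples[start + half:start + spb])

def align_offset(samples, spb, period):
    """Offset at which mid-bit transitions are sharpest over one period:
    Manchester guarantees a level change in the middle of every bit cell."""
    def sharpness(off):
        return sum(abs(a - b) for a, b in
                   (halves(samples, s, spb) for s in range(off, off + period, spb)))
    return max(range(spb), key=sharpness)

def manchester_decode(samples, spb, offset, period):
    """Decode one period of bit cells starting at the aligned offset."""
    return [1 if a > b else 0 for a, b in
            (halves(samples, s, spb) for s in range(offset, offset + period, spb))]

def canonical_rotation(bits):
    """The reader sees the looped ID only up to a cyclic shift, so compare
    IDs by their lexicographically smallest rotation."""
    return min(bits[i:] + bits[:i] for i in range(len(bits)))

def recover_id(trace, spb):
    """Pipeline: period -> bit alignment -> bits -> canonical form."""
    period = find_period(trace, len(trace) // 2)
    offset = align_offset(trace, spb, period)
    return period, canonical_rotation(manchester_decode(trace, spb, offset, period))

def build_capture(bits, spb, start, length, noise=0.1, seed=1):
    """Constructed capture: the tag's emission repeated, sliced from an
    arbitrary start sample (a capture has no designated first bit)."""
    random.seed(seed)
    trace = manchester_encode(bits, spb) * (length // (len(bits) * spb) + 2)
    return [x + random.gauss(0.0, noise) for x in trace[start:start + length]]

TAG_ID = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0]  # constructed 16-bit ID

if __name__ == "__main__":
    period, ident = recover_id(build_capture(TAG_ID, 8, start=37, length=400), 8)
    print(period, id_length(period, 8), ident == canonical_rotation(TAG_ID))
```

A reader that, as the paper notes, knows the ID only up to a cyclic shift has to canonicalise both the stored and the received bit string the same way before comparing them.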
The cause of the replay attack against the VeriChip is its design. In principle, if the VeriChip modified its emitted ID over time, it could prevent replay attacks or render them less effective; of course, this would require additional resources in the tag. A VeriChip that transmits a unidirectional signal cannot prevent replay attacks. On the other side, tags that execute bidirectional protocols, such as challenge-response algorithms, can defend against replay attacks effectively [5].

5.2 Existential cloning attack

The experimental results in [5] clearly show the threat of existential cloning. The IDs of the three VeriChips studied appear very likely to come from a small identifier space. Except for the first four digits ("1022" in decimal), which appear to be a fixed header value, all three decimal IDs are integers less than 50,000. It is therefore conceivable that VeriChips emerge from a production process that assigns sequential or otherwise non-random serial numbers to chips [5].

As mentioned previously, in those experiments there are 32 bits whose values vary among the over-the-air signals of the three tags. The educated guess of the experimenters is that 16 to 24 of these bits encode ID values, while the remaining 8 to 16 bits encode a checksum of some kind. If the checksum is not keyed, then it would be rather easy to perform existential forgery with some additional work. On the other side, if the checksum is keyed, for example if it depends on a secret key shared among VeriChip readers, then existential forgery would be more difficult [5]. In this case, an attacker would have to obtain the correct checksum for a given ID by one of the following steps [5]:
1) Extract the secret key from a reader by means of reverse engineering or tampering
2) Determine the secret key by means of cryptanalysis
or
3) Guess random checksums and test them against a valid reader or reader component

If an attacker applied an existential cloning attack, it would be a serious problem. We can imagine that once an attacker obtains one ID, then after observation he could probably guess other IDs used for the same purposes. In order to minimize the risks of existential forgery, the assignment of random VeriChip IDs over a large enough space would be an effective solution.
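To make concrete why the unidirectional, static identifier of section 5.1 cannot resist replay while the bidirectional challenge-response the authors of [5] recommend can, here is an added toy model in Python; it is not the VeriChip protocol or any VeriChip Corporation design. The HMAC-based reply, 16-byte IDs, 8-byte nonces and the enrolment table are assumptions of the model, and the identifiers are constructed.

```python
"""Static one-way ID versus challenge-response: a toy reader/tag model.
Added illustration, not a VeriChip protocol; key sizes are assumptions."""
import hashlib
import hmac
import secrets

class StaticTag:
    """Models a VeriChip-style tag: it ignores the reader and emits a fixed ID."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id

    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id  # the challenge plays no role in the reply

class ChallengeResponseTag:
    """Tag holding a per-tag secret; the reply binds the ID to the reader's nonce."""
    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id, self.key = tag_id, key

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self.key, self.tag_id + challenge, hashlib.sha256).digest()
        return self.tag_id + mac[:8]  # truncated MAC keeps the reply short

class Reader:
    """Reader with an enrolment table: tag_id -> key (None for static tags)."""
    def __init__(self, enrolled: dict):
        self.enrolled = enrolled

    def challenge(self) -> bytes:
        return secrets.token_bytes(8)  # fresh nonce for every read

    def accept(self, challenge: bytes, reply: bytes) -> bool:
        tag_id, mac = reply[:16], reply[16:]
        if tag_id not in self.enrolled:
            return False
        key = self.enrolled[tag_id]
        if key is None:
            return mac == b""  # static tag: the bare identifier is the only "proof"
        expected = hmac.new(key, tag_id + challenge, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(mac, expected)

def replay_is_accepted(tag, reader: Reader) -> bool:
    """Record one genuine exchange, then present the recorded reply verbatim
    to a later read that uses a fresh challenge."""
    recorded_reply = tag.respond(reader.challenge())
    later_challenge = reader.challenge()
    return reader.accept(later_challenge, recorded_reply)

def genuine_is_accepted(tag, reader: Reader) -> bool:
    """A live tag answering the reader's current challenge."""
    c = reader.challenge()
    return reader.accept(c, tag.respond(c))

# Constructed enrolment data (not real VeriChip identifiers or keys).
STATIC_ID = b"\x10\x22" + bytes(13) + b"\x2a"
CR_ID = b"\x10\x22" + bytes(13) + b"\x2b"
CR_KEY = bytes(range(32))
READER = Reader({STATIC_ID: None, CR_ID: CR_KEY})

if __name__ == "__main__":
    print("static tag, replayed reply accepted:",
          replay_is_accepted(StaticTag(STATIC_ID), READER))
    print("challenge-response tag, replayed reply accepted:",
          replay_is_accepted(ChallengeResponseTag(CR_ID, CR_KEY), READER))
```

The static tag's recorded reply is accepted forever, exactly the full-blown cloning the paper describes; the challenge-response reply is tied to a nonce the reader never reuses, so the recording is worthless on the next read, at the cost of a key and a MAC computation in the tag.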
6 Conclusions and further work

It is not hard to conclude that the VeriChip is only applicable for identification, not for authentication. Since the vulnerability of the VeriChip is quite obvious, as it cannot even withstand basic and simple cloning attacks, it is unadvisable and dangerous to apply the VeriChip in security systems such as payment systems and physical access systems. Attackers with few resources could easily clone a VeriChip, and then mount replay attacks and, in worse cases, existential cloning attacks.

We also discussed privacy and security concerns involved with the VeriChip. In order to reduce the privacy issues, a design for an implantable RFID tag is proposed in [5] under the name iChip. An iChip emits an identifier through a simple cryptographic scheme that helps protect privacy but at the same time expressly enables straightforward cloning [5]. We definitely believe the VeriChip will have broad applications in people's daily life in the future. In order to gain wider usage, it is necessary to add extra functionality to VeriChip tags, especially for security reasons; at the same time, more resources and memory will be needed too.

References

1. VeriChip Corporation web site. Referenced June 1, 2008 at
2. Rapid adoption of RFID in healthcare. Referenced June 3, 2008 at
3. Passive RFID tag. Referenced June 3, 2008 at Article.asp?ArtNum=47
4. Active RFID tag. Referenced June 3, 2008 at Article.asp?ArtNum=21
5. J. Halamka, A. Juels, A. Stubblefield, and J. Westhues. The Security Implications of VeriChip Cloning. Manuscript in submission, March 2006.
6. Radio Frequency Identification (RFID) vs Barcodes. Referenced June 3, 2008 at
7. VeriChip. Referenced June 1, 2008 at
8. J. Halamka. Straight from the shoulder. The New England Journal of Medicine, 353:331–333, 28 July 2005.
9. J. Westhues. Proxmarkii description, 2006. Referenced June 10, 2008 at
10. J. Westhues. Hacking the prox card. In S. Garfinkel and B. Rosenberg, editors, RFID: Applications, Security, and Privacy, pages 291–300. Addison-Wesley, 2005.
11. Autocorrelation. Referenced June 10, 2008 at
12. J. Westhues. Demo: Cloning a VeriChip, 2006. Referenced June 10, 2008 at
13. Access Control and Security System. Referenced June 11, 2008 at
14. J. Scheeres. Tracking junior with a microchip. Wired News, 10 October 2003. Referenced June 11, 2008 at ,1282,60771,00.html
15. VeriPay. Referenced June 11, 2008 at News.asp?NewsNum=20