Cloning a Verichip and Other RFID Fun

Dale Thompson from the University of Arkansas spoke about RFIDs (surprisingly, many of the talks are tutorial in nature, which I hadn't suspected would be the case). He mentioned Verichip, which is an RFID device the size of a grain of rice that is certified for implanting in humans.

I had heard of Verichip, but was curious. The obvious question, of course, is how secure such a device is. The answer appears to be "not very." Jonathan Westhues has a detailed Web site describing how to clone the data on the chip. He also has an easy do-it-yourself version for the curious.

Annalee Newitz wrote an article last May in Wired Magazine about RFID hacking. The article starts with a story about someone who steals RFID data for real:

James Van Bokkelen is about to be robbed. A wealthy software entrepreneur, Van Bokkelen will be the latest victim of some punk with a laptop. But this won't be an email scam or bank account hack. A skinny 23-year-old named Jonathan Westhues plans to use a cheap, homemade USB device to swipe the office key out of Van Bokkelen's back pocket.

"I just need to bump into James and get my hand within a few inches of him," Westhues says. We're shivering in the early spring air outside the offices of Sandstorm, the Internet security company Van Bokkelen runs north of Boston. As Van Bokkelen approaches from the parking lot, Westhues brushes past him. A coil of copper wire flashes briefly in Westhues' palm, then disappears.

Van Bokkelen enters the building, and Westhues returns to me. "Let's see if I've got his keys," he says, meaning the signal from Van Bokkelen's smartcard badge. The card contains an RFID sensor chip, which emits a short burst of radio waves when activated by the reader next to Sandstorm's door. If the signal translates into an authorized ID number, the door unlocks.

The coil in Westhues' hand is the antenna for the wallet-sized device he calls a cloner, which is currently shoved up his sleeve. The cloner can elicit, record, and mimic signals from smartcard RFID chips. Westhues takes out the device and, using a USB cable, connects it to his laptop and downloads the data from Van Bokkelen's card for processing. Then, satisfied that he has retrieved the code, Westhues switches the cloner from Record mode to Emit. We head to the locked door.

"Want me to let you in?" Westhues asks. I nod.

He waves the cloner's antenna in front of a black box attached to the wall. The single red LED blinks green. The lock clicks. We walk in and find Van Bokkelen waiting.

"See? I just broke into your office!" Westhues says gleefully. "It's so simple." Van Bokkelen, who arranged the robbery "just to see how it works," stares at the antenna in Westhues' hand. He knows that Westhues could have performed his wireless pickpocket maneuver and then returned with the cloner after hours. Westhues could have walked off with tens of thousands of dollars' worth of computer equipment - and possibly source code worth even more. Van Bokkelen mutters, "I always thought this might be a lousy security system."
From Wired 14.05: The RFID Hacking Underground
Referenced Wed Feb 21 2007 10:35:56 GMT-0600

Dale mentioned RFDUMP, a tool for detecting RFID tags and showing their metadata. Lukas Grunwald, RFDUMP's creator, says it's not hacking. Bruce Schneier, quoted in a ComputerWorld article, agrees:

"[Grunwald] is doing what RFID is supposed to do," said security author and Counterpane Internet Security Inc. Chief Technology Officer Bruce Schneier. "This is serious. He didn't hack anything. RFID technology originally was designed to be completely open; that's its problem. He went to the spec, read it and followed it. If you query the chip, you will get this info. If there were security countermeasures on the chip that were thwarted, then we could talk about hacking."
From Securing RFID information
Referenced Wed Feb 21 2007 10:41:15 GMT-0600
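The Wired story and Schneier's quote are making the same point: a badge that answers every query with the same number is "completely open," so recording one answer and playing it back is all it takes. As an added illustration (not code from this post, from Westhues, or from any real badge product), here is a small Python model of a static-ID badge beside a badge with the kind of countermeasure Schneier alludes to; the challenge-response design with an HMAC, the badge number and the key are all assumptions constructed for the example.

```python
import hashlib, hmac, secrets

BADGE_ID = 0x2A7F31  # constructed sample value, not from any real system
BADGE_KEY = b"constructed-demo-key"  # constructed; held by badge and door

class StaticIdBadge:
    """Badge as in the Wired excerpt: answers every query with its fixed ID."""
    def respond(self, challenge):
        return BADGE_ID  # challenge ignored; the same answer every time

def static_door_accepts(response):
    """Door that unlocks whenever the number it hears is on its list."""
    return response in {BADGE_ID}

class ChallengeResponseBadge:
    """Badge with a countermeasure: proves it holds a secret key via HMAC."""
    def respond(self, challenge):
        return BADGE_ID, hmac.new(BADGE_KEY, challenge, hashlib.sha256).digest()

class ChallengeResponseDoor:
    """Controller that issues a fresh nonce per query and checks the HMAC."""
    def __init__(self):
        self.keys = {BADGE_ID: BADGE_KEY}  # badge_id -> key, held by the door
    def new_challenge(self):
        return secrets.token_bytes(16)

    def accepts(self, challenge, response):
        badge_id, tag = response
        key = self.keys.get(badge_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

def replay_against_static_door():
    """Record one answer from the badge, play it back later: the door opens."""
    recorded = StaticIdBadge().respond(None)
    return static_door_accepts(recorded)

def replay_against_challenge_response_door():
    """The same record-and-replay against a challenge-response door: rejected."""
    door, badge = ChallengeResponseDoor(), ChallengeResponseBadge()
    recorded = badge.respond(door.new_challenge())  # answer bound to an old nonce
    return door.accepts(door.new_challenge(), recorded)

def live_badge_at_challenge_response_door():  # genuine badge, current nonce
    door, badge = ChallengeResponseDoor(), ChallengeResponseBadge()
    challenge = door.new_challenge()
    return door.accepts(challenge, badge.respond(challenge))
```

The replay is rejected at the second door not because the ID is secret (it is sent in the clear in both designs) but because the recorded answer is tied to a nonce the door will never issue again.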

Tracking packages: no problem. BYU has used RFID devices for access to the parking lots for several years now, and there aren't too many security issues there either. Repurposing the same open technology to control access to anything more sensitive than a parking lot doesn't seem like too smart an idea at this point. Let's not even get started on passports...