Security Watch | Matt Hines » Human implant RFID gets owned

March 25, 2007 | Comments: (0)

Human implant RFID gets owned

TAGS: Security

Radio frequency identification tags have taken another hit from the security community and Adam Laurie -- an independent security researcher based in the U.K. -- can claim another first.

After setting off a torrent of worldwide media coverage by hacking the U.K.'s new RFID-enabled passports in a project sponsored by and first detailed by the Daily Mail newspaper earlier his month, Laurie used his presentation at the ongoing ShmooCon confab to show off techniques for hacking other RFID tags -- including one implanted inside a live human being.

After cracking the codes for a common RFID identification card and an RFID tag that would be found inside livestock, Laurie called up a volunteer from the audience who had a chip injected under their skin -- and who used the device among other things to unlock his laptop PC.

After a few minutes of wrangling with his RFID cloning device -- the same type of homemade utensil that researchers were planning to show off at the Black Hat DC conference earlier this month before ID card maker HID sufficiently intimidated researchers from IOActive against demonstrating their cloning reader -- Laurie opened the chip-wearing individual's laptop (and displayed his internal pass key to the entire audience, he better hope he can reset it).

In addition to proving further just how easily RFID tags can be hacked, Laurie effectively illustrated evidence of the type of dangers privacy advocates have cited in battling efforts to plant chips in humans (such as in the case of a Calif. School district that wanted to pin RFIDs on all its students).

If someone can hack the data on such chips, he said, it's logical to believe that someone wearing one could be tracked using the same information.

And, as evidenced by his ability to read information from the U.K. passports while the documents were still sealed in their envelopes, it is already possible to gather enough information to clone individual RFID codes without gaining physical access to the chips themselves.

Interestingly, an employee of HID attended the presentation and identified themselves publicly when Laurie asked if anyone from the vendor was present. Laurie did not indicate if the ID card he hacked was made by the vendor, but that had been the plan of IOActive researcher Chris Paget before he scaled back the Black Hat demonstration (see video of the IOActive-HID hack here)

Something tells me that the sound you're hearing is the nascent market for human implantable RFID chips grinding to a halt.

Posted by Matt Hines on March 25, 2007 09:23 AM

RATE THIS ARTICLE: