Friday, February 09, 2007
Dr. Ari Juels speaks explains why RFIDs may be good for identification but not authentication purposes.
Several years ago, I gave a talk at a local university on biometric authentication--the security applications of fingerprint recognition, iris scanning, and so forth. A faculty member approached me afterward to ask why I was bothering. After all, wouldn't we all be surgically implanted with digital authentication devices in the not-too-distant future?
I laughed at the idea of "prosthetic biometrics." Gently, I hope. Today a company called VeriChip conducted an initial public offering. VeriChip sells small, encapsulated microchips (RFID tags) that transmit unique serial numbers over short distances via radio—surgically implantable authentication devices, in fact.
Dogs and cats have been regularly implanted with RFID tags for years. That beta test, if you will, has been has largely successful: Many shelters are equipped to scan RFID tags in animals lacking other identification, and many pets and owners owe their happy reunification to the devices. Medical technologies, however, are like pharmaceuticals: They do not always translate well from one species to another. While VeriChip-like RFID may be purely beneficial for animals, the ramifications of implanting wireless dog tags in human beings are much broader.
VeriChip Corporation proposes the identification of "John Doe" patients as one application for its technology. The VeriChips of disoriented or unconscious patients lacking identifying documents may enable hospitals to glean life-critical information. That application has indisputable value.
Another emerging application of the VeriChip, however, is authentication—physical access control, in particular. The Attorney General of Mexico and his staff, for instance, underwent implantation of VeriChips as a means of access to a secure facility. The media have reported a few other small-scale but lurid deployments of VeriChips as subdermal building-access cards. On its Web site, VeriChip Corporation today touts the use of its technology for "access control" and "tracking of visitors."
At first blush, VeriChips may seem like excellent security devices. Unlike badges, they cannot be lost; and they create a new form of automated digital security. But what kind of digital security mechanisms do VeriChips incorporate? What kind of cryptographic functionality, for instance?
The answer appears to be none. Some colleagues and I recently published a paper in the Journal of the American Medical Informatics Association (JAMIA) determining that, in all probability, VeriChips are effectively no more than wireless barcodes. Just as barcodes can be photocopied, a VeriChip can be scanned by an attacker (in close proximity) with an inexpensive device that can replay the signal and spoof VeriChip readers. (Jonathan Westhues has performed experiments demonstrating this attack.)
The JAMIA paper concluded that ultimately--and paradoxically--vulnerability to cloning is probably good for VeriChip bearers. If VeriChips provided strong security, then they would be a high-value target for thieves or other malefactors. Having a building access card or ATM card stolen is a nuisance. The theft of a VeriChip would be a grisly affair. (Conventional biometrics, like fingerprints, can introduce similar problems, but biometric scanners can in principle check for "liveness.") We can only hope that the vulnerability of VeriChips to cloning will remove the temptation to deploy VeriChips as security devices--or at least allow attackers to clone VeriChips, rather than part them from their owners.
VeriChip Corporation responded to the cloning risk highlighted in the JAMIA paper with the comment that, "[The VeriChip] is meant to enhance current [security] measures rather than to replace them... experts always recommend having at least two means of identification to enter secured locations." For the same reason, parachutists carry two parachutes. But if one parachute has a serious, known defect, you're ill-advised to jump.
The VeriChip is perhaps most significant as a harbinger of mounting convergence between medical implants and digital security. In implants we cannot afford the often sloppy security that bedevils mainstream computing devices. When you learn that an attacker has broken into your PC or online bank account, your heart may skip a beat. If someone maliciously reprograms your pacemaker, you may have little time to indulge in regrets.