backtop


Print 19 comment(s) - last by mindless1.. on Sep 10 at 4:27 PM


Verayo claims its new chips are hack-proof. This claim has been questioned. Verayo's chips are active RFID and thus differ from the more hackable passive RFID.  (Source: Verayo)
A new "electronic DNA" approach claims to safeguard RFID -- but can it work as well as it claims?

RFID chips were one of the hottest emerging technologies of 2007 and 2008.  Top retailer Wal-Mart started using them in its shipping and people even began to implant themselves with RFID chips, despite cancer concerns.  The idea of instant identification seemed wonderful as it could make everything from work security to identifying a package much easier. 

However, hackers reprogrammed chips to gain access to RFID-controlled subways using techniques such as "cloning" -- swiping info from a legitimate chip and copying it to another.  MythBusters even jumped into the fray and said they were going to do an episode on how hackable the format was -- until they were advised that was an unwise legal move and recanted on their previous assertions.

Now amid the newfound concerns about RFID, a Palo Alto, Ca. startup is claiming to have an unbreakable RFID protection scheme.  Verayo Inc. is a newcomer to the business, only being in existence since 2005.  It was founded based on the research work of MIT Prof. Srini Devadas and his team.  Former Microsoft employee Tom Ziola cofounded the company.

The new allegedly "unhackable" chips use active RFID, slightly different from passive RFID.  As these chips require power, their applications might be slightly more limited and they would likely be more expensive.  The active chips use so-called "electronic DNA".  The key to their behavior is the technology Physical Unclonable Functions (PUF), developed at MIT.

Details on PUF can be found in an IEEE journal paper here (PDF).  Basically PUF takes inputs -- challenges -- and subjects them to unique logic to determine an output signal.  The input/output challenge and response pair is then compared over the internet against a database of pairs for valid chips.  The makers claim the new tech to be impervious as even if hackers stole an input/output pair, the information would be useless as the next time the chip would be prompted with a different question.

While the approach certainly seems more secure than traditional passive RFID, it might be premature to call it unbreakable.  As Gizmodo points out, one vulnerability is if the database was compromised and someone stole all the 64-bit challenge-response pairs.  Another relatively obvious possibility is that if the algorithms or production methods to manufacture the hardware and imprint any unique software were leaked, these could be used to build fake chips, which could likely process challenges and give the correct responses.

Nonetheless, despite the questionable nature of its claims, Verayo is making a splash in the RFID industry.  According to the company's online profile it has multiple contracts and a "deep" relationship with the U.S. Department of Defense, which is funding the development of the tech.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

Haha
By mdogs444 on 9/9/2008 9:04:42 AM , Rating: 2
quote:
Top retailer Walmart started using them in its shipping and people even began to implant themselves with RFID chips,


Sucks to be the people who have implanted themselves with hackable RFID chips. Talk about making yourself accessible from anywhere.




RE: Haha
By Mitch101 on 9/9/2008 9:21:50 AM , Rating: 2
Sucks for me to be you and you to be me.


RE: Haha
By diazsraul on 9/9/2008 9:24:29 AM , Rating: 3
We’ve already been tracked for years. Just leave your cell phone on and big brother knows where you are.


RE: Haha
By FITCamaro on 9/9/2008 9:37:48 AM , Rating: 1
Personally I don't care. It's not like that technology is only useful to the government if they were trying to track you. It's useful for emergency services as well. And for police tracking a criminal.


RE: Haha
By mdogs444 on 9/9/2008 9:38:05 AM , Rating: 2
They track the phone, not the person. No way to know for sure who exactly is carrying it.

But its more for emergency purposes in case you call 911 and don't know where you are, they can use triangulation.


RE: Haha
By Misty Dingos on 9/9/2008 9:38:28 AM , Rating: 5
I am not sure what advantage it would be to anyone to have one of these things shoved into their hides.

No I am not thumping bibles here. But the arguments I hear for it are all about some vaunted convenience for these people.

"You will be more secure." Why because I have some gadget stuck under my hide? There has never been any computer technology that hasn't circumvented or bypassed.

"You will be more identifiable." Widespread use of these things will destroy the dating scene. And no I don’t think the government is out to get me. And honestly I think I am “identifiable” enough as it is.

“It will help us identify murder victims.” I love this one. Most murder victims are easily identified. The few that are not are often the victims of someone that thought about killing them and took some pains to that effort. How much more work is it to remove the RFID?

"You can link it to your bank account and never have to carry a credit card or cash again." You know what all the women in the world I have ever met will tell you that even if you stuff one of these things under their skin it will not reduce the weight of their purses on ounce or gram. And you will still be a target for violence. All it will take is to remove your RFID and use it themselves. Criminals are not nice people and they won’t care if it hurts you.

The only thing I see happening with the use of human implantable RFIDs is removal services.


RE: Haha
By Seemonkeyscanfly on 9/9/2008 6:53:59 PM , Rating: 2
power it by the human body. Therefor if it is removed from the body, it will run one last command...Delete everything. Then fry itself, making it useless to the criminal.


RE: Haha
By Etsp on 9/9/2008 9:01:11 PM , Rating: 2
No, leave the name of the person in tact, but delete everything else, and flag it so that it cannot be used to identify anyone for any other reason than criminal investigation. That would cause it to lose all value to the hacker, without destroying evidence.


oh dear
By spuddyt on 9/9/2008 10:39:02 AM , Rating: 3
this is going to be as unhackable as the titanic was unsinkable....




RE: oh dear
By Mitch101 on 9/9/2008 12:10:32 PM , Rating: 2
You can always tell when school starts around the world.

They makes these un-hackable announcements around that time. Remember Blu-Ray unhackable comments?

This way its fairly safe until school lets out and some 14 year old Russian kid with nothing to do breaks it over a weekend.


RE: oh dear
By Solandri on 9/9/2008 5:09:00 PM , Rating: 2
This is very different from blu-ray/DVD where you're encrypting all the data with a key, and all you need to decrypt it is to get the ky. Here you're not encrypting the data (the ID) at all. The unclonable part is acting like a one-time pad for challenge-response pairs. Essentially it's like the scanner queries a random area of this one-time pad (challenge), the RFID tells what's written in that random area (response), and the scanner verifies the result against an identical one-time pad stored on a server somewhere.

Since each scan can query a different area of the pad, the only way to clone it is to copy the entire thing. And the only way to realistically do that is to open it up to copy it directly, and even then it'd be difficult if not impossible to make an equivalent-sized RFID with the same one-time pad). The weaker link would indeed appear to be the server and the connection to it, not the clonability of the RFID.


then compared over the internet
By tastyratz on 9/9/2008 10:15:15 AM , Rating: 2
quote:
then compared over the internet

There you go. It might as well be considered hacked before it hits the ground.

At least calling it uncloneable will challenge the hackers to crack it sooner though




RE: then compared over the internet
By piroroadkill on 9/9/2008 10:17:59 AM , Rating: 1
No doubt. What's to stop you from setting up a fake network/local dns server with the correct entries, intercepting the traffic, and replying to the RFID chip "sure, shit yeah, let this guy in", regardless of the information sent


By GaryJohnson on 9/9/2008 2:13:16 PM , Rating: 2
You'd have to know what the correct entries are.


Usefullness?
By HighWing on 9/9/2008 12:40:09 PM , Rating: 2
quote:
The new allegedly "unhackable" chips use active RFID, slightly different from passive RFID. As these chips require power,


Now maybe I'm way ofbase here, but I could swear that one of the major selling points of using RFID was that fact that the chips did "not" need power? Thus they could be put into things like passports and such. So while maybe making them "unhackable" by requiring a battery may seem like good idea. I fail to see how that would make this form of RFID any different then any other type of remote authentication device that requires a battery?

quote:
their applications might be slightly more limited
which to me seems to make this an upgrade that completly takes away the whole selling point of the device in the first place.




RE: Usefullness?
By foolsgambit11 on 9/10/2008 2:40:50 PM , Rating: 2
That's exactly what I was thinking. Unless they come up with a micro-renewable power source. Then it could charge itself. But I doubt it.


What about snooping?
By foolsgambit11 on 9/10/2008 3:00:55 PM , Rating: 2
Wouldn't it be sufficient to query an RFID 2^64 times, with each possible query, and essentially 'map' the response appropriate to that RFID, then clone the valid responses? You might not be able to fit it on an RFID yourself, but I think this would work with any single RFID. There's just that thing where you'd have to query 18 quintillion responses, or nearly 600 billion responses per second for an entire year. If you have a year with an RFID, though, I guess you probably don't need to clone it. Plus, I doubt the response time is in the range of a picosecond.

But wait.... their site says this process relies on manufacturing variances, and as such, the responses can't be predicted in advance. So they'd have to query the chip themselves 2^64 times to get the full response list. So it must be able to be done relatively quickly, or there may be shortcuts they use that can be exploited, limiting the unique challenge/response list. Not to mention the ridiculous database they'd have to maintain.

This just doesn't seem to me like a technology that could be implemented cheaply, which was one of the advantages of passive RFIDs (along with not needing a power source).




Brilliant
By mindless1 on 9/10/2008 4:27:21 PM , Rating: 2
Let's base the whole thing on having to send data over the internet so any hacker can completely shut down operations with an external attack.




Premptive strike!
By icanhascpu on 9/9/2008 1:27:43 PM , Rating: 1
I'm waiting for X tech has been hacked story to come out before the story about new and great X tech.

When will they learn? The only thing this shit is advanceing is the annoyance of paying customers.




"A lot of people pay zero for the cellphone ... That's what it's worth." -- Apple Chief Operating Officer Timothy Cook














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki