RFID chips were one of the hottest emerging technologies of 2007 and 2008. Top retailer Wal-Mart started using them in its shipping and people even began to implant themselves with RFID chips, despite cancer concerns. The idea of instant identification seemed wonderful as it could make everything from work security to identifying a package much easier.
However, hackers reprogrammed chips to gain access to RFID-controlled subways using techniques such as "cloning" -- swiping info from a legitimate chip and copying it to another. MythBusters even jumped into the fray and said they were going to do an episode on how hackable the format was -- until they were advised that was an unwise legal move and recanted on their previous assertions.
Now amid the newfound concerns about RFID, a Palo Alto, Ca. startup is claiming to have an unbreakable RFID protection scheme. Verayo Inc. is a newcomer to the business, only being in existence since 2005. It was founded based on the research work of MIT Prof. Srini Devadas and his team. Former Microsoft employee Tom Ziola cofounded the company.
The new allegedly "unhackable" chips use active RFID, slightly different from passive RFID. As these chips require power, their applications might be slightly more limited and they would likely be more expensive. The active chips use so-called "electronic DNA". The key to their behavior is the technology Physical Unclonable Functions (PUF), developed at MIT.
Details on PUF can be found in an IEEE journal paper here (PDF). Basically PUF takes inputs -- challenges -- and subjects them to unique logic to determine an output signal. The input/output challenge and response pair is then compared over the internet against a database of pairs for valid chips. The makers claim the new tech to be impervious as even if hackers stole an input/output pair, the information would be useless as the next time the chip would be prompted with a different question.
While the approach certainly seems more secure than traditional passive RFID, it might be premature to call it unbreakable. As Gizmodo points out, one vulnerability is if the database was compromised and someone stole all the 64-bit challenge-response pairs. Another relatively obvious possibility is that if the algorithms or production methods to manufacture the hardware and imprint any unique software were leaked, these could be used to build fake chips, which could likely process challenges and give the correct responses.
Nonetheless, despite the questionable nature of its claims, Verayo is making a splash in the RFID industry. According to the company's online profile it has multiple contracts and a "deep" relationship with the U.S. Department of Defense, which is funding the development of the tech.