

Verayo claims its new chips are hack-proof. This claim has been questioned. Verayo's chips are active RFID and thus differ from the more hackable passive RFID.  (Source: Verayo)
A new "electronic DNA" approach claims to safeguard RFID -- but can it work as well as it claims?

RFID chips were one of the hottest emerging technologies of 2007 and 2008.  Top retailer Wal-Mart started using them in its shipping and people even began to implant themselves with RFID chips, despite cancer concerns.  The idea of instant identification seemed wonderful as it could make everything from work security to identifying a package much easier. 

However, hackers reprogrammed chips to gain access to RFID-controlled subways using techniques such as "cloning" -- swiping info from a legitimate chip and copying it to another.  MythBusters even jumped into the fray and said they were going to do an episode on how hackable the format was -- until they were advised that was an unwise legal move and recanted on their previous assertions.

Now, amid the newfound concerns about RFID, a Palo Alto, Calif. startup is claiming to have an unbreakable RFID protection scheme.  Verayo Inc. is a newcomer to the business, having existed only since 2005.  It was founded on the research of MIT Prof. Srini Devadas and his team.  Former Microsoft employee Tom Ziola cofounded the company.

The new, allegedly "unhackable" chips use active RFID, which differs slightly from passive RFID.  As these chips require power, their applications might be slightly more limited and they would likely be more expensive.  The active chips use so-called "electronic DNA".  The technology behind them is Physical Unclonable Functions (PUF), developed at MIT.

Details on PUF can be found in an IEEE journal paper here (PDF).  Basically, PUF takes inputs -- challenges -- and subjects them to logic unique to each chip to determine an output signal.  The resulting challenge-response pair is then compared over the internet against a database of pairs for valid chips.  The makers claim the new tech is impervious: even if hackers stole an input/output pair, the information would be useless, because the next time the chip would be prompted with a different challenge.

While the approach certainly seems more secure than traditional passive RFID, it might be premature to call it unbreakable.  As Gizmodo points out, one vulnerability is if the database was compromised and someone stole all the 64-bit challenge-response pairs.  Another relatively obvious possibility is that if the algorithms or production methods used to manufacture the hardware and imprint any unique software were leaked, they could be used to build fake chips, which could likely process challenges and give the correct responses.
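The challenge-response scheme and the database weakness described above can be modeled in a few lines. This is an added example, not Verayo's code: the PUF is simulated with a keyed hash over a random per-device secret, responses are assumed noise-free, and all class, function and tag names are hypothetical.

```python
import hashlib
import hmac
import secrets


class SimulatedPUF:
    """Stand-in for a chip: a random per-device secret models silicon variation."""

    def __init__(self):
        self._variation = secrets.token_bytes(32)

    def respond(self, challenge: bytes) -> bytes:
        # 64-bit response, matching the pair size mentioned in the article.
        return hmac.new(self._variation, challenge, hashlib.sha256).digest()[:8]


class Verifier:
    """Server side: stores enrolled pairs and retires each challenge after one use."""

    def __init__(self):
        self._unused = {}  # chip_id -> list of (challenge, response)

    def enroll(self, chip_id, puf, count=4):
        challenges = [secrets.token_bytes(8) for _ in range(count)]
        self._unused[chip_id] = [(c, puf.respond(c)) for c in challenges]

    def next_challenge(self, chip_id):
        pairs = self._unused.get(chip_id)
        return pairs[-1][0] if pairs else None  # None: re-enrollment needed

    def verify(self, chip_id, response):
        pairs = self._unused.get(chip_id)
        if not pairs:
            return False
        _, expected = pairs.pop()  # retired whether or not the check passes
        return hmac.compare_digest(expected, response)


def demo():
    chip, server = SimulatedPUF(), Verifier()
    server.enroll("tag-1", chip)  # "tag-1" is a constructed sample ID
    c1 = server.next_challenge("tag-1")
    r1 = chip.respond(c1)                      # an eavesdropper records (c1, r1)
    genuine = server.verify("tag-1", r1)
    server.next_challenge("tag-1")             # a fresh challenge is issued
    replayed = server.verify("tag-1", r1)      # old response, new challenge
    table = dict(server._unused["tag-1"])      # what a database theft would expose
    c3 = server.next_challenge("tag-1")
    from_table = server.verify("tag-1", table[c3])  # no chip involved
    return genuine, replayed, from_table, len(server._unused["tag-1"])


if __name__ == "__main__":
    print(demo())
```

The replayed response is rejected, while a response read straight from the stored table is accepted, which is why the pair database needs the same protection as any credential store. The remaining-pair count also shows that the enrolled pool is finite and must be replenished.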

Nonetheless, despite the questionable nature of its claims, Verayo is making a splash in the RFID industry.  According to the company's online profile it has multiple contracts and a "deep" relationship with the U.S. Department of Defense, which is funding the development of the tech.



Comments

oh dear
By spuddyt on 9/9/2008 10:39:02 AM , Rating: 3
this is going to be as unhackable as the titanic was unsinkable....




RE: oh dear
By Mitch101 on 9/9/2008 12:10:32 PM , Rating: 2
You can always tell when school starts around the world.

They make these un-hackable announcements around that time. Remember Blu-Ray unhackable comments?

This way it's fairly safe until school lets out and some 14 year old Russian kid with nothing to do breaks it over a weekend.


RE: oh dear
By Solandri on 9/9/2008 5:09:00 PM , Rating: 2
This is very different from blu-ray/DVD where you're encrypting all the data with a key, and all you need to decrypt it is to get the key. Here you're not encrypting the data (the ID) at all. The unclonable part is acting like a one-time pad for challenge-response pairs. Essentially it's like the scanner queries a random area of this one-time pad (challenge), the RFID tells what's written in that random area (response), and the scanner verifies the result against an identical one-time pad stored on a server somewhere.

Since each scan can query a different area of the pad, the only way to clone it is to copy the entire thing. And the only way to realistically do that is to open it up to copy it directly (and even then it'd be difficult if not impossible to make an equivalent-sized RFID with the same one-time pad). The weaker link would indeed appear to be the server and the connection to it, not the clonability of the RFID.
















Copyright 2014 DailyTech LLC.