$this->articleCE->primaryUrlById(3582971) = /security/article.php/3582971/The+New+Chiperati.htm
The New Chip-erati - InternetNews.
RealTime IT News

The New Chip-erati

Artists and hackers have begun implanting RFID chips under their skin. It's a cool way to play with technology. Will it lead to a system of universal implanted ID?

Facial piercings and full-body tattoos used to be signifiers for those who saw themselves as social outlaws. Now, bank tellers and high school kids have pierced lips and inked skin. Today a few cutting-edge nerds sport chips under their skin, a melding of technological experimentation and body modification. Will the mainstream follow them?

Annalee Newitz got "chipped" as research for an article she's writing for "Wired" magazine about RFID security. And Jonathan Westhues hacked and copied its code.

Newitz had an RFID tag made by VeriChip implanted under her skin. The chip emits a unique string of numbers when it comes near an RFID reader. RFID chips are used in industry to track pallets and cases of goods, as well as for opening security gates and doors.

Westhues was able to read and copy her chip in around two hours, using a simple reader about the size of an MP3 player, with an antenna about five inches long. Once Westhues cloned the chip, he'd be able to use it for anything Newitz used it for. If she were using the chip to unlock her front door -- or the door to the biohazard lab -- Westhues, if he was a bad guy instead of a hardware and software designer, would be able to do some damage.

Westhues' quick cloning of Newitz's chip gives the lie to sunny views of RFID security.

"What I wanted to do was show that while VeriChip claims that their chips can't be counterfeited, indeed they can be counterfeited as easily as any other chip, particularly ones that have no security at all, which this one doesn't," she said.

The RFID industry points out that the random digits emitted by RFID tags are meaningless unless they're matched to information stored in the encrypted database that's part of industrial systems.

But Liz McIntyre, an anti-RFID activist believes that VeriChip is only an initial step toward universal chipping. In "Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID," McIntyre and co-author Katherine Albrecht lay out a scenario in which RFID information from retail systems could be merged with that from identification systems including electronic passports to create a very complete picture of a citizen's habits.

The Department of Homeland Security began a live test of e-passports at San Francisco International Airport on January 15. There were two earlier tests, at Los Angeles International Airport and Sydney Airport.

The Electronic Privacy Information Clearinghouse recommended a ban on chipping people, and, along with the American Civil Liberties Union and other consumer advocacy groups, has urged the U.S. government to halt the development of passports with RFID chips.

But industry is moving faster along a parallel track.

In October 2004, VeriChip got clearance from the FDA for implanting its chip in human beings. VeriChip is a subsidiary of Applied Digital . It registered for an initial public offering in December 2005.

Applied Digital spokesman John Proctor said that VeriChip is focusing on medical applications. Some 68 hospitals in the United States have signed onto the VeriMed service, which combines chips, readers and a database. Most still are developing emergency room protocols in which staff scan for chips, but Hackensack University Hospital has the system up and running.

In the VeriMed system, if someone cloned a chip in order to access that individual's medical history, he'd have to get access to the emergency room scanner and be supplied with a password for the system.

"There are similar security measures to those of online banking," Proctor said.

But slamming down the Chivas at Baja Beach Club on somebody else's tab would be a snap.

"[Westhues] had to actually touch my arm in order to do the read," Newitz said. "But the company mandates that the chips will be implanted in exactly the same place, on the back of your right upper arm. Anyone who knows that can easily bump into you in an elevator and get the read. It's as easy as picking someone's pocket: It requires the same amount of proximity for the same amount of time."

Proctor said there are approximately 2,000 people worldwide with implanted VeriChips; in the United States, 68 people have VeriMed chips. In February, internetnews.com interviewed Joseph Krull, a security executive with Virtual Corporation who let VeriChip tag him as a demonstration.

Other high-profile human implants include the attorney general of Mexico Rafael Macedo de la Concha (along with 16 Mexican security officials), and John Halamka, the CIO of Harvard Medical School.

That leaves a lot of people buying mojitos by waving their arms near an RFID reader.

Some experts think there may be an RFID privacy gap developing, as market penetration moves faster than policy.

Newitz said that people in the technology underground have begun implanting themselves in order to appropriate the technology.

" This is one way people can say, 'No you're not going to do this to me, I'll do it for myself and figure out what it does and seize more control over it.'"

While do-it-yourself chippers would probably be the last ones to submit to government-mandated implantation, McIntyre said, they act as a sort of cadre of cool.

"What they're doing is moving that [government] agenda forward in a way," she said. "They're removing the mental barrier of having something foreign implanted in your body that's emitting a unique number. It has this cool factor, especially since they're being installed in tattoo parlors."

Today, a hip chip. Tomorrow, the Mark of the Beast?