Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror

RFID Injection Required for Datacenter Access 551

Posted by Zonk
from the one-way-to-make-sure-we're-working dept.
user24 writes "Security focus reports that RFID injections are now required for access to the datacenter of a Cincinnati company. From the article 'In the past, employees accessed the room with an RFID tag which hung from their keychains, however under the new regulations an implantable, glass encapsulated RFID tag from VeriChip must be injected into the bicep to gain access ... although the company does not require the microchips be implanted to maintain employment.'"
This discussion has been archived. No new comments can be posted.

RFID Injection Required for Datacenter Access

Comments Filter:
  • From TFA (Score:1, Informative)

    by daverabbitz (468967) on Saturday February 11, 2006 @10:32PM (#14697784) Homepage
    ompany requires RFID injection
    Published: 2006-02-10

    Click here for Core Impact!
    Two employees have been injected with RFID chips this week as part of a new requirement to access their company's datacenter.

    Cincinnati based surveillance company CityWatcher.com created the policy with the hopes of increasing security in the datacenter where video surveillance tapes are stored. In the past, employees accessed the room with an RFID tag which hung from their keychains, however under the new regulations an implantable, glass encapsulated RFID tag from VeriChip must be injected into the bicep to gain access, a release from spychips.com said on Thursday.

    Although the company does not require the microchips be implanted to maintain employment, anyone without one will not be able to access the datacenter, according to a Register article.

    Ironically, the extra security sought may be offset by a recent discovery of Jonathan Westhues, where the security researcher showed the VeriChip can be skimmed and cloned, duplicating an implant's authentication. When contacted, those at CityWatcher were unaware of the chip's security issue, according to the spychips.com release.

    Posted by: Peter Laborge

    BTW fp.
  • by Saeed al-Sahaf (665390) on Saturday February 11, 2006 @10:40PM (#14697831) Homepage
    Shouldn't be legal to require this...

    The story reads that it's not required to maintain employment. But, then again, most jobs in the US are "at will" anyway...

  • by WasteOfAmmo (526018) on Saturday February 11, 2006 @11:02PM (#14697953) Journal
    Not that I'm typically very religious or anything but:

    It seems to me that it would be a little hard to claim that this, or a good many of the other things that people have pointed too, constitutes the mark of the beast.

    1. It is in the bicep region, not the forehead or right hand;
    2. It is not a name nor the number 666
    From the book of revelations:

    13:16 He causes all, the small and the great, the rich and the poor, and the free and the slave, to be given marks on their right hands, or on their foreheads;

    13:17 and that no one would be able to buy or to sell, unless he has that mark, the name of the beast or the number of his name.

    I'm not sure what edition the above is from but it is plain English and close enough for this discussion.

    13:18 Here is wisdom. He who has understanding, let him calculate the number of the beast, for it is the number of a man. His number is six hundred sixty-six.

    On a side note: always wondered about making a program to compute all the possible combinations of the Jewish alphabet that adds up to 666 (filtering out all the nonsense ones of course). Someone must have done this somewhere already.

    Merlin.

  • by CrazyDuke (529195) on Saturday February 11, 2006 @11:23PM (#14698061)
    This is why unemployment laws allow people to quit and still claim unemployment if the conditions of their employment change, instead of if they just get layed off. Because, then no one would be laid off. The company would just make people they don't want anymore, for example, work for minimum wage cleaning toilets for 5 hours a week, 3 am to 4 am, with no benefits.
  • by phauxfinnish (698087) on Sunday February 12, 2006 @12:47AM (#14698394)
    On a side note: always wondered about making a program to compute all the possible combinations of the Jewish alphabet that adds up to 666 (filtering out all the nonsense ones of course). Someone must have done this somewhere already.

    Why the Jewish alphabet? The Revelation was written in Greek.
  • by eurleif (613257) on Sunday February 12, 2006 @01:09AM (#14698468)
    I would assume each chip is given a unique ID. When an employee quits/is fired, the ID is removed from the scanner's list of people to let in.
  • Re:Why? (Score:5, Informative)

    by Beryllium Sphere(tm) (193358) on Sunday February 12, 2006 @01:23AM (#14698508) Homepage Journal
    >What's the security benefit to injected RFID?

    If your threat model is someone walking into the data center with a lost/stolen/borrowed badge then requiring them to be injected does address the threat. But then so would issuing tokens in the form factor of a ring, except for the "borrowed" token problem.

    So, if you don't know that RFID chips can be cloned, if you don't know that they transmit the same number every time they're pinged, if you don't know that they can be read remotely and cloned at leisure, and if you have contempt for your employees and are oblivious to human rights, you might come up with a requirement for injected RFID.

    I sincerely hope that whoever came up with this isn't one of my colleagues in security consulting.
  • by njyoder (164804) on Sunday February 12, 2006 @01:53AM (#14698598) Journal
    VeriChip has been cracked [cq.cx]. That's only because it didn't use cryptography. JHU researchers have cracked the Exxon Mobil Speedpass [jhu.edu] [research link [rfid-analysis.org]] cryptographic RFID devices using brute force. It took 15 mintes per key, but this required 16 $200 FPGAs ($3200) working in parallel.

    Ignoring the time taken to reverse engineer the protocol, it also requires extra equipment to do the analysis for the actual reverse engineering. To my knowledge, no code has been published publically.

    At this point in time, it seems that cryptographic RFID devices, despite being cryptographically weak, are pretty secure from a practical standpoint due to a level of sophistication require to execute attacks currently.

    Plus I must wonder a) how close you have to be to read/activate VeriChip devices and b) if the readers are inside of a faraday cage when they enter the facility. At the very least, this will remove the possiblity of using lost keys or ones that were left lying around unattended.
  • Re:Why? (Score:1, Informative)

    by Anonymous Coward on Sunday February 12, 2006 @02:00AM (#14698622)
    Except obviously you don't realize that RFID chips can contain a private key, and answer questions from the door other device with a signed answer. This makes it impossible to clone one of these chips without brute force hacking it, assuming it will securely keep its private key. Snooping on one of these guys won't help you at all.
  • by GoMMiX (748510) on Sunday February 12, 2006 @03:05AM (#14698765)
    I am not confused.

    My reference to asbestos, once used as insulation in homes/buildings, was to note the now well known effects of cancer caused by asbestos.

    Perhaps in light of this information, my previous post will seem more complete.
  • Re:Implant safety... (Score:1, Informative)

    by Anonymous Coward on Sunday February 12, 2006 @04:19AM (#14698930)
    This is not even close to true. Tags that offer cryptographic security--not always good cryptographic security, but better than the VeriChip--are on the market now. The tags cannot be cloned without major effort. The VeriChip simply isn't one of them.
  • Re:Why? (Score:1, Informative)

    by Anonymous Coward on Sunday February 12, 2006 @04:27AM (#14698951)
    The tags work at 134 kHz; a directional antenna would be about the same size as Manhattan. But yes, the read range goes up when another reader powers the tag.
  • Re:Why? (Score:1, Informative)

    by Anonymous Coward on Sunday February 12, 2006 @06:57AM (#14699280)
    It's called man in the middle attack, and is VERY easy to do:

    Normally: door reader - chip in arm

    you make it:

    door reader - hacker chip - radio - radio - hacker reader @Walmart - chip in arm of employee shopping @ Walmart

    You talk to the door, and forward everything to the legitimate chip elsewhere ;)
  • Re:Why? (Score:3, Informative)

    by makomk (752139) on Sunday February 12, 2006 @08:57AM (#14699516) Journal
    Except obviously you don't realize that RFID chips can contain a private key, and answer questions from the door other device with a signed answer. This makes it impossible to clone one of these chips without brute force hacking it, assuming it will securely keep its private key. Snooping on one of these guys won't help you at all.

    Who says you need to clone it? Just have (say) a babe in a bar next to the chipped person with a hidden device imitating the door reader, and someone at the door with a device imitating the chip, linked with mobile phones (or other communication device). Door sends challenge to chip-imitator, it's transmitted over to the real chip, which sends a correct response back. Response is returned to chip-imitator, transmitted to door, and you're in.

    Besides, it looks like these chps *might* be just simple IDs (cryptography is more expensive - needs more on-board hardware, and more power, which isn't easy since the power has to be transmitted wirelessly).
  • Re:Comrades... (Score:3, Informative)

    by TedCheshireAcad (311748) <ted&fc,rit,edu> on Sunday February 12, 2006 @02:56PM (#14701057) Homepage
    Shenanigans.

    I saw a representative from this company on Fox News yesterday (he was the IT manager) and he explicitly stated that participation was voluntary. Two employees had the implant, one of those was the CEO. The fellow being interviewed carried his RFID on his keychain.
  • Re:Why? (Score:3, Informative)

    by AK Marc (707885) on Monday February 13, 2006 @02:20PM (#14709398)
    Door sends challenge to chip-imitator, it's transmitted over to the real chip, which sends a correct response back. Response is returned to chip-imitator, transmitted to door, and you're in.

    That wouldn't work with the passive ones. They burst, then listen. There is a small guardband, but if your induced delay is more than 40 ms or so, the system I worked with wouldn't hear the response. It is not correct to say that they are transmitting all the time. They are pulsing constantly. If the system is designed for tight security, they won't accept an answer multiple cycles later than the question was asked. Though, the system I worked with didn't care a bit about security, so everything was transmitted in the clear and the response could be delayed and the system wouldn't care in the least. But you'd still have to synchronize the response with the pulsing of the reader.

Sentient plasmoids are a gas.

Working...