RFID Injection Required for Datacenter Access

user24 writes "Security focus reports that RFID injections are now required for access to the datacenter of a Cincinnati company. From the article 'In the past, employees accessed the room with an RFID tag which hung from their keychains, however under the new regulations an implantable, glass encapsulated RFID tag from VeriChip must be injected into the bicep to gain access ... although the company does not require the microchips be implanted to maintain employment.'"

Comrades...

[Bananatree3 (872975)]

...and the Comrades marched rank and file into their working facility, while the Big Brother telescreen carefully scanned each implanted chip...

Big Brother

[westlake (615356)]

...and the Comrades marched rank and file into their working facility, while the Big Brother telescreen carefully scanned each implanted chip...

It's a video surveillance company. You work in the data center, you become Big Brother.

A milestone

[suso (153703)]

Is this the first time civilians have been required to do thing type of thing? I guess its no longer science fiction.

Re:A milestone

[servognome (738846)]

Is this the first time civilians have been required to do thing type of thing?

Lots of stuff has been done to monitor civilian employees: Drug testing, email snooping, time card punching, video monitoring, background/credit checks, etc.

Re:A milestone

[Jafafa Hots (580169)]

Well, there were those number tattoos in the Nazi slave labor camps...

Re:A milestone

[JabberWokky (19442)]

Godwin's Law does not apply when there is a legitimate historical reference to Nazis. I'd say this one actually is a proper and on-topic reference, as there aren't many other cases of forced permanent identification or serialization. I can think of plenty of "mode of dress" and uniform enforcements, but no other examples of permanent body modifications that mark specific individuals.

--
Evan

Re:A milestone

[Richy_T (111409)]

But RFID doesn not require the participation of the owner. That stranger who just jostled you in the subway now has your RFID code (You can make RFID readers *small*) Now a)You don't know the code has been stolen (vs having your passcard lost or stolen) and b)When you do discover the code as been stolen, changing your own code is a *lot* more hassle than issuing a new passcard.

These things could be negated by RFID chips with rolling codes or read/write ability but these are not commonly available in the glass capsule RFID chips. I'd give good odds that this company is not pushing the boudaries either and has the standard one-id versions.

Bear in mind that RFID devices are operating on the limits of what power can be obtained from a fairly weak power source in the first place. Any extra complexity has a real impact on the operational range.

Rich

Re:A milestone

[Jafafa Hots (580169)]

Jafafa's Law: Anyone who tries through reflexive and thoughtless exclamation to inhibit the very valid practice of comparing for the purpose of gaining perspective a behavior to known extremes is a fucking putz.

(I admit it's not very catchy.)

Maybe not such a milestone

[jc42 (318812)]

Is this the first time civilians have been required to do thing type of thing?

This may not be exactly the same thing, but it's somewhat of a precedent: A few years ago, after a mammogram, my wife had a biopsy to check out something "suspicious". It turned out to be nothing important, though.

Some time later, she had another x-ray at a different place, and she saw that the image had a visible object at the site of the biopsy. She was told that it was a small piece of plastic left behind during the biopsy procedure, and that this was a fairly common thing. Sort of a "We were here" tag.

Whether it's an RFID chip we don't know. But at least some medical people are already implanting small "innocuous" things without mentioning it to the patient. And there have been stories of medical uses of RFID chips to help avoid the common problem of misidentifying a patient.

It's easy to put such things together. If you've had any "penetrative" medical work done in the past few years, there's a good chance that you're carrying an RFID chip now.

Re:Maybe not such a milestone

[jc42 (318812)]

WTF? Who moderated this "troll"?

I almost didn't read it when I noticed the -1.

Maybe the meta-mods will catch it, or maybe not.

Actually, using a second breast as a control for the other may not be all that great an idea. Usually they are slightly different in size and shape, as are most men's testes. And both breasts get exposed to anything in the blood stream.

What you obviously want is a second woman who is a match for the first in as many ways as possible. Then you compare all four breasts.

Lessee what sort of mod this gets ...

Yeah that was ironical.

[mfh (56)]

Rumour has it that a certain data center will be sued shortly for creating a hostile work environment. There's a few ways to slice this one:

• employees will strongly dislike geeks from Slashdot following them around with RFID readers
• employees will strongly dislike nosy reporters trying to get stupid interviews about what it felt like to have an RFID tag implanted (ie: "So what did it feel like when the cold steel of that needle intersected your unwilling arm, ma'am?"
• employees will detest their weekly security update shots, along with subsequent track marks

And then there is the whole magic marker circumvention method that is soon to be discovered (possibly within this thread).

Oh wait...

FTA: Ironically, the extra security sought may be offset by a recent discovery of Jonathan Westhues, where the security researcher showed the VeriChip can be skimmed and cloned, duplicating an implant's authentication.

Yeah... I can't wait for the Diebold spin on this story.

Typo

[BiggerIsBetter (682164)]

That was supposed to read, FTA: Ironically, the extra security sought may be offset by a recent discovery of Captain Obvious, where the security researcher showed the VeriChip can be skimmed and cloned, duplicating an implant's authentication.

Seriously, which genius thought putting a remotely readable barcode in an employees arm was ever going to be secure? Must the IT world really repeat the mistakes of the 80's garage door opener industry??

Re:Yeah that was ironical.

[Linker3000 (626634)]

• Employees were fed up of being charged for an extra 'phantom' tube of tomato puree every time they went grocery shopping
  

I think I'll prestate the sentiments of Slashdot.

[captnitro (160231)]

Aw, hell no.

I especially like...

[Statecraftsman (718862)]

the part about the VeriChip being sucsceptible to scanning and cloning.

At least, it doesn't need to be cut out to be used by a sufficiently motivated attacker.

Re:I especially like...

[Martin Blank (154261)]

This is why I keep pressing my employer to not adopt RFID badges, and keep either the magnetic swipes or move to 2D barcodes. I have an inherent distrust of anything wireless, which is why I still have cables running from my mouse and keyboard, refuse to use Bluetooth, and use wireless only when I have to and even then almost exclusively in Linux (though with WPA/WPA2 and a nice, long, random shared key, it's not so bad). My current record in a lab for cracking 128-bit WEP is about 14 minutes, start to finish.

Paranoid? Yeah, a bit. But then I've never had to worry much about someone intercepting my phone calls or passwords over the air.

On the main topic, if no one is going to be fired for refusing, but part of their job is working on equipment in the datacenter, what happens?

Re:I especially like...

[broller (74249)]

So are you entering passwords or making phone calls with your mouse? I wasn't clear on that point.

Paranoid?

[runlvl0 (198575)]

I have an inherent distrust of anything wireless, which is why I still have cables running from my mouse and keyboard, refuse to use Bluetooth, and use wireless only when I have to and even then almost exclusively in Linux (though with WPA/WPA2 and a nice, long, random shared key, it's not so bad). My current record in a lab for cracking 128-bit WEP is about 14 minutes, start to finish. Paranoid?

Paranoid? Not until you do all of your computing inside a Faraday cage. Until then, you're just a TEMPEST in a teapot.

does not require the microchips be implanted

[still_sick (585332)]

Mmmm-hmmm...

They won't require you to implant the chip to keep your job. But how long can you keep your job if you can't access the datacenter?

Maybe they're right

[HeavensBlade23 (946140)]

Isn't this what the Christians have been saying was going to happen for the past 20 years now? Of course, it's not the governing that's forcing the chips on people, but it's only a matter of time.

Re:Maybe they're right

[symbolset (646467)]

It's a Visa card?

Well, it's Slashdot

[1310nm (687270)]

It might actually double the victim's bicep circumference.

I always knew Management worked us like dogs...

[scotty1024 (584849)]

But now they want to chip us like dogs too?

What's next, kibble in the break room vending machines?

Why?

[cgenman (325138)]

I'm not understanding the point here. If you inject the RFID chip, you can theoretically track your users wherever they go. But you can't ensure that access isn't being granted to someone who has an RFID chip in their wallet. You are making it slightly harder to steal the data, but you're not making it any harder to clone the chip.

What's the security benefit to injected RFID?

BTW, this [spychips.com] is the original article.

Re:Why?

[netwiz (33291)]

You're not even really improving the security at all. Most of these types of devices get a short burst of RF at the reader which serves two purposes, one to provide raw power for the device (a la crystal radios), and one to signal the device to request it's ID. The device gets just enough power from the input signal to do a lookup and squirt back it's code just before it dies. The trick is, so long as you're willing to wait for someone to use the door, a directional antenna will pick up the conversation nicely. Once you've got a sample of the door's signal (they broadcast continuously), you can use the same directional to trigger the victim's ID unit remotely. Since normal badged users won't have the badge on them at all times, you couldn't get the code by following them in public. The RFID guy on the other hand, well, he's a different story. you could snag codes from him all day by just hanging nearby as he goes in/out of stores, Wal-Mart, etc.

So in the end, the RFID makes things worse by imcreasing the level of access to the device itself.

Re:Why?

[Beryllium Sphere(tm) (193358)]

>What's the security benefit to injected RFID?

If your threat model is someone walking into the data center with a lost/stolen/borrowed badge then requiring them to be injected does address the threat. But then so would issuing tokens in the form factor of a ring, except for the "borrowed" token problem.

So, if you don't know that RFID chips can be cloned, if you don't know that they transmit the same number every time they're pinged, if you don't know that they can be read remotely and cloned at leisure, and if you have contempt for your employees and are oblivious to human rights, you might come up with a requirement for injected RFID.

I sincerely hope that whoever came up with this isn't one of my colleagues in security consulting.

Interresting Question

[aepervius (535155)]

I went to their web site and many time they repeat the word "secure". Now granted this could be marketing bunk destined to pointy haired boss, but a passive RFID tag without private key cannot be qualified as secure even remotely. So I will stand on a leg and state that the GP is wrong and the Parent post is right, you cannot so easily copy the tag.
Veri Chip [verichipcorp.com]
Veri Guard Brochure [verichipcorp.com]


What is quite frightening is that they purport on site tracking up to 15 foot (5 meter!). This is WAAAY beyond the distance the RFID-CHip-are-ok-sleep-safely-it-won't-be-abused-p eople purport is short. For me 1 foot is short. With 5 meters/15 feet readability, then you can REALLY immagine implementing a reader everywhere and fully track a population (in a firm/company/city/country).

Re:Why?

[Duhavid (677874)]

You forgot about the "guy that owns this company knows the guy at the RFID tracking system company"
angle entirely.

Religious Objection

[Shky (703024)]

Could someone object on the basis of religious discrimination if they believe that RFID implants constitute the "Mark of the Beast"?

Re:Religious Objection

[Bodysurf (645983)]

"Could someone object on the basis of religious discrimination if they believe that RFID implants constitute the "Mark of the Beast"?"

I would imagine it would be just like the article stated: They can't/won't force you, but if you refuse, you don't get acccess to the datacenter. Just like the Mark of the Beast "... no one may buy or sell except one who has the mark or name of the beast, or the number of his name."

Re:Religious Objection

[WasteOfAmmo (526018)]

Not that I'm typically very religious or anything but:

It seems to me that it would be a little hard to claim that this, or a good many of the other things that people have pointed too, constitutes the mark of the beast.

1. It is in the bicep region, not the forehead or right hand;
2. It is not a name nor the number 666

From the book of revelations:

13:16 He causes all, the small and the great, the rich and the poor, and the free and the slave, to be given marks on their right hands, or on their foreheads;

13:17 and that no one would be able to buy or to sell, unless he has that mark, the name of the beast or the number of his name.

I'm not sure what edition the above is from but it is plain English and close enough for this discussion.

13:18 Here is wisdom. He who has understanding, let him calculate the number of the beast, for it is the number of a man. His number is six hundred sixty-six.

On a side note: always wondered about making a program to compute all the possible combinations of the Jewish alphabet that adds up to 666 (filtering out all the nonsense ones of course). Someone must have done this somewhere already.

Merlin.

Escalation

[Spazmania (174582)]

So much for Evil Guy yanking out an eye or cutting off a hand so that he can fake access. Now he has to take the whole arm...

Seriously, if he wants in that bad I'd rather he just beat me up and take my keys.

Re:Escalation

[tftp (111690)]

Don't worry, nobody is going to take your arm (it's too large to carry.) The chip is not that deep, so a small incision with a sharp boxcutter will allow the attacker to pull the capsule out. He only may need to explore a bit (with that knife) around the needle scar :-( Chances are very good that you will survive, especially if the attacker knows how to avoid major blood vessels, and if the knife is clean, and if you don't need that arm that much. Just choose your attackers carefully and check their medical diplomas before they do it to you.

Honestly ....

[taniwha (70410)]

evil guys just have to get more inventive

Many years ago I found myself in a turf war with the 'operators' who looked after our mainframe .... in their view system programmers weren't allowed to touch the hardware ... anyway as a response we instituted a physical penetration analysis of the machine room .... the number of different ways in we found was in the mid teens - some involved children (or small adults) climbing thru ducts or thru the windows we gave people their printouts through, others involved finding ways in under the false floor (there were several) - but the one that took the cake was when we noticed that all the hinges on each and every door to the room was on the outside ... anyone could show up at any time and steal the doors

Chipped by your boss ?= chipped for life

[Statecraftsman (718862)]

So when you decide to leave your emplyoyer do they take it out free of charge? I hope so.

If not, you're likely to be tracked not just by your employer but by anyone else with an RFID scanner. There really ought to be an activator button or device that needs to be pressed or broadcasting to make such a device safe for the implanted.

This will only last about as long as

[zappepcs (820751)]

This will only last about as long as the Sony rootkit-like DRM lasted. It now has public attention, and when it is pointed out that the scheme has enough security holes in it to act as a noodle strainer, the number of people who will actually allow the implant will be zero, meaning there will be no one to do any maintenance in the datacenter, and thus the rules will have to be changed.

For less than they paid for the RFID system, they could have hired someone to log people in and out of the data center. Additionally, I question the validity of a system that restricts access to only those with an implant during disaster situations (fire, flood, and worse) where access rights and needs are rather different than in normal situations.

Good security costs a lot of money, and you cannot replace the human element in the security chain. The RFID schemes won't prevent anyone following an authorized person into the data center, unless there is physical restrictions that would make working in the data center dangerous during emergencies. In this case, the $10/hour guard is more flexible and cheaper than the high-tech answer, and more respectful of humans in general... or at least I think so

Just a marketing gimmick

[cyberjessy (444290)]

To me this sounds more like a marketing ploy. So that they could go to potential clients and say, "Look we are so secure and futuristic that we need embedded chips in humans to access our critical datacenter!". Client is left stunned.

IANA American, but I hope that the goverment would do something if this was forced on the employees working in the datacenter. After all, what can this achieve which cannot be done with a retinal scan, RFID tag combo? If the criminal can pass the retinal scan, can't he also pluck the RFID from the employee and stick into his arm?

Huh..... I would hate it if someone said they are gonna put a chip inside my body. Wait till someone gets hurt and the company gets sued for a million dollars.

Heh.

[soupdevil (587476)]

The joke's on them. Geeks don't HAVE biceps.

Sounds like a publicity ploy

[gad_zuki! (70830)]

We all know that this won't increase security, but now this surveillance company can use this in all their advertising and PR. "Sure, you can go with the other company but they arent half as serious as we are. We put bloody implants into our employess! That's serious!"

Its harmless except for Joe and Jane Datacenter who have to go in for some minor surgery on the weekend to keep their jobs. I hope this "Golden Casino" mentality stops right here after these people get exposed for the dumbasses that they are. Hell, even in the article they did not know the weaknesses of RFID authentication.

I woulndt doubt if this was 100% publicity stunt. I wonder how many people even have to access the datacenter. Depending on the company size it could just be one or two people. Of course all the executives, security, etc will have the old keycards that will work just fine.

Wait, isn't this worse security?

[Rakishi (759894)]

Ironically, the extra security sought may be offset by a recent discovery of Jonathan Westhues, where the security researcher showed the VeriChip can be skimmed and cloned, duplicating an implant's authentication. When contacted, those at CityWatcher were unaware of the chip's security issue, according to the spychips.com release.

So before I needed to get close to an object (whatever had the rfid tag) which under normal circumstances an employee would not be carried around (say they were going home or something) or could have it in a reader blocking case. Now, I simply need to get close to an employ anywhere at any time to copy their data.

Fucking brilliant, now I can steal their tag without anyone ever knowing, whereas before they'd know it was gone in a reasonable amount of time (I'd have to steal the physical object most likely).

I remember when Asbestos was just good insulation

[GoMMiX (748510)]

Now people are required to inject glass capsules into their arms to enter a facility?

Now we know asbestos kills.

What will be said of placing RFID tags into our bodies 50 years from now.

Some risks are worth taking, there is no question. For me, this is not one of them.

Did you read the story?

[Saeed al-Sahaf (665390)]

Shouldn't be legal to require this...

The story reads that it's not required to maintain employment. But, then again, most jobs in the US are "at will" anyway...

Re:uh, no.

[netwiz (33291)]

Actually, they didn't leave it out, and I did read the article. My comment was a question of the logical extention of this policy. More to the point, if they're only going to allow access to RFID-enabled employees, doesn't it seem kinda necessary that either 1) you will be implanted if your responsibilities include accessing the video library, or 2) you're going to lose that responsibility. I can't see the latter being a positive career move.

Re:uh, no.

[timeOday (582209)]

Because according to the story, it's not required to maintain employment.

Of course it isn't... although we do appreciate good team players. And none of our other employees seem to mind. And frankly we're a little insulted by the implicit accusation that we'd ever abuse this power. It's not like you have something to hide... do you? Well, anyways, it's not a requirement, so here's the key to your new office. Go ahead and move the brooms and mops over to one side.

Re:uh, no.

[netwiz (33291)]

Okay, but what's the metric here? "Unsafeness?" How "unsafe" is getting an RFID implant? Is it then safe to assume that if something was sufficiently risk-free, that a potential employer could get away with making the employee submit to their wishes? How far might that go? And most importantly, who's deciding what's unsafe, and where's their money come from?

Re:From TFA

[Esion Modnar (632431)]

Although the company does not require the microchips be implanted to maintain employment, anyone without one will not be able to access the datacenter

And anyone who requires access to the datacenter to do their job, such as operators and sysadmins, cannot DO their job unless they get the implant. And if they cannot do the job, how are they expected to maintain employment?

I suppose the official reason for termination would be "uncooperative attitude." Certainly not "he refused to get chipped." Or maybe the company will concentrate on ways to make the employee so miserable, he just quits. Problem solved.

Re:From TFA

[YGingras (605709)]

And anyone who requires access to the datacenter to do their job, such as operators and sysadmins, cannot DO their job unless they get the implant. And if they cannot do the job, how are they expected to maintain employment?

They have no problem to do their job without physical access, they installed telnet on all the servers.

Re:From TFA

[slashname3 (739398)]

showed the VeriChip can be skimmed and cloned, duplicating an implant's authentication.

To say nothing of employee's arms being taken and used to gain access. Just need to have a large plastic bags to put the body part in to keep it from leaking all over the hacker. Gives a whole new meaning to the term hacker.

I wonder if these are the same implants they use on dogs. If they are it's no wonder they are insecure. And I don't see how this improves security much if any. It would be better to have a two man rule enforced by the access system, using two factor authentication, and have cameras monitoring the access into the cages. Securing a data center is not that difficult. It can be costly.

One last thought, what does the company do if those implanted leave or are fired? Pay out the insurance premium for dismemberment when they remove the arm of the employee? I guess you know you are being fired when the security guard shows up at your desk with a box for your stuff and a hacksaw to revoke your access.

Re:Spell Check?

[uncoveror (570620)]

It does not surprise me at all that this is in Cincinnati, which has a horrible anti-worker culture. Employees are considered far less valuable than office fixtures, pay is below the national average in all industries, and flexible time is a foreign concept. Most employers there resent the emancipation proclaimation. Without it, they wouldn't have to pay the drones at all. This attitude has even spilled over to the sports teams, who have lost a lot more often than they have won over the years due to skinflint ownership.

Re:Don't panic

[Somegeek (624100)]

I don't think the CIA is going to want thier agents permanantly broacasting a message that says 'hey I work for the CIA' to anybody that has the desire and technology to listen.