VERICHIP RFID IMPLANT HACKED! Will Security Problems Quash IPO Plans for
The VeriChip can be hacked! This revelation along with other worrisome
details could put a crimp in VeriChip Corporation's planned initial public
offering (IPO) of its common stock, say Katherine Albrecht and Liz McIntyre.
The anti-RFID activists and authors of "Spychips: How Major Corporations and
Government Plan to Track Your Every Move with RFID" make no bones about
their objection to VeriChip's plans to inject glass encapsulated RFID tags
into people. But now they've discovered information that could call
VeriChip's entire business model into question.
"If you look at the VeriChip purely from the business angle, it's a
ridiculously flawed product," says McIntyre. She notes that security
researcher Jonathan Westhues has shown how easy it is to clone a VeriChip
implanted in a person's arm and program a new chip with the same number.
Westhues, known for his prior work cloning RFID-based proximity cards, has
posted his VeriChip cloning demo online at http://cq.cx/verichip.pl
The VeriChip "is not good for anything," says Westhues, has absolutely no
security and "solves a number of different non-problems badly."
The chip's security issues may spell trouble for those who have had one of
the microchips embedded in their flesh. These include eighteen employees in
the Mexican Attorney General's office who use an implanted chip to enter a
sensitive records room, and a handful bar patrons in Europe who use the
injected chips to pay for drinks. "What are these people going to do now
that their chips can be cloned?" says McIntyre. "Wear tinfoil shirts or keep
everyone at arm's length?"
Albrecht quips, "A man with a chip in his arm may soon find himself
wondering whether that cute gal on the next bar stool likes his smile or
wants to clone his VeriChip. It gives new meaning to the burning question,
'Does she want my number?'"
But the VeriChip's problems don't stop there, says McInytre, who is also a
former bank examiner and financial writer. She has carefully analyzed the
company's SEC registration statement and associated chipping information and
discovered serious flaws. It turns out the company's own literature
indicates that chipped patients cannot undergo an MRI if they're
unconscious. What's more, the company admits that critical medical
information linked to the chip could be unavailable in a real emergency.
"These issues call VeriChip's promotional campaigns and business plan into
question," McIntyre says.
The instructions provided to medical personnel warn that chipped patients
should not undergo an MRI unless they are fully alert and able to
communicate any "unusual sensations or problems," like movement or heating
of the implant. This conflicts with company's efforts to promote people who
cannot speak for themselves, such as Alzheimer's patients, those with
dementia, the mentally disabled, and people concerned about entering an
emergency room unconscious.
"The irony is that implantees will have to wear a Medic Alert bracelet or
bear some obvious marking so they aren't mistakenly put in an MRI machine,"
Chipped patients might also have to wear a Medic Alert bracelet as a back-up
in case the VeriChip database containing their critical medical information
is unavailable. The fine print on the back of the VeriChip Patient
Registration Form warns implantees that "the Company does not warrant...that
the website will be available at any particular time," and physicians are
told the product might not function in places where there are ambient radio
transmissions--like ambulances. In addition, patients are required to waive
any claims related to the product's "merchantability and fitness." The
waiver paragraph as it appears on the form is reprinted below:
"Patient...is fully aware of any risks, complications, risks of loss, damage
of any nature, and injury that may be associated with this registration.
Patient waives all claims and releases any liability arising from this
registration and acknowledges that no warranties of any kind have been made
or will be made with respect to this registration. ALL WARRANTIES, WHETHER
EXPRESS OR IMPLIED, HOWEVER ARISING, WHETHER BY OPERATION OF LAW OR
OTHERWISE, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF
MECHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXCLUDED AND WAIVED.
IN NO EVENT SHALL THE COMPANY BE LIABLE TO PATIENT FOR ANY INCIDENTAL,
SPECIAL OR CONSEQUENTIAL DAMAGES (INCLUDING LOST INCOME OR SAVINGS) ARISING
FROM ANY CAUSE WHATSOEVER, EVEN IF ADVISED OF THEIR POSSIBILITY, REGARDLESS
OF WHETHER SUCH DAMAGES ARE SOUGHT BASED ON BREACH OF CONTRACT, NEGLIGENCE,
OR ANY OTHER LEGAL THEORY." [Emphasis in the original.]
"For a life or death medical device, that's unbelievable," says McIntyre. "I
wouldn't buy toilet paper that required that kind of a disclaimer, never
mind a product that's supposed to serve as a lifeline in an emergency."
McIntyre contacted the VeriChip Corporation for comments on these issues and
was initially promised a response. When the company failed to get to get
back to her, McIntyre followed up and was told that the employee had been
instructed not to answer her questions. The unanswered questions, along with
photos of the VeriChip and associated literature, are available at