Thursday, 3 August 2017

Not this again

The BBC reports that someone has put a chip in his body to unlock his car. It is not clear why, although his evident undeserved smugness is likely reason enough for him. It's also unclear that there's even a very credible security advantage, since hacking car locks has so far proved easier than stealing people's keys.

But I'm biased. It reminds me too much of the pointless Kevin Warwick, who has for decades been claiming to be a cyborg because he had an RFID chip in his arm. Having an RFID chip 1mm outside your skin in a badge doesn't make you a cyborg but having one 1mm on the other side does, apparently. The distinction without a difference has certainly earned him a lot of stupefyingly dull and stupid column inches over the years.

I've nothing in principle against using implants for authentication and I've no doubt it'll happen in the near future. It'll be convenient, but it won't pay to underestimate the security concerns, or the practical ones, for that matter.

It seems a nice idea, for example, to use an implant for 2FA alongside a physical artifact such as car keys, but then how do you lend your car to someone else or even allow them to unlock it to get stuff out? Perhaps taking care of your keys like, you know, an adult might be a superior solution all round.

We already know that RFID chips in passports etc. can be skimmed from a distance. At least we can put our passports in RFID-proof wallets. It's a little less convenient to wear lead gloves. And besides, how do we deactivate authentication when we know someone has skimmed our implant? How do we upgrade?

The problem is one of poor analogy. Authentication shouldn't be thought of as a key; it should be thought of as (some) proof of who we are. After that, infrastructure needs to decide what we're allowed to do in a given situation.

There are lots of smart people working out how that infrastructure might work, but slitting yourself open and installing an RFID chip is not approaching smart. People are working on how we might delegate authentication in complicated ways and how identity certifiers and authentication services could collaborate without creating a vast security minefield. There is already a fucktonne or so of literature on this subject.

But what's reported is some idiot injecting a chip into himself as though the future has already happened.

