This story appeared on the BBC site under the title “First human ‘infected with computer virus,’” which is a bit silly and almost made me skip reading it. The proof of concept is actually quite serious.
A researcher from the University of Reading in the UK, Dr. Mark Gasson, wrote malcode onto a radio frequency identification (RFID) chip which he inserted in his hand. The chip could activate security doors and apparently served as an authentication source for his cell phone.
He demonstrated that the infected chip could pass the malcode to the external control systems that read it. Gasson works at the University of Reading’s School of Systems Engineering.
He will present the results of the research in June at the International Symposium for Technology and Society in Australia.
The story skews off into discussions of all the things the chips are used for, but doesn’t really discuss the implications of malcode spreading from chips implanted in humans. I can think of a few:
— If read-write implanted chips in humans become widespread, there could be the possibility of malicious operators infecting the chips of passers-by in public places. Certainly implanted chips would need to be securely read only.
— Hacking or denial of service attacks could be launched with malicious code in the chips against security systems that use RFID readers.
— RFID devices will need anti-malware software and will need to be connected to networks securely (outside a firewall?)
— Portable RFID readers will need similar AV protection and will need updates. That will be a record-keeping headache for IT staffs.
— The networks of retail stores could be attacked when malicious operators install back doors by placing infected chips where portable RFID readers used for inventory control would encounter them. Someone with an infected implanted chip could walk near one of the devices and do the same thing.
— The possibility of malicious code on implanted chips containing peoples’ medical information will present a new layer of compliance issues.
Tom Kelchner
Update 05/28:
Dr. Gasson’s stunt and video have attracted massive amounts of attention. I’ve seen 20 stories on the web with doofy headlines that are some variant of: “Scientist infects his own self with COMPUTER VIRUS.” They range from the BBC to local newspaper web sites in the U.S.
It’s such a really dumb headline – admittedly the product of true PR genius – but just really dumb. I counted five news outlets that sensibly reported the story and its implications, including the Register. They really did the best job of not only reporting the event, but the PR silliness behind it. The following is by John Leyden:
Captain Cyborg sidekick implants virus-infected chip
First Mate Malware and the infected pacemakers of doom
“A second transhumanist RFID-chipping nut has emerged from the academic community at the University of Reading.
“Professor Kevin Warwick became famous years ago after claiming he was on the way towards becoming a cyborg after he implanted a simple RFID chip in his arm, which allowed sensors to register his presence and perform simple actions such as opening a door. The same thing could be done by putting the same chip on an Oyster-card style device, of course, but that’s nowhere near as tasty a morsel for mainstream media consumption. The prof has enjoyed a lucrative media and book career on the back of this exercise.
“Now Dr Mark Gasson, a senior research fellow at Reading University’s Cybernetic Intelligence Research Group, has managed to extract further publicity from a variant of much the same pointless experiment, featuring technology more commonly used to chip domestic pets and unspecified computer malware. Gasson surgically implanted an RFID chip infected by malware into his hand. He claimed this made him the first human to become ‘infected with a computer virus.’”
Even the Register’s URL to the story carries a little editorial: http://www.theregister.co.uk/2010/05/26/captain_cyborg_cyberfud/
John Leyden, you are a true professional!!
AND, if you’re ready for the next dose of cyber-media insanity, check out the satirical Twitter feed BPTerry in which someone whose identity hasn’t been outed yet purports to be a lazy, sexist and stupid PR staffer for BP and issues tweets about the oil company’s struggle with the Deep Water Horizon disaster. (Example: “just went skinny diping in the gulf. i call it dipsticking. lol”)
See Mashable account here.