Security researcher Seth Wahle of APA Wireless and Rod Soto of Hack Miami used a near-field communications (NFC) chip implant in his hand to demonstrate that it is possible to exploit Android devices and avoid detection by common body scanners located at airports and high-security environments.
Wahle explained to Forbes that bought a chip designed to be injected into cattle and implanted the chip by an “unlicensed amateur” for $40 by using a needle which was larger than he had initially expected.
“But implants aren’t for the squeamish. Wahle says the needle was bigger than he’d expected when he had the chip implanted by an “unlicensed amateur” for $40, enough to make him want to vomit. He says he had to go through a backstreet operation due to Florida’s restrictive body modification laws. He first had to acquire the chip, designed to be injected into cattle for agricultural uses, from Chinese company Freevision (see images below for their animal products and the sizeable syringe used by Wahle). But the chip, which has just 888 bytes of memory and is encapsulated in a Schott 8625 Bio-glass capsule, is now barely noticeable, Wahle says, poking at the cylindrical object over his webcam during a Skype call with FORBES.” reads Forbes.
The NFC chip was used to ping nearby Android mobile devices in the attempt to establish a direct connection. Once the hacker has established a link to the mobile device via the NFC chip, they can serve a malicious file that (if installed and run by the victim) would compromise the Android device. And infected device will then try to connect a remote server operated by Wahle, who can then serve further malicious payloads and exploits to the mobile device (i.e. Metasploit).
This kind of attack could be very dangerous the attacker were to use a coordinated social engineering scheme; the target has to be convinced to open and execute the transmitted file.
Implanted NFC chips could allow individuals easily to bypass perimeter defenses in high-security environments, even in facilities where IoT devices (i.e. wearables devices) are not allowed. Wahle explained that none of the military scanners he had to pass through while he was serving in the U.S. military were able to detect the implant although it is detectable via an X-ray.
Wahle and Soto will share more details about biohacking for hackers during the Hack Miami conference in May.
Pierluigi Paganini is Chief Information Security Officer at Bit4Id, firm leader in identity management, member of the ENISA (European Union Agency for Network and Information Security)Treat Landscape Stakeholder Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.