
Microchip implantation: myths and reality





Remember the movie "Terminator" and other horror stories from the near future? Fasten your seat belts: below are a couple of real stories about people voluntarily implanting various chips under their skin. Of course, our country has its homegrown cyborgs too, but let's see how things are developing in the West.






When Three Square Market, a company based in Wisconsin, offered its employees a cash reward if they voluntarily agreed to have a microchip implanted, the Internet was shocked. But just a few days before the so-called “chip party” at TSM headquarters, participants of the DEFCON hacker conference eagerly lined up and paid to have a microchip inserted under the skin between the thumb and index finger.



These two controversial events raise the question: are implantable chips a step towards an invasive dystopia in which employers track every movement of their employees? Or are they just an easy way to log into accounts and open doors with a snap of your fingers? Thanks to a small but growing number of people (from 50 thousand to 100 thousand, according to estimates by the biohacking company Dangerous Things) who have ventured on this adventure, society may soon find out the answer.



What are these microchips?



Microchip implants are small cylinders made of lead-free borosilicate glass or Schott 8625 biologically neutral soda-lime glass, containing a microchip, biologically neutral epoxy resin and a copper coil antenna. Microchips implanted in both animals and humans have no integrated energy source and are powered by an external electromagnetic field. That is, they are inert until a reader, the source of the EM field, is brought close to them.



These implants are often referred to as RFID, but this term hides a very wide range of frequencies, devices, protocols, and interfaces. RFID devices are divided into three frequency groups: low frequency (125 and 134 kHz), high frequency (13.56 MHz) and microwave (UHF) (800-915 MHz). Chips for implantation usually belong to the first or second group. RFID chips are identified using radio waves, and NFC chips are classified as high-frequency.



Biohax, the company that implanted NFC chips in TSM employees, and other companies such as Dangerous Things let the user choose, for example, between RFID and NFC chips. Typically, RFID devices are used as a replacement for keys and passwords to enter homes, open and start cars, or log in to a laptop's operating system. NFC tags can also be used, among other things, to store vCards or bitcoin wallet addresses. In Sweden, Biohax has partnered with railway companies, and its chips can be used to store ticket information. You can also program the chips as triggers for other devices so that, for example, touching your phone calls your wife.



Dangerous Things xEM chips, operating at 125 kHz, emulate common low-frequency chips like the EM41xx and have programmable memory and basic security features, so you can program them or clone EM or HID tags, like ProxMark II ID cards. Their xNT chips, operating at 13.56 MHz, are based on the NTAG216 chip; they have 888 bytes of programmable memory and 32-bit password protection, and they are NFC-compatible. The xMI microchips, also operating at 13.56 MHz, have 769 bytes of programmable user memory and support Crypto1 protection features; these chips are only suitable for some NFC devices. The xIC microchips have 128 bytes of programmable memory but no protection features at all; they too are suitable only for some NFC devices.



At Dangerous Things, microchip implants are often called transponders, that is, transceivers. But Tara Wheeler, an information security researcher, security adviser at Red Queen Technologies and a cybersecurity expert at New America, said the term is inaccurate when applied to non-magnetic power sources like USB flash drives or implantable microchips. The chips have no batteries of their own and only tiny antennas, and they do not actually transmit anything: “You’re lucky if you can read a chip at even 30 cm. In practice, you practically need to touch it.”







Health risks



Today, microchips are so safe that they are used to tag dogs and cats. Getting an ear pierced is more dangerous, because the implant site scars over much faster, within hours. However, Amal Graafstra warns that if you implant a chip yourself and neglect disinfection, you risk getting an infection, occasionally even MRSA, a type of staphylococcus that has become resistant to many antibiotics and can lead to death. The risk of infection is lower if the chip is installed by an experienced piercing specialist with the necessary tools and a decontamination procedure. Incidentally, X-series devices are usually sold already loaded into a sterile device for implantation.



After implantation, swelling and even a bruise may appear around the chip; these pass within a few days. Encapsulation of the chip in connective collagen tissue takes 2-4 weeks, and for two years there may still be occasional itching or a squeezing sensation while the body heals around the chip.



According to Dangerous Things, once the scar tissue has finally formed around the chip, it can no longer be felt under the skin, and in most people it does not protrude unless you grasp something big with your palm. If you press on the chip through the skin with something hard, it may be a little painful, but there is simply no need to press on it.



The cheapest Dangerous Things microchips come in biologically neutral glass housings. They are implanted under the skin between the thumb and forefinger. Although the chips are glass, the probability of their breaking inside the body is small.



Implantable microchips do not interfere with magnetic resonance imaging, and they are not detected by metal detectors or airport scanners. And if you decide that you no longer need the chip, it is not difficult to take it out. Chips for animals are coated with Biobond or parylene, but chips for people have no coating at all, so they can be extracted faster. For example, in 2004 Verichip offered an implantable microchip for unlocking personal medical records. It was implanted in the triceps and was coated with Biobond. Extraction was not provided for, and the microchip could be removed only through a painful operation that left a scar. Modern microchips, however, are designed for quick and comfortable extraction.



As Graafstra says, some people complain to him that a chip was implanted in them against their will. They say that the microchip makes them hear voices, see flashes of light, or experience other hallucinations. Sometimes the cause is an undiagnosed mental disorder, and sometimes it is the result of intimidation by fraudsters offering chip detection and removal services. If such an advanced neural interface existed, it would be a holy grail for brain-computer interfaces. In fact, the best modern neural interface implants can do only slightly more than communicate with several neurons. Graafstra even investigated some of these cases and published the results. Now, when someone comes to him and says that the chip makes them hear voices or see light, Graafstra recommends that they consult a doctor, preferably a neurologist.







Security risks



If you are skeptical of implantable chips, it is probably not because of possible health problems. Hollywood and television often show tracking devices being used to hunt people. But as anyone who has lost a chipped pet can confirm, it is impossible to track anyone down with a chip.



Chips can help identify, for example, an animal in a shelter or a veterinary clinic, but the chips do not have GPS, and it is impossible to magically squeeze GPS into the chip. An implantable device with a tracking function needs a power source that has to be replaced or recharged regularly. Modern chips have no batteries, so to read the data you have to press your palm to the reader. In addition, the implant itself would have to be quite large in order to receive signals from GPS satellites and transmit positioning data over a cellular network, Wi-Fi or something else.



It is theoretically possible to track a person by means of their body modifications, but in reality it is completely impractical. An attacker would have to place a tag in a person at a particular spot, and then build a device that generates an electromagnetic field strong enough for the chip to work at a great distance. Then the villain would have to sweep the reader over every square centimeter of the part of the body where the chip is hidden. There is still no economic model that justifies such efforts, especially when there are much simpler and cheaper ways of tracking, like cameras or plain old surveillance on foot. In addition, we carry mobile phones in our pockets that are easy enough to hack. And companies can usually read your work email and, with varying accuracy, track the location of anyone who carries a laptop or tablet connected to the corporate network.



The second big fear about implantable chips concerns traditional hacking. The potential threat of a chip being infected with a virus has received much attention. In 2010, Briton Mark Gasson deliberately infected the RFID chip in his hand to see whether he could pass the virus on to an external control device. He did manage it, but for such an SQL injection attack to succeed, the user must first scan the chip with a malicious reader and then with a reader that takes the data from the access card and passes it, without verification, directly to the backend database.
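The precondition described above, a reader backend that hands tag data to the database without verification, is shown below next to a hardened lookup. This is an added example, not code from the original article or from any product it mentions; the table name, tag serial numbers, holder names and the assumed serial-number format are all constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data: serial numbers and holder names are made up.
ALLOWED = [("04A1B2C3D4E5F6", "alice"), ("04112233445566", "bob")]

# Constructed hostile tag content: a chip rewritten so that the "ID" it
# stores carries SQL syntax instead of a hex serial number.
HOSTILE_PAYLOAD = "x' OR '1'='1"

# Assumption: serial numbers are 4, 7 or 10 bytes, sent as upper-case hex.
UID_RE = re.compile(r"(?:[0-9A-F]{8}|[0-9A-F]{14}|[0-9A-F]{20})")


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE allowed_tags (uid TEXT PRIMARY KEY, holder TEXT)")
    db.executemany("INSERT INTO allowed_tags VALUES (?, ?)", ALLOWED)
    return db


def lookup_vulnerable(db, tag_data):
    """The failure mode from the text: tag data pasted into the SQL string."""
    query = "SELECT holder FROM allowed_tags WHERE uid = '" + tag_data + "'"
    return db.execute(query).fetchone() is not None


def lookup_hardened(db, tag_data):
    """Validate the format first, then bind the value as a parameter."""
    if not UID_RE.fullmatch(tag_data):
        return False  # not a serial number: reject before touching the database
    row = db.execute(
        "SELECT holder FROM allowed_tags WHERE uid = ?", (tag_data,)
    ).fetchone()
    return row is not None


def demo():
    db = make_db()
    return {
        "vulnerable_hostile": lookup_vulnerable(db, HOSTILE_PAYLOAD),
        "hardened_hostile": lookup_hardened(db, HOSTILE_PAYLOAD),
        "hardened_valid": lookup_hardened(db, "04A1B2C3D4E5F6"),
        "hardened_unknown": lookup_hardened(db, "04FFFFFFFFFFFF"),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The vulnerable lookup grants access to the hostile payload because the tag content becomes part of the query; the hardened lookup treats it as data and denies it.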



Hacker Seth Wahle, using an NFC chip, conducted a URL attack on a browser vulnerability, forcing Android smartphones to open a link that connected the devices to a remote computer. On a laptop, Wahle, using the Metasploit application for manual testing, made the smartphone take a photograph of Wahle himself. Although he used NFC technology, the hacker was able to easily send a malicious URL to the victim's phone.



In addition to this hard evidence that attacks are possible, there is the fear of cloning attacks, especially when implantable chips are used instead of keys or access cards. It is unlikely that someone will decide to get into someone else's house this way when they can just break a window, open the lock with a master key or even take a picture of the master key. Cloning chips only makes sense if the target of the attack is a company rather than a private individual, and an implantable device designed for personal use can be an easy victim.



In other words, you can copy access cards and even scan RFID chips from a distance.

Companies often ask employees to put their work badges in covers that block radio waves or in a safe after work, but many do not take their badges off even at the bar, or just put them in their pockets. And many corporate access cards are also vulnerable to cloning. Although many card systems were designed decades ago, companies stubbornly continue to use them because of backward compatibility and the tens of thousands of dollars spent on deployment. Some systems (for example, HIDProx2 and NXP MIFARE Classic) have already been hacked, others (for example, HID iClass and NXP DESFire) are vulnerable and require additional measures, and only some (for example, the new generation of DESFire EV1, DESFire EV2 and HID iClass Seos) use standards-based encryption and have no well-known vulnerabilities. Weaker cards are easier to clone when they are in someone's pocket or hand.



With all this, one of the drawbacks of body modifications is that they cannot be disabled or left somewhere. Drew Porter, founder of the security consulting company Red Mesa, complains that people constantly carry their badly protected chips with them. This is especially risky if you use a vulnerable RFID protocol like the HID PROX products. You cannot leave the chip at home, take it out of your wallet, or take it off your neck. It will always be with you. Moreover, people not only never part with their access devices, but also like to talk about how they use them. An attacker will not even have to try hard to scout out the details; it is enough to sit in a bar near someone with an implanted chip, and they will tell everyone about it: “that's how I enter the office!”. It is enough to say to such a talker: “Cool! Very interesting! Will you come here next week? Let's drink together,” and then simply clone their RFID, gaining access to a building or office.



There are gloves that shield against electromagnetic fields, used when working with devices like Faraday cages, but wearing them is impractical and inconvenient, and for low-frequency chips they may be useless. There are reader applications, for example NFC Tools Pro, that allow the data on the chip to be edited, so it is technically possible to reprogram the chip at the end of the day. That is like issuing a new access card every day, but Porter claims that it brings new risks and costs for the business, including administration and training; that it leads companies to use smartphones as identification devices (probably without proper management); and, besides, that people far removed from the technology become able to create access cards for outsiders. However, most of these risks can be reduced by using more secure RFID protocols.



You can keep all the advantages of access cards (implanted and physical) and get rid of the disadvantages above by using a second factor, combining cryptographic proof with a biometric option such as a fingerprint or iris pattern. Graafstra's company is developing VivoKey, a more advanced but more expensive solution. This is a full-fledged cryptographic platform designed specifically for storing keys, encrypting, and even making payments and bitcoin transactions. The platform uses a public and private key infrastructure. The access controller encrypts a datagram for the chip; the chip decrypts it with the private key, then encrypts it and sends it back to the reader.
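Why cryptographic proof addresses the cloning problem discussed above can be seen by replaying a recorded response against two kinds of reader. This is an added example, not VivoKey's protocol or code from the original article: HMAC-SHA256 with a shared per-tag secret stands in for the public/private key exchange the text describes, and every class, function and value name is hypothetical.

```python
import hashlib
import hmac
import secrets


class StaticTag:
    """Legacy-style tag: answers every reader with the same serial number."""
    def __init__(self, uid):
        self.uid = uid

    def respond(self, challenge):
        return self.uid  # the challenge is ignored


class CryptoTag:
    """Tag with a secret key that never leaves the chip (HMAC stand-in)."""
    def __init__(self, key):
        self._key = key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Replayer:
    """A clone that can only repeat one response recorded earlier."""
    def __init__(self, recorded):
        self.recorded = recorded

    def respond(self, challenge):
        return self.recorded


def static_reader_accepts(allowed_uids, tag):
    return tag.respond(b"") in allowed_uids


def challenge_reader_accepts(key, tag):
    challenge = secrets.token_bytes(16)  # fresh for every attempt
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag.respond(challenge))


def demo():
    uid = bytes.fromhex("04a1b2c3")  # constructed serial number
    key = secrets.token_bytes(32)    # constructed per-tag secret
    static_tag, crypto_tag = StaticTag(uid), CryptoTag(key)
    # One interaction recorded by a third party from each tag.
    seen_static = static_tag.respond(b"")
    seen_crypto = crypto_tag.respond(secrets.token_bytes(16))
    return {
        "static_genuine": static_reader_accepts({uid}, static_tag),
        "static_replay": static_reader_accepts({uid}, Replayer(seen_static)),
        "crypto_genuine": challenge_reader_accepts(key, crypto_tag),
        "crypto_replay": challenge_reader_accepts(key, Replayer(seen_crypto)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The static reader accepts the replayed serial number, while the challenge-response reader rejects the replayed answer because it was computed for a different challenge.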







A couple of indirect risks



Exfiltration of secret information. Porter notes that RFID tags can store a certain amount of textual information. If the company has strict rules regarding the use of flash drives, then it can be difficult to bring them in and carry them out every day. But if you bring in a read/write device once, you can write some data to the implanted chip at work and quietly leave the office with it. If desired, you can place the chip under the skin close to an engagement ring to mask it even from very sensitive detectors. Of course, there are simpler options; for example, you can swallow a microSD card or hide one on the body. Moreover, it holds much more data than the chip.



Getting access. Compromising someone's access card is another way to use implanted chips in a highly secure environment. An attacker can wear a low-access card while carrying a cloned high-access card on a chip, pretending to be in the “high-level” zone on a regular physical card. That is, this attack has more to do with people than with technology.



What to do when the chip becomes obsolete?



Some companies may worry about situations where employees quit and walk away with implanted access chips. But things work differently here: instead of storing keys on RFID tags, as if you were handing ordinary metal keys to people, the RFID readers themselves are programmed to give access to specific chips. When a person leaves the company, the serial number of their tag is simply deleted from the database of allowed tags.



Even if you consider an implant a good idea and know that it is easy to remove or replace, not many people will want to go through this procedure as often as, say, they change cell phones. Fortunately, obsolescence of microchips is not a serious problem today. Graafstra put his first chip in his hand in 2005. It was an EM4102, which by that time had been in production for about 20 years. Even today you can buy a $10 reader that will work with this chip, as if you had connected a Bluetooth headset purchased in 1999 to a new smartphone. Technologies do not develop as fast as standards and applications. It is a mistake to think that a microchip implanted today will become obsolete in two years. This is not a cell phone. Chips are built according to standards, and they must remain backward compatible as long as the standards themselves are supported.



For xNT chips, the data retention period, that is, the length of time until the signal degrades so much that the data can no longer be read reliably, is 10 years. The number of write cycles is 100,000, so if you write to the chip every day, it will last you 274 years. And with each rewrite the retention period restarts, so theoretically data can be stored on the chip for about 1 million years.



Those who want to implant chips and antennas from existing transport and payment cards may face the problem of obsolescence, because payment data has an expiration date, and transport systems often change the chips they use. But this is not just a matter of reprogramming the data on the card.



Future



After talking with representatives of biohacking companies, users and researchers, we got unexpected results. Discussion of the popular criticisms of microchips often led to a dead end.



Descriptions of potential problems with next-generation devices that do not yet exist are often tied to rumors about people in Chinese factories being forced to have chips implanted if they want to keep their jobs. Or they recall stories about soldiers or babies who were also forcibly chipped (many of these stories have been completely debunked). Articles often mix up the use of implanted chips with the very real problems associated with medical devices or GPS tracking on mobile phones. And all this is interspersed with vague lamentations about the absence of legislative regulation.



Today, the potential for using implantable chips appears to be limited. So far, the most popular application is to replace physical keys, access cards and even passwords to simplify the login procedure and reduce the likelihood of leakage. At the same time, the drawbacks of the chips are still fiddly. Many of the most alarming concerns stem from misinformation or rumors, and the real potential flaws look no worse than piercing.



But is it worth it? Is it really so difficult or risky to carry keys or remember passwords? It is difficult to speak authoritatively about future threats, but in 2018 many of the problems attributed to implants turn out to be unfounded. Of course, this does not mean that the current uses justify modifying your body, but so far it is no riskier than a potentially unsuccessful tattoo.

Source: https://habr.com/ru/post/347220/


