Biohackers do exist and those with malicious intentions pose a real threat to businesses. Len Noe, technical evangelist, white hat hacker and biohacker at identity security specialist company CyberArk, is a transhuman biohacker who will deliver a keynote at the 2023 ITWeb Security Summit from 6 – 8 June in Johannesburg and on 15 June in Cape Town.
Noe explains that the term biohacker is used to describe someone who uses health and science to enhance the human body at any number of different levels, from genetics to CRISPR (Clustered Regularly Interspaced Short Palindromic Repeats) of genetic information.
But the term can also refer to people who use the same resources to become an attack tool or vector.
“I am what is known as a transhuman biohacker. I am an individual who has implanted multiple different microchips subdermally in my forearms, wrists and hands. The current microchips allow me to interact with multiple contactless technologies like RFID, NFC, contactless physical security, even Bio-Sensing magnets. These allow me to be the attack tool or vector; I can compromise devices reliant on the above-mentioned technologies through physical contact,” says Noe.
How would this work in practice?
Noe adds: “I can use a proxmark or similar tool to scrape the data from an employee's access badge and then write that data to one of my implants. I can then compromise restricted physical locations on-prem. If I am discovered, I can plead ignorance, I can state that I was just looking around and the door to the server room was open and I didn’t know it was restricted. I can be searched by authorities and no evidence of a crime would be found. In most cases, the worst punishment would be a trespass of the property. Due to the healthcare laws, in most cases there is not even the option to ask about any abnormalities under my skin without a court declaration.”
While it sounds like science fiction, Noe says the reality is that attackers have been using the same tactics, techniques and procedures for years, but were always limited by having to acquire different tools to complete the hack.
“By implanting the tools inside my body, I have achieved the ultimate obfuscation. I can be searched and no 'tools' would be found on my person. To make detection by law enforcement even more difficult, most countries now have laws protecting medical records and are not permitted to even question me on the existence of my chips,” Noe adds.
Noe currently has 10 different commercial bio-implants in both his arms, from the elbow to the fingers.
He explains the reason he had these microchips implanted was purely for the purpose of offensive security. “The only exception to this would be the Walletmor Payment chip that is a credit card that allows me to do tap-to-pay. I have experienced no health issues as a result of my implants and have plans to add a full SBC computer in my leg in the near future… I will discuss this during the presentation.”
A threat no matter what
Malicious biohackers are virtually unknown as attack vectors and this means they are a threat, irrespective of a company’s security posture.
“This is comparable to a walking zero-day attack and currently there is no way to detect modified human beings, based on existing technology and health laws. As far as African companies being in their early stage of adoption, I feel this is the perfect time to bring these types of attacks to light so they can be evaluated as part of the implementation of security controls and policies,” says Noe.
He adds that currently there is no method of detection for augmented human beings, which makes protection difficult. “Removing single points of authentication as well as not allowing people access to mobile devices does help.”
Noe’s core message to the market is to be aware that attacks like this do exist and it is very difficult to protect against an attack that, as a defender, you may not know is even possible.
“Additionally, there should be an effort towards behaviour modification in regards to mobile devices. As enterprises now allow more and more business on personal devices, these need to be better protected. If I were to ask you to see your wallet or purse, you would never allow that, but we have no issues with handing our mobile device over, which in most cases holds substantially more information, without a second thought.
"Remove single points of access as far as badges and access cards are concerned. We put MFA in front of sensitive data, we need to do the same for physical locations. Scan badge plus pin code for access as a minimum.”
** By current numbers, it can estimated that there are over 600 000 consumer grade implants that have been sold globally by the two largest retailers (DangerousThings.com and KSEC.com). This technology is still limited by the need for an external power source, but with advancements in Graphine battery technology, a fully embedded system would not be too far into the future