About the talk
Len Noe, Global SE / WhiteHat, CyberArk Software
Security professionals are trained to protect against digital threats, but how can they secure against people who are both the attacker and the attack vector? How can a cyberthreat be stopped from attacking a physical being? This session will provide an overview of bio-hacking and types of bio-implants, and demonstrate how compromising contactless technologies can threaten physical and digital security.
Len Noe is a Global Sales Engineer and White Hat Hacker for CyberArk Software. Len Noe is an international security speaker who has presented in over 20 countries and at multiple major security conferences worldwide. Prior to 2001 Noe was a Black/Grey Hat Hacker and learned most of his skills by practical application. Noe has spent 20 years in the areas of web development, system engineering / administration, architecture, coding, and the past six years focusing on information security from an attacker's perspective. He also actively participates in the activities of the Information Security communities in Texas, the Autism Society, and many others.
Welcome to my session. This is biohackers the invisible? I want to start today by asking you guys one simple question. What does a cyborg look like? You hear the word cyborg. What comes to mind? Maybe a Terminator or Star Wars or Star Trek? Everyone? Who knows. The definition will probably have some extent robotics. They walk among us, and you may be friends with one and just don't know it. In the true sense of the word, I'm not only an augmented human with microchips in my hand, but I'm also a white hat hacker.
I'm a hacker that has modified my body to take advantage of the available technology into the attack vector, even more than you. These are my hands. The following capabilities with my current implants in the combination: NTAG216 13.56 MHz NFC and T5577 125 kHz low-frequency RFID with a very large antenna for. I have a NExT chip, same NTAG216 13.56 MHz NFC and T5577 125 kHz low frequency. flexM1 Magic 1K, 13.56 MHz MIFARE. 51 km relationship before and you
id-0 sector. That's completely right. I have a VivoKey Spark 2 cryptobionic implant. This is a 13.56 MHz ISO 14443A and NFC Type 4 supporting AES 128-bit encryption. Finally. I'm also in negotiations were here. We're not going to the technology continues. I've broken today's talk into three separate sections: yesterday, today and tomorrow. I'm not going to spend a lot of time at the point where science, technology and humanity. The idea behind implant technology inside the human body has been around since the 1950s
with the advent of the transistor in the mid-1950s. The ability to construct a fully implantable device was achieved in May of 1958. The first implant technologies actually placed inside of a phantom. The first human to receive an electrical device implanted in the body was in Buffalo, New York, in 1960, and 1964 gave host of the first implant technology that can take data from the body itself for the seventies and eighties. 1990 is when things really started to pick up for the implant community.
Recreation, smart devices are commonplace. Biohackers, our history was forged by the medical profession to address deficiencies of the human body from a perspective. By that, I mean that the issues were already there. Additionally, there were no options for an individual to enhance themselves through technology. So, who are we today? Names: biohacker, grinder, transhuman. Regardless of what name you want to put on us, we all share the concept of moving beyond the human form of
salt. So where do you find implantable technology? The same place we find everything else. The internet manufacturers choose from. I personally work exclusively with dangerousthings.com. These are just some of the types of implants in technology. Door magnets lifting as well as biosensing. We have flexible NFC, flexible RFID, encapsulated NFC and RFID and, believe it or not, even encapsulated LED. There are multiple variants within these categories to address specific requirements per use case.
I'm going to go in through the procedure on how we install the ability to start our vehicles with implants. Imagine never losing your keys again, or how many people have fobs to access a gym, or shared garage or storage. All of these could be stored on an implant. What about being able to pay for goods and services with the same methods as Apple Pay or the Android wallet, but you never have to worry about forgetting your phone. Every one of these activities constitutes. Unfortunately,
not all of us are friendly. We've heard all through the years, the attacks and the endgame may not have changed, but the delivery method just came right off the movie screen and into our company's infrastructure and data centers. Security admins know the normal: USB drives, phishing, CDs, the list goes on and on. But how do you address the fact that any one of your employees could potentially have a full Linux system or RFID or NFC chips beneath their skin? What if someone implanted HID or proximity access chip
for physical access? There would be no evidence of any type of compromise. Chip implants utilize the same technologies enterprises are using: RFID door badges, NFC for IoT, HID or any cards for physical access to you. Number of regulations in August, that companies are required to do for compliance. How would you know if someone has bypassed your security with wireless charging? Outer Edge extreme. This is not a simple process in making sure that the SEC is completely sealed is called the number of individuals
trying to get one implanted. These devices have Wi-Fi and Bluetooth capabilities and can be accessed from a mobile device. They can be made into rogue access points as well as command-and-control servers. Possibilities for shield, Linux platform are only limited by one's imagination. Originally intended to transfer. The PegLeg was originally designed to leverage The Pirate. Fox River. As with anything in the technology space, people took that simple idea and it branched out to some more creative or devious areas, based on your perspective.
These devices are headless, but have a Wi-Fi access point configured to allow access to the implanted device. Once connected, the attacker has the access to a terminal for interactive process performed on our active scans and Suites promo energy, Bluetooth mouse shark attacks. Inject automated a jacket. The number of PegLeg implants is not widely known, as this was a community-based project. Take a moment to think about this. How is security professional. Can we bring you a secure location? People have the ability to conceal for computers within the body may require
elevated clearance to access files or physical location. Power and control from the security systems by office stating systems that could be leveraged for various purposes. Let's continue with our next attack. Back to the issue of physical access. Any company will have restricted locations on-prem, from the executive offices to supply rooms. The need to keep access restricted in some locations is just a part of daily business. Additionally, I would bet a large
number of people that feel that this type of badge and reader system for physical access is an acceptable risk, factor location to secure. This is our essay. I really hope nobody here believes that. How many people have an access badge on a lanyard or retractable belt with most of the time? How many of us are spatially aware to the point where, if we were talking to someone, would you notice my poem that you will like the Proxmark, Chameleon Mini? It was able to read your access badge
while we were gone. I know there's no way that somebody would be able to do that to me. So I really hope you're right. Peace. He's been bought an access badge isn't new. The technology has been commercially available for over a decade. What makes this attack different is there's no evidence of the breach. Unlike the old days where an attacker would need to have a copy of the Quran. She or a battery pack. Now, biohackers can write this information to a subdermal implant and proceed with no way for security professionals to know that they've asked
us their system or how they've been compromised. Let's talk about our first attack demonstration. Handshake is a clone and replant back to read the data on a card or fob. And then the store that they were tagged. In this case. I'm not rewriting the implanted in my left hand. So let's go ahead and do the bikes. There is some social engineering involved in this. So we see my badge. And this can be done this quickly. I hold my reader up, click the button and we can see on my screen, I've not been able to import all of the problems that key. Now, we're going to turn around
and we're going to actually export that data. We can see there's all the information contained within my access card. I'm here. I'm going to turn around and use that same information. And I'm going to rewrite that information back down to my hand. Just like that. Simple. Now, when I go ahead and scan my hand, we'll see that I have the exact same information that was on my original chip within my access. Now, we can go ahead and use a different program. And we're going to actually write the data from my ID card to my hand. So we're going to give it a friendly name of implant.
And I'm going to use a different tool on my cell phone. Part of the point behind this is to show this all can be done through a mobile device while we're sitting there talking to each other sometime. Once I actually have that initial read, I can use that data as many times as I want repetitively. So once again, I turn around and open up my classic tool on my mobile device. Import the tag that we had just done when's ID. Okapi. Now, I'm going to go ahead. And we're going to enforce the second key.
It's just a moment. While imported. Now, all we have to do is going to take a lunch and we're going Please show the differences. Original. It was actually on my ID. Do see that there is a different sector zero. At this point all I have to do is write my tag. Select my original card ID. What all the different keys? Use my phone? Program the chip in my hand, and now when I turn around and I come back and I do an additional scan, actually take a look at what type of data is actually on my hand. You'll see that now the chip has been rewritten,
so that the information in all of the sectors on my hand now matches all of the sectors that were originally on my ID. What you feel having to walk through these last steps? Here we go. Reading the chip after it's been rewritten. Go back to my device, we'll see that we have a new card that's been identified. You create the dump to go back and we do our diff. We'll see that it is exactly the same. So we think about this, any of the standard MIFARE-style cards could very easily wind up being cloned in this exact same
manner. What is exactly the same? Pretty scary, huh? NFC, or near-field communication, is amazing technology complicated to explain functionality. With iOS 11, iPhone 7, 8 and X can be used to read NFC tags; iPhone 6 and 6s can be used to make a payment. Apple at this time only allows NFC tags internal apps. There's no native support for cheering us on this one from now. I've not heard of any road map for iPhones. But as the functionality continues to be adopted for industry. I have to leave the security.
Like I just stated, standard NFC utilization can be almost anything from being a files or co-worker friend to using a key fob or app to transmit signals to allow some actions to take place. Sure, hard to tension power from the receiver. There's no internal power required. The implant I'll be using for this first attack will be the flexNExT NFC chip. Movie showing two different attack factors that explain NFC. So, let's take a look at the first attack, Leprosy. This attack may not always work, as there are two conditions that need to be met in order to
For starters, NFC must be enabled. Allow apps from unknown sources must be enabled, and you really need to pee. Like I said, it's just a matter of social engineering, a situation where I can get my hands physically on your device. I hear it all the time: I never let my phone out of my sight. This attack, as well as Fleshhook, are designed to be performed in plain sight and actually standing right next to my victim. I don't think it would be a large stretch to assume if we work together and maybe even if we
didn't make a scene about an issue with my wife, or my children or my granddaughter and I was pleading for someone to help me make a call. I know the Good Samaritan and someone would be there. We all have a built-in control to try and avoid conflict as well as not wanting to be viewed by our peers as uncaring. As an attacker, I know this and I will do everything in my power to take advantage of. Once the phone or tablet is in my hand, the receiver in the device will pick up the tag I have programmed in my hand that's pointing to a web location containing an infected APK that was created using
metal Amazon plan. On bringing one. It's part of the connections back to the command-and-control server. Forgot my device in my hands and chip is programmed to either install or save the file. I go through the motions of what appears to be making a phone call. What I'm actually doing is loading the APK and then quickly return the device back to you. This is for my persistence as well as a hidden icon. You, as the owner, would not be able to see anything out of the ordinary as well as not finding anything in the applications. What time
is your device? You do banking with this scenario? I'm already in your phone before I even left the room. Server, I can gain access to contacts, email, photos, downloads, essentially anything that's on the device. So let's go ahead and So what we see here on the screen, this is my setup on my attack box. In the top set up an ngrok session for the ability of obfuscation. Let me show you how quickly this attack really happened. So, all you have to do is start my Metasploit
listener, listening for the connection from that APK that I'm going to install on that target device. I go ahead and set it up for Corning, the configurations on the front porch. Here we are. Just a standard cell phone. Oh my gosh. I'm having an emergency. Please. Let me use your phone. I need to make a phone call. I get close enough. All I need to do is trigger that NFC tag in this. You can see on the screen, it's prompting me to download or cancel. This is the time where I can be making it look like I'm trying to remember my phone number for my
father, my injured wife, my daughter, all the while creating such a scene that you were paying attention to my physical activity. That's it. It's over, it's done. I can hand you your phone back. If you take a look at the screen, you'll see that now I actually have a shell to your device. Are you assistant while I'm on your Android? I can dump your call log. There you go. Go log dump. I know everyone that you just how I'm dumping your SMS messages. I can't even open a complete shell and start navigating the file structure of your device. I'm not going to go too much into the actual
physical attack of the device because what I'm trying to focus here on is the vector, the vector of me as the human element as So that's fast. Phone has now been pwned. I program the chip in my hand to a specific website that has been compromised with the BeEF suite. BeEF is the Browser Exploitation Framework. This in effect hooks browsers, any devices that connect to it, as well as potential. From the BeEF suite, the attacker can enumerate the local LAN. The devices connected to
as what was executed, as we just talked about. This really isn't a problem for any good hacker with any type of social engineering skill. What makes this attack more dangerous than Most mobile devices have some type of way and take a look at how this works. Again, we can start to my Parrot attack box. The BeEF suite. Just a moment to get started. And once it's finished, I will actually have a running web server that if I can have you as in your browser, connect to justify the means of making
that initial connection. I'm in. When I go ahead and open up the BeEF control panel, and you'll see the person has its own you. Again, I'm not trying to take credit for BeEF. I'm just leveraging BeEF for the attacks that are being spawned from my implants. So I have a computer. I have a phone. Oh my goodness, a man. Something on YouTube. In this case, I have an exact duplicate of the putty installation, but that's really Now we can see on the screen within the BeEF suite. I actually
have I'm here. I have the ability to start launching any number of precompiled modules, and its execution just to show that we've actually got a true hook into this browser. I'm going to go ahead and I'm just going to run a location check. And if anybody's wondering, currently, I'm located just outside of Lost. Go ahead, me run Arkham and we can actually look that right there. Texas City Pflugerville. And if any of you guys want to come looking for me, I'm really not
in Pflugerville. That's just the closest city to me, but it's not easy. Again, I'm not trying to say I created the BeEF suite. I just really appreciate the ability that they give me. Who allowed myself to attack people utilize me with chips that are actually already in my hands. Just replying to run around. We're going to launch a couple of few other things to do a ping sweep. And just like this we're actually able to see any devices that were actually connected to the same plant. This brings us to the future.
We become used to the mall. We talked about the future implants. It's a super trying to write a new science fiction. Companies like Tesla are working on technology space in between the brain directly to a computer system. This sounds like a man-in-the-middle scenario just waiting to happen. Products like the Wiliot Bluetooth receiver, that requires no batteries and gets its power from the air. We all know the Bluetooth is not vulnerable, right? Imagine. If not a task to jump from a person to a
person. What's the weather for Wi-Fi? Transmitters and receivers at work was your neighbor? These are just what we know about currently. The biggest restriction to advanced technology implants is still the power source. There is not currently an effective way to provide power to any devices on a commercial implant leg and then he will be back, Progress, power. What's the address for possibility of 24 by 7 access to an embedded system. The body is not a far stretch
surrounding planets acknowledge. Legal perspective. There's no federal laws regarding As you can see from the graphic, there are multiple states that have adopted different types of legislation. Essentially, two types of laws have been passed around microchip implants in the USA. One is just a ban on employers mandating employees microchip themselves, and number two is an all-out general ban on microchip implants. So let's talk about the liability from an employer's perspective. Does that even if it's something make that employees
using the gym or garage? Or anything that has nothing to do with the company is much more obvious by companies to replace access badges with implants for physical security. What is this? May help. I lost my badge, perspective. It doesn't enhance the security posture for a company. Remember, implant chips at this point are static. They require a power source to be able to function. Just like with the handshake attack, bad actors could use the same tools and scrape the target implant information. Same as if it was a real difference being that you can take your key card and lock it at home. When
you go out, implants are on all of the time. There's a receiver within range. They will be there. 24/7 access, the physical, they do contain. Shuffle of morality and ethics. Unfortunately, faith comes into play. I want to take a moment to say that I am being disrespectful to any religion. I'm simply speaking just to the questions I have personally heard. As an international speaker, I've had discussions with people all over the world about my implants. The discussions typically go in one or two directions.
Mostly, it starts with fear from whoever's talking to me. I've been told that I have the mark of the beast. I've been told that I'm being tracked by the man. I'm going to ask the exact same chip that people were put into their dogs or cats. All of these conversations and the fear of the unknown or the difference. I've had acquaintances tell me that they are physically afraid of me due to my implants. I don't know what they're afraid of. The truth is there are more people like me out there than you could ever imagine. The difference is that I don't have a problem with people knowing
who and what I am. Many others like me keep their implants secret over the concern of the social stigma associated with chipping with the individual mandate from any type of authority. Next, how far is too far? We briefly touched on the test Wonder Link in the Pac-12. Very different products with broad, sweeping ramifications to the individual and one for the lead, actor has hard drive in his brain, was used as a storage device, as a courier for stolen data, or the Matrix where to learn a new skill set. We have that knowledge within our mind. The genie is out of the bottle and there's no way
it's going back in regards to miss you. There's nothing, you do lateral across-the-board, it will in most location become a corporate decision on how to address chipped employees. Without better understanding of the technology being discussed, these choices may be made for the wrong reasons. To say anyone with an implanted technology and automatic threat would be to say that any car owner to be a vehicular homicide suspect. Now, let's talk about some cigarettes. In the
next week, you should be able to identify up there, maybe any contact with systems that are deployed with me. In the next three months, we should be able to have a full understanding of the scope of our vulnerabilities as well as starting to evaluating to buy me a new security protocol. In the next six months, we should be at the implementation stage of a second factor ability to access with only the available tag information. I would like to take a moment to talk just about some of the mitigation strategies on both RFID.
What can the switches for RFID switch? Require both the RFID tag as well as the code be entered into a keypad. Lock password is a 32-bit password which must be transmitted before a tag will transmit data. Skimmers will be unable to access the data since they can't provide the password. This is a simple and very popular way to protect passive UHF systems, which often has limited to basic access control. The reader must apply specific key before the tag will reveal any personal information
locking pencil skimming. This method is commonly applied to protect the sensor data. Stored passwords and passports from being read by outsiders. In this process cypret using the key which is known to both entities. If the tag is successful and then send the line of code reader or certain they can transmit their data. As no other reader will know what, that specific special he wants. And eavesdropping, because the key itself is never sent between the reader and the
tag. NFC: if you're not using NFC, turn it off. Stay on top of patch management; when manufacturers update their software, make sure that you stay current. Education: make sure to educate your employees about the NFC protocol in general and the inherent vulnerabilities that it implies. And finally, utilize blocking shields for any type of NFC tags when they're not. At this point I'd like to open the floor up to questions. And finally, I'd like to say thank you for your time. I hope to see you all out in the world again, and for anyone that's interested. There is going to be an
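The mitigations listed at the end of the talk (a 32-bit lock password, and authentication with a key known to both sides that is never sent over the air) can be compared in a small simulation. This is an added example, not code from the talk or the speaker: the class names and sample values are constructed, and HMAC-SHA256 stands in for whatever cipher a real tag uses.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

# Constructed sample values (not from the talk).
BADGE_UID = bytes.fromhex("04a1b2c3")
LOCK_PASSWORD = bytes.fromhex("5ec2e7aa")  # 32-bit lock password
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

class StaticTag:
    """Returns the same stored data to any reader that powers it."""
    def __init__(self, uid: bytes) -> None:
        self.uid = uid
    def read(self) -> bytes:
        return self.uid

class PasswordLockedTag:
    """Releases data only after the reader transmits the 32-bit password."""
    def __init__(self, uid: bytes, password: bytes) -> None:
        if len(password) != 4:
            raise ValueError("lock password must be 32 bits")
        self._uid, self._password = uid, password
    def read(self, password: bytes) -> Optional[bytes]:
        ok = hmac.compare_digest(password, self._password)
        return self._uid if ok else None

class ChallengeResponseTag:
    """Proves knowledge of a shared key; the key itself is never transmitted."""
    def __init__(self, uid: bytes, key: bytes) -> None:
        self.uid, self._key = uid, key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge + self.uid, hashlib.sha256).digest()

class Reader:
    """Door controller: per-tag keys and single-use random challenges."""
    def __init__(self, keys: Dict[bytes, bytes]) -> None:
        self._keys = keys
        self._pending: Set[bytes] = set()
    def accepts_static(self, uid: bytes) -> bool:
        return uid in self._keys  # the identifier alone is the credential
    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge
    def verify(self, uid: bytes, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending or uid not in self._keys:
            return False
        self._pending.discard(challenge)  # each challenge is valid once
        expected = hmac.new(self._keys[uid], challenge + uid, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def compare_schemes() -> Dict[str, bool]:
    reader = Reader({BADGE_UID: SHARED_KEY})
    # Static data: a second tag holding the same bytes is indistinguishable.
    copy_of_static = StaticTag(StaticTag(BADGE_UID).read())
    locked = PasswordLockedTag(BADGE_UID, LOCK_PASSWORD)
    tag = ChallengeResponseTag(BADGE_UID, SHARED_KEY)
    first = reader.new_challenge()
    recorded = tag.respond(first)  # what an eavesdropper could capture
    genuine_ok = reader.verify(tag.uid, first, recorded)
    fresh = reader.new_challenge()
    return {
        "static_copy_accepted": reader.accepts_static(copy_of_static.read()),
        "wrong_password_yields_data": locked.read(b"\x00\x00\x00\x00") is not None,
        "right_password_yields_data": locked.read(LOCK_PASSWORD) == BADGE_UID,
        "genuine_response_accepted": genuine_ok,
        "recorded_response_on_fresh_challenge": reader.verify(tag.uid, fresh, recorded),
        "recorded_response_on_used_challenge": reader.verify(tag.uid, first, recorded),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

Only the static scheme accepts copied data; the recorded challenge-response answer is rejected on both a fresh and an already used challenge.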