
Biohacking: The Invisible Threat

BSides Calgary · 52:42 · 117 views · Published 2021-12

[Music]

All right, let's go ahead and let's get kick this off. I've got a limited amount of time. So for those of you who are in the session, this is Biohackers: The Invisible Threat. If this was not the session you were intending, you're still in a better place; this is going to be an awesome presentation. So let's go ahead and let's kick this off. So starting out, let's do a little bit of an introduction. My name is Len Noe. I'm part of the Global Solutions Enablement team and I am actually one of CyberArk's white hat hackers. I'm a global security speaker and I've been with CyberArk for going on eight years. Uh, I've been in IT professionally for

over 25 years in roles ranging from programmer to systems architect. I've been breaking into computers since the Commodore 64 days, and I spent a really large amount of time in my youth as a black hat or a grey hat hacker. I am professionally trained as well, I come, as the fact that I come by a lot of my knowledge by practical application. I'm really active on social media, and I invite everyone here to reach out over LinkedIn, check out my GitHub and my YouTube channels for additional security-related content. So let's start this off by asking a simple question: what does a cyborg look like? When you hear the word cyborg, what comes to mind? Maybe a Terminator, Star Wars,

Star Trek? Anyone who's ever heard the definition probably has a vision in their head, and I'd even be willing to bet that it's pretty shiny, in some extent robotic looking. I hate to be the one to pop your bubble, but that's not the case. Cyborgs are not only on the movie screens anymore. They walk among us, and you may be friends with one and don't even know it. These are my hands. I am a biohacker in the truest sense of the word. I'm not only an augmented human with microchips in my hands, but I'm also a white hat hacker. I'm a hacker that has modified my body to take advantage of available technology to turn myself into

the attack vector. I'm going to explain what my current chips are, as well as giving you a road map on what I'm looking to do in my journey to continue to become more than human. So as I said, these, this, these x-rays are my hands, and I have the following capabilities with my current implants. I have what's called a flexNExT. This is a very long range RFID NFC chip. I have the earlier version of that, which was just called the NExT. It's the same as the flexNExT, but the range on this is much, much shorter. This was actually the very first implant that I ever got. I have a flexM1 Magic 1k.

This chip allows me to emulate any number of older access cards, from public transit to membership tokens to physical access. I have a VivoKey Spark 2. This is a cryptobionic chip that can perform strong cryptographic functions. Currently I have it set up as the, uh, key to open my Bitcoin wallet. Since the time these x-rays were taken, I've actually got two additional implants. I have a flexEM. This allows me to emulate most of the popular physical access cards, including the ProxCard one and two and three, HID, Indala, Pyramid and a ton more. And I also have a Titan biomagnet. This is a magnet that allows me to actually feel electromagnetic currents and magnetic fields.

So augmented humans are not science fiction. We're here, we're not going anywhere, and as the technology continues to evolve, so will we. I've broken this talk into three parts: yesterday, today and tomorrow. I'm not going to go into and spend a lot of time on the history of who we were, just enough to show that the biohacker or transhuman is just the point where science, technology and humanity meet. The idea behind implanting technology inside the body has been around since the 1950s. The patent for the first cardiac pacemaker was submitted in 1952, and was the size of a table radio. This was not a fully implantable solution and required leads to be connected to an external

power source. With the advent of the transistor in the mid 1950s, the ability to construct a fully implantable device was achieved. In May of 1958, the first implantable technology was actually placed inside of a test animal. The first human to receive an electrical device implanted in the body was in Buffalo, New York, in 1960. The tech up to this point was pretty static and didn't allow for much in the way of conditional executions or modifications from the original programming. 1964 actually gave us the first implantable technology that can take data from the body itself. Through the 70s and 80s there were advancements, but nothing that would really set the world on its ear. You know, 1990 is when things really

started to pick up for the implant community, from the creation of smart devices all the way through today, where the discussions of AI are pretty commonplace. For biohackers, our history was forged by the medical profession to address deficiencies of the human body from a reactive perspective. By that I mean the issues were already there. Additionally, there were no options for an individual to enhance themselves through technology. So the question now is, who are we today? People like myself are referred to by multiple names: biohacker, grinder, transhuman. Regardless of what name you want to put on us, we all share the same concept of moving beyond the human form that we were born into. The term transhuman was

actually first coined by Julian Huxley in 1957. The movement he created was fueled by multiple people looking to extend the capabilities of the human being itself. So where do you find implantable technology? The same place we find everything else: the internet. Now, before I go any further, I do want to say I do not have any type of additional relationship with this company. I just happen to pick this company as the one that I deal with. They're called dangerousthings.com, and the only reason I even say that is because I get a lot of questions in the Q&A as to where did I get my implants. Do your research. If this is something that you're interested in, there are

multiple, you know, different commercial grade implant distributors. Do the research. This is just who I chose. You know, there are a ton of different kinds of implantable technologies available out there. We have magnets, both lifting and biosensing. We have flexible membrane NFC. We have flexible membrane RFID. We have encapsulated NFC and RFID. And for all of our, you know, really club style people, the ones that want to go out and have a great time on Friday and Saturday nights, we actually even have implantable LEDs. And there are multiple variants within these categories to address specific use case requirements. I'm not going to show the procedure on how to install these implants. Let's just say there are needles, scalpels,

dermal elevators, depending on what type of implant we're going to get. I will throw a quick shout out here: if this is something that you are interested in seeing, I'm doing another presentation next week for one of the, uh, DEF CON chapters in Newcastle, UK, and I, you can search for me on Eventbrite and you will have no problems finding this. It's for DC44191. So these devices were designed to make people's lives easier. We have the ability to start our vehicles with implants. Imagine never losing your keys again. Or how many people have fobs to access a gym or a shared garage or a storage unit? All of these could be stored on an implant.

You know, what about being able to pay for goods and services with the same methods as Apple Pay or the Android wallet, but you never have to worry about forgetting your phone? Every one of these activities would constitute a legitimate use case. Unfortunately, not all of us are friendly. As security professionals, we need to start looking beyond what we're comfortable with, beyond the normal attacks that we've heard about for years. The attacks in the end game may not have changed, but the delivery methods have come right off the movie screens and into our companies' infrastructures and data centers. Security administrators know the normal attack vectors: USB drives, phishing, CVEs, the list goes on and on. But how do you

address the fact that any one of your employees could potentially have a full Linux system to RFID or NFC chips beneath their skin? What if somebody implanted a human interface, excuse me, an HID or a proximity access chip? There would be no evidence of any type of compromise to the naked eye. The chips that I'm talking about implement the same technologies that enterprises are using: RFID door badges, NFC for IoT, MIFARE, HID or Indala or pro for proximity cards, and that's just a few. You know, with the number of regulations and audits that companies are required to do for compliance, how would you know if somebody has bypassed your entire security policy and

brought a rogue asset into your environment? You know, the very simple answer is you wouldn't. The PegLeg is a single board computer that is modified to a minimalist form factor with a wireless charging receiver and then encased in biopolymer. Uh, no, I'm not a RoboCop. I'm the farthest thing from a cop you'll ever find. You know, most cops don't look like me and didn't spend most of their time in their youth, uh, as a black hat. Um, so continuing on with this, I'm sorry, that just caught my eye. Um, the PegLeg, like I was saying, it, it's got a wireless charging receiver, encased in biopolymer and then implanted within the body. This is on the outer edges of extreme,

even for most grinders or transhumans. This is not a simple process, and making sure that your SBC is completely sealed has caused a ton of individuals that have attempted this implant to require emergency removal surgery. This still doesn't stop many more, including myself, from trying to get one implanted. These devices have Wi-Fi as well as Bluetooth capabilities and can be accessed over SSH from a mobile device. This will allow a bad actor to have access to binaries or even something as widely known as Responder. They can be made into rogue access points as well as command and control servers. You know, the possibilities for a concealed Linux distribution are only limited by one's imagination.

Originally intended to act as a logless file transfer drop, the PegLeg was originally designed to leverage the PirateBox software. However, as with anything in the technology space, people took that simple idea and it branched out into more creative or devious areas, based on your perspective. Full Linux distributions have been implanted. These devices, like I said, are headless, but they do have that Wi-Fi access point configured to allow access to the implanted device. Once connected, the attacker has access to a terminal for interactive processes, or can be set to perform non-interactive scans and suites. For low-energy Bluetooth, it could be utilized for an attack like BlueBorne. Oh yeah, I know. Uh, or working in conjunction with a USB

share application like VirtualHere. Uh, no, slides aren't stuck, we haven't moved on yet. Uh, an attacker could, uh, execute mousejacking attacks, inject automated payloads with tools like JackIt, all while standing and having a casual conversation at somebody's desk. The total number of PegLegs out there is not widely known. This was very much a computer, a community-based project. However, the fact that there's at least one individual that has this should be more than enough for any security administrator to take notice. You know, so let's just take a minute to think about this. How, as a security admin, can we regulate secure locations that people have the ability to conceal full computers within the body? This becomes

an even greater challenge for companies and governmental agencies who may require elevated clearance to access physical files, I'm sorry, physical locations or specific files. This essentially removes the power and the control from the security authority by obfuscating systems that can be leveraged for nefarious purposes. So let's continue. These are some of the attack vectors that I actually released back at RSA back in February. Um, we'll get into the, uh, uh, Q&A a little bit later, and we can talk about airports, TSA and all that when I get done. I promise I'll give you guys time. Um, we're going to start our showing actual attacks with my implants. So the first one is around the issue of

physical. Any company out there is going to have restricted locations on-prem, whether that's executive offices to supply rooms to server rooms. The need to keep access restricted in some locations is just a part of doing business. I'd be willing to bet a large number of people in attendance here have a badge that looks kind of like one of these. Hopefully you don't look exactly like every piece of hacker clip art ever made, but yeah, that's my actual work ID. You know, I bet that, uh, a lot of you guys out there have those, and I would also be willing to bet that a lot of people feel that that type of badge and reader system is an

acceptable risk from an audit perspective, and as such should appease your C-level execs to the fact that your physical locations are secure. I really hope nobody here believes that. You know, how many of us are spatially aware to the point where, if we were talking face to face, okay, let's, let's add a little caveat to that and say pre-COVID, and if we were to, you were talking to somebody, say somebody like me, would you notice if I palmed the tool, like the Proxmark Chameleon Mini, and I was able to re-scan your access badge while we were talking? I hear it all the time, that there is no way that somebody would be able to do

that to me. Well, I hope you're right, because there are countless case studies out there that involve cloned access badges. The act of cloning a badge isn't new. The chairman, this technology has been commercially available for over a decade. What makes this attack vector different is that there's no IOCs to the breach. Unlike the old days, where an attacker would need to have a copy of the clone key or a battery pack for the Proxmark to replay the scraped data, now attackers can write this information to a subdermal implant and proceed with no way for any security professional to know how their access system has been compromised. So let's talk about our first attack

demonstration. I named this attack Handshake. Handshake is a clone and replay attack that utilizes a tool like a Proxmark, or any other tool that can actually read RFID data, and then take that data and copy it back down to one of my implants. In this case we're going to be using the implant in my left hand, which is the MIFARE Classic 1k. So let's go ahead and let's kick off the video. So this is a bit of a, little bit of a long video, so we're going to talk this through. We're going to start off by actually just triggering our Proxmark Chameleon Mini. Like I said, yes, this is my, my badge, and before anybody out there

who wants to try and use the information I'm going to show you, I've had it reprogrammed since then. But what you can see here is we've actually been able to read the UID of my actual badge. From there we can go ahead and create a dump file. We're going to rename that after we take a quick look at it, and we're going to give it a friendly name of Len's ID. And we notice that for the most part all the sectors, except for sector 0 line 1, are all the same. So now let's get a base read off of my implant. So we're going to go ahead and hold the Proxmark up to my implant, and then

we're going to switch the screen back over to our app, and we'll see that we've now acquired a new UID. Again, let's go ahead and we'll take a look at the dump, and we will give it a nice friendly name of Len's implant. So there's our, our dump, and let's go ahead and rename this to a nice little friendly name of implant. So now what we're going to do, just to show you, as an attacker, once I have that scraped, I can do anything I want with it. So what we're going to do is we're going to actually upload these into Google Drive. If I'm part of some type of hacking collective, I can actually work with the rest of my

team, or even if I'm just a lone individual, this gives me a backup that I can come back to at a later time. From there we're going to go ahead and I'm going to open up the MIFARE Classic Tool. I'm actually going to pull both of those dumps into this tool, and then we're going to go ahead and do a diff on them. So this takes just a moment to do: navigating up into Google Drive, pulling down those dumps, importing them into the MIFARE Classic Tool. Imported the first one. Okay, now we're going to import the second, and then we're going to go ahead and we're going to do our diff, so we can actually see the differences

between the implant and the actual ID. So we're going to start off with, uh, implant, and then we're going to go with Len's ID. You'll notice that the only thing that's different is sector zero line A. So now all we have to do is go back into the MIFARE Classic Tool, turn around, select Len's ID, and then turn around and write this back down to the implant on my hand. It takes just a few moments. Now keep in mind, if this was a real attack, this can be done in a bathroom that somebody could walk outside. This does not need to be a situation where the attacker needs to leave the proximity of the location where the card

or can be used or where it was actually stolen from. So let's go ahead and we're gonna, there's our new tag. Let's go ahead and start mapping the ID directly down to the implant. Now we'll go ahead, we're gonna go back into our, uh, Proxmark application, and we're going to scan my hand now that we've written the data back down. Again, we're going to get a, another UID that it's found, and we're going to create that dump file, and we're going to call this one implant 2. We'll notice that the UIDs are the same. It's the same implant. So now if we go ahead and take a look, we'll see that my implant, the data contained in sector zero line

one is exactly the same that was on my original badge. At this point, anything that I do in terms of accessing your physical locations, your security team would have a very difficult time trying to understand how I got in there, even if I was searched. Moving on to our next attack vector, this one's going to be around NFC, or near field communication. This is an amazing technology that many of us have in our pockets right now. Every Android device out there that, that's been created within the last two to three years, I mean, there were some cheap ones, but pretty much all of them have full access to transmit or receive NFC data natively. Apple is a bit more complicated to

explain functionality. With iOS 11, iPhones 7, 8 and X can actually be used to read NFC tags. iPhone 6 and 6s can be used to make NFC payments with Apple Pay, but has no ability to read standalone NFC tags. Native Apple at this time only allows NFC tags to be read via apps. There's no native support for native reads. So I can almost hear all the iPhone people out there cheering. You get a pass on this one for now, but I was reading an article as recently as last week where a lot of the, the proprietary access to the Apple NFC chip is currently being challenged in Europe. We'll have to wait and see how this

plays out, but the iPhones may wind up being as vulnerable as Androids very soon. So like I just stan... you know, so moving onward, standard NFC utilization can be almost anything, from beaming a file to a co-worker or friend, using a key fob or app to transmit a signal to a receiver to allow some type of action to take place. Here's where it gets interesting: NFC gets its power from the receiver. There's no internal power required to be able to keep a loaded tag in waiting. The implant that I'm going to use for this first attack is going to be that large flexNExT NFC chip with the, the great range on it. I'm going to be showing you guys two

different attack vectors that exploit NFC. The first one I named Leprosy, the second one I call Flesh Hook. Same protocol, two completely different attacks, two completely different payloads. The first attack, Leprosy: this attack may not always work, as there are a few conditions that need to be met in order to be able to execute properly. First, NFC must be enabled, and number two, allow apps from unknown sources must be enabled under the developers tools. At this point it's just a matter of social engineering a situation where I can get my hands physically on your device. I know, I hear this every time I've given this presentation: "I never let my phone out of my sight." That's fine. I don't need

it on your sight. This attack, as well as Flesh Hook, are designed to be performed in plain sight and actually standing right next to my victim. I don't think it'd be a large stretch of the imagination to assume that if we were all actually physically together, and I was to make a huge scene about an issue with my wife or maybe my daughter or my granddaughter, and I was pleading for somebody to help me make a phone call, I know the good Samaritan out there, and someone would be there to be my victim. We all have a built-in innate sense of decency, and nobody wants to appear uncaring, and me as an attacker and a

social engineer, I will do everything in my power to take advantage of it. Once the phone or tablet is in my hands, the receiver in the device will pick up the tag I have programmed in my hand, that is currently pointing at a web location containing an infected APK that was created with msfvenom. Anybody not familiar with msfvenom, it's part of the Metasploit attack framework and used to create reverse connections back to the command control server. So I've got the device in my hands. The chip is prompted me to either install or save the file. I go through the motions of what appears to be making a phone call. What I'm actually doing is loading the APK and

then quickly returning the device back to you. This attack is going to provide me persistence as well as creating a hidden icon, so you, the owner, would not be able to see anything out of the ordinary in your applications list. What if this was a work phone? What if this was your device you do your banking with? In this scenario, I'm already in your phone before I've even left the room, and from the Metasploit server I can gain access to your contacts, emails, photos, downloads, essentially anything that is on that device. So let's take a look at what this looks like in a real attack. So let's set the stage a little bit. The top

terminal is my ngrok session, and the bottom is where we're actually going to be launching our Metasploit console. So we start off by launching, uh, Metasploit, and then we're going to go ahead and load our listener's resource file. In this case it's going to be Leprosy ngrok, and we'll start our listener. At this point, watch how fast this actually happens. "Oh my God, thank you for letting me use your phone. Oh my goodness, what is my wife's phone number? Um, shoot, uh, seven three four... I mean, come on, who actually remembers, what are, who remembers phone numbers anymore? They're contained, they're all in my phone. So, oh geez, seven three four four six... oh geez, the phone just actually

hung, ran out of power a second ago. I can't tell you how much I really appreciate the fact that you're helping me out like this. Seven three four... oh my God, I can't remember. Here, take your phone, I'm just gonna go charge mine." That's all it took. You can see from my Meta-, my Metasploit, uh, framework, I've already got my reverse connection going. From here, I'm not gonna do too much as far as the, the post exploit. Just to show that we actually do have the connection, I've dumped the call logs, SMS, and I'm just going to quickly jump into a shell to navigate in the actual storage of the device and show you that

we're actually in the device. So that quickly, I can be in that device before I've even left standing there. So for our final demonstration, we're actually going to be using, introducing my attack Flesh Hook. In this use case, I have programmed the chip in my hand to point to a very specific website that's been compromised with the BeEF suite. BeEF is the browser extension exploit framework. This infects, or hooks, the browsers of any device that connects, and allows remote code execution as well as persistence. Through the BeEF suite, the attacker can enumerate all the local LAN that the device is connected to, as well as execute advanced phishing attacks executed on the device itself. Again, this requires just a little bit of

social engineering, but just like we just showed, this is really not a problem, and that is honestly all that's required. So again, we're going to do this real quick. Let's go ahead and show you guys what Flesh Hook looks like. So the first thing we're going to do is actually go ahead and start the BeEF suite, and the truth is this attack actually takes less time than it does to actually open up BeEF. So we've got our, our BeEF running. Now let's go ahead and log into the web UI. From here we're going to go ahead and log in as the BeEF user, and you'll see on the left hand side of the screen, if you're not familiar with

BeEF, right now I have no online browsers. So once again: "Oh my goodness, hey man, can I borrow your phone for just a second?" In this case, what I've done is created a complete duplicate of the PuTTY website, but this isn't PuTTY. Just like before, if we watch our BeEF suite console, we'll see that now I actually have an Android device that's actually been connected. Once again, not really going to be doing a lot in terms of post exploitation, because the whole point behind this discussion is the attack vector. So, but I will jump in here just a little bit, just to kind of show you that I am connected. Uh, to curtis blaz, I hope I'm not

mispronouncing your name, correct, never give anybody your phone again. So what I'm going to do is I'm just going to run a quick little geolocation script, and we're going to go ahead and take a look here, and you'll see here it says that I am in Texas, closest city Pflugerville. That is where my, my switching station was. I do live just outside of Austin, Texas. So this brings us to the future: who will we become as technology continues to evolve? When we talk about the future of implants, it's almost as if we're trying to write a brand new science fiction movie. Companies like Tesla are working on technology like the Neuralink. This is a brain implant that will allow

interfacing between the brain directly to a computer system. This honestly sounds like a man in the middle scenario just waiting to happen. Products like the Wiliot: this is a Bluetooth receiver that requires no batteries and gets its power from the air. And we all know that Bluetooth is not vulnerable, right? Ever heard of BlueBorne? Imagine if that attack could jump from person to person. Or what about implantable Wi-Fi transmitters and receivers? There's a product right now in development called the neurogram. Nobody's ever been able to compromise a Wi-Fi network, right? Well, the neural brain really is hoping to turn massive amounts of human beings into one of the world's largest Wi-Fi mesh networks. So these are just what we know about

currently. The biggest restriction to advanced implantable technology is still the power source. There's not currently an effective way to provide clean power to any devices on a commercial implant. It's the same issue with the PegLeg, and why we have that need for that indirect fast charging. It's not always the computer technology that needs to catch up. In this case, the only thing holding back progress is power. Once that's been addressed, the possibility of a 24x7 access to an embedded system in the body is not a far stretch. I want to take a moment here to talk about the legality, morality and ethical issues around implanted technologies. From a legal perspective, there's no federal laws regarding

microchip implants. At the state level, as you can see from the graphic here on the screen, there are multiple states that have adopted different types of legislation. There are essentially two types of laws that have been passed around microchip implants within the U.S.: one mainly focuses around employers, and one that is basically more general. The first one is a ban on employers mandating employee microchip implants, and yes, this was actually attempted. There were some companies out there that tried to force their employees into getting microchipped to address issues around time clocks and attendance. And then there's also just a general ban on any type of selective or elective style microchip implants, period, within certain states.

So let's talk about the liability from an employer's perspective. If an employee gets chipped, does that in and of itself make that employee a security risk? What if they're just using the chip to access a gym or a garage that has nothing to do with the company, but the chip could be used in an offensive manner? Would that be something that a CISO would want to know? We allow employees to bring personal phones to work, excluding restricted areas, but detection is a hell of a lot more obvious. Much of the current legislation stems from a push to replace access badges with implants for physical security, but as this may help from, uh, I lost my

badge perspective, it doesn't enhance the security posture for a company. Remember, implanted chips at this point are static. They require a reader or a power source to be able to function. Now, just like with the Handshake attack, bad actors could use the same tools and scrape the target's implants and information the same as if it was a physical key card. The main difference being that you can take your key card and lock it at home when you go out. Implants, that are on all the time. If there's a receiver within range, they will read that chip. There's currently no off switch, and as such attackers now have 24x7 access to physical access data. When the concept of morality and ethics

come up, unfortunately the topic of faith typically comes into play as well. I want to take a moment and say that I'm in no way trying to be disrespectful to any religion, faith or ideology. I'm just speaking to questions that I have personally. Uh, as an international speaker, I've had discussions with people all over the world about my implants. Discussions typically go in one of two directions. Mostly it starts with fear from whoever is talking to me. I've been told that I have the mark of the beast. I've been told that I'm being tracked by the man. I've actually had somebody ask me if this is what happened after I got my COVID vaccine. All of these conversations are driven by

the fear of the unknown or difference. I've had acquaintances tell me that they are physically afraid of me due to my implants. Don't know what they're afraid of. It's almost like they think I'm gonna turn into a Terminator and go on a rampage. The truth is that there are more people like me out there than you could ever imagine. The difference is that I don't have a problem with people knowing who and what I am, while many other people like me keep their implants secret over the concern of the social stigma that's been associated with microchip. The decision to augment ourselves should have no weight, in my opinion, in regards to the issues of faith or morality,

provided that the decision is still left with the individual and in no way a mandate from any type of authority. I did say earlier that not all of us are friendly, but most of us are. Finally, I'd like to ask: how far is too far? You know, we've briefly touched on the Tesla, Tesla's Neuralink and the PegLeg, two very different products with broad sweeping ramifications to the individual as well as the employer and law enforcement. I'm gonna carbon date myself here, but I remember a movie from back in 1995 called Johnny Mnemonic, where the lead actor had a hard drive in his brain and is used as a storage device by a courier for stolen data.

Or The Matrix, where if we want to learn a new skill, we just upload the instruction set and we've got that knowledge in our minds. The genie is out of the bottle, and there's no way it's going to go back in. As technology continues to advance and improve the quality of life that we have, we need to remember that any tool, regardless of what its original intent was meant to be, can be misused, and as security professionals we need to be aware of this and adapt our countermeasures to include these new attack vectors. The fact that there's nothing unilateral across the board with it means that in, in most locations, it's going to come down to some type of a corporate

decision on how to address chipped employees without a better understanding of the technologies being discussed these choices may be made for the wrong reasons to say anybody with an implanted technology is an automatic threat in my opinion is the same as saying that anybody with a car could potentially be a vehicular manslaughter suspect so let's talk about a few takeaways you know if you're really want to get these contactless technologies and protect yourself against these attack vectors within the next week or two identify if you may have any contactless systems that are deployed within your environments within the next three months you should be able to have a full understanding of the scope of your

vulnerabilities as well as starting to evaluate and define the addition of new security protocols to add as a second factor to those contactless configurations within the next six months you should be at the implementation stage of that second factor this will remove an attacker's ability to compromise access with only the tag information that could be scraped you know so i'd like to take a few seconds here just to talk about some of the mitigation strategies around both rfid and nfc for rfid look into switches switches require both the tag as well as a code to be entered into a keypad essentially multi-factor your rfid transit transactions locking passwords a lock password is a 32-bit password which gets transmitted

before a tag will transmit its data this will take care of any type of skimmers and it's a simple and popular way to protect passive uhf systems which often have limited computational abilities look into basic access controls the reader must apply a specific key before the tag will reveal any personal information that'll block potential skimming this method is commonly applied to protect the sensitive data stored in passports from being read by outsiders and finally mutual authentication in this process the sensor will send a line of code to the tag which will decipher it using the key which is known to both entities if the tag is successful it can then sign a line of code back to be deciphered by the reader

once both the tag and the reader are certain that neither is an imposter then they can transmit their data this method prevents anyone from stealing the data through skimming because no other reader would know what that key is and eavesdropping because the key itself is never actually sent between the reader and the tag nfc the most important advice around nfc that i can give you if you're not using it turn it off stay on top of your patch management manufacturers update firmware all the time be vigilant in staying current educate your employees about the fact that nfc is a not a secure protocol at its core and finally utilize blocking shields for tags when they're not in use

you know to that point i have chips all inside my hands the only way that i can protect myself is i actually wound up going out and actually having faraday cloth gloves made so that i can even turn my own hands off so with that i've got about 10 7 to 10 minutes for some q a so how can i help you guys any questions uh anything you guys want to talk do you think human or animals can be used as bio attack threats for terrorism or human robot yes actually i do you know keep in mind like i said the chips themselves are in a static to put excuse me

all of the implant chips that are available on the market now are in a passive state information is written to the chips and then in order to actually get anything back from those chips you'll have to be within range of a reader in order to be able to do it um i can see where you could definitely do this within the within humans um depending on what type of reader system that you're looking at i can see where the idea of using animals as a courier for the chips yeah i definitely could see it the only issue you would need to know is how close that chip could get to an actual reader to be able to scan

um let's see uh where do we get further info do you have links to any of your reference materials um no actually there there's no cert for this and if you want to know the truth i'm probably i know of about five or six different red teamers that have similar capabilities as me but i believe i'm one of the first people to actually come out in a security mindset and actually brought this out um uh pioneer that's one way to call it my wife calls me an idiot but you know i i just for me it was just a natural evolution you know i i'm tattooed from my head to my my feet i am into body modifications

brandings piercings suspensions so when i found out that you could actually start shoving microchips in your body i was definitely all for it um if you're interested uh there's you can definitely search for transhuman uh one in my opinion one of the best places for information get involved in the forums over at dangerous things uh you don't need an implant to join um but the grinder community there is just probably in my opinion one of the one of the best you know there's discussions around implants rejections um protecting your your implants from being written by somebody that you don't want and lo and closing them out uh general questions the only thing that i would say if

you're going to join the forums go in with an open mind uh i will say that if you decide to go in and be a troll it will not end well for you you know we're used to being picked on and we will the you know we'll they'll give it back what happens when you need an mri uh yeah that the mri is a major concern i do have it within my medical files here within you know the united states where i am to have no mris i'm actually going to be going and getting some tattoos right up here above my wrists and i'm also that say no mri and i'm actually even considering getting a

medical or brace necklace that states no mri uh other limitations going through customs and airplanes and airports and airplane security is uh it's i wouldn't call it so much a limitation but i will say that it's definitely heavy question time and it's very difficult to convince some people that i'm i'm not some kind of terrorist but usually going google me and you know the fact that i spoke at rsa it's tense it it's very very tense for a little while um on a daily basis uh honestly right if i'm not actually using my my my chips for an engagement or a presentation i leave them in an unloaded state um i live on a 15 acre ranch out in the

middle of nowhere so from my day to day it's not that big of a deal but um yeah i can let me show it uh these are actually my my protection gloves and you can see right here um i've actually have this faraday cloth actually sewn inside all the gloves if i'm going out in public and especially if i'm going to some type of uh conference such as uh def con sector grrcon you'll find me wearing gloves all the time uh i have about two minutes to go is there any other questions uh okay if that oh what uh what about a heart pacemaker well the truth is the when it comes to killware i am

completely against killware completely against it uh older pacemaker technology was straight up rfid it's not as prevalent now they've moved over to bluetooth utilizing java cards and other safety precautions in in new next generation cardiac pacemakers stem transmitters um insulin pumps i do think that the the medical industry is going to have to really start stepping up their game more um for example i i know somebody very well who is type 1 diabetic insulin pump uh we did a quick black box pen test against it and it was able to it had a default bluetooth setting so you know the idea of killware i find absolutely disgusting you know but at the end of the day i am

of a much different school i'm i'm i'm an old school you know detroiter i don't believe that it's anybody's job to protect me but me to that point if you have an implant be very very cautious if you have an old implant look into getting something that's you know a next generation that's going to not be vulnerable to those attacks it i'll close in regards to killware you cannot hack what isn't there i understand that you know we're dealing with people's health and surgery is a major concern but if you wouldn't allow it within your data center because you feel that your data is that worth that that much to protect i would like to think that we feel that

our lives would be worth that much to protect um yeah i believe dick cheney did have a pacemaker and there are once again that was one of the older models um do you think the stigma will decrease or increase as more population is getting taxed sadly uh i think that's actually one of the best questions so far today um there is a new implant that was recently released in europe it's called the walletmor and it allows you to link your debit card to a subdermal implant and pay with a tap to pay the same way you would do with uh the android wallet or apple pay i think this is going to be i think the the fact that we're going to

start seeing more people using this for the ability for uh commercial transactions i think that's going to start to normalize it a little bit more um i i think the more people see it and to be honest that's one of the reasons that i feel that this is a really great topic because it's going to get people talking you know just because i have implants doesn't mean that i'm going to always be doing something bad and you know i don't think somebody who uses an implant just to get into their garage should have people looking at them like they're anything less than another human being um big brother can control you no this that is not true in the least

the remember these implants are tied to specific frequencies and specific protocols additionally i have the ability to write the chip and then close the chip which means that they're it's no longer able to be read or written and as such there's no government agency or big brother that uh yeah yeah i agree full faraday suits are going to be a thing soon but no now i'm not going to say if you're uncareful with an unclosed tag that somebody couldn't sneak up write something to it and close it that is definitely possible and that is the reasons why i have my faraday gloves but the idea that a government or some authoritarian regime could come in and control you

these things are essentially nothing more than passing a single you know a line of code so until we have like a neural link and the chip activates something that forces your brain to do something you're still in control at all times uh it would be more of the tech savvy what kind of exploiting will happen when your average joe with no technology gets implants um that is the whole point behind why i'm doing these presentations this is here this isn't something that's coming five years down the road this is out now you know and if we don't know what we're looking for how do you how do you stop an attack that you don't know exists

you know not all of us are offensive not all of us are black hats but it's our job to protect our environments and our data centers and the reputations of our companies so i'm actually out of time today guys uh i invite everybody reach out to me over linkedin come check out my github and my youtube channels and uh if you guys like i said if you're interested and you want the blood and the gore and to see how to make a cyborg uh do a search uh for dc 44 uh 191 or just search eventbrite for len noe i believe it's next wednesday this will be the how to make a cyborg presentation so with that i appreciate everybody uh

search for hacker 213 um i'll put all of my uh i'll put my information in the chat here in just a moment but i wanted to say thank you very much i appreciate everybody one last time there's my information for anybody who wants to grab a quick screen capture yes that qr code is safe qr jacking at an actual security event probably not the wisest thing if i ever want to be invited back but there is my youtube my twitter my github and my linkedin i hope everybody out there has an amazing weekend uh if you're gonna be in toronto at the end of the month i will be live in attendance for sector uh come come search me out i'll be

hanging out at the cyberark booth thank you guys very much for your time thank you for actually being here and i look forward to seeing everybody out in the real world once this pandemic's over take care and have a great one