
Hello, hello. Okay, let me go. All right everyone, we're getting ready to start our next talk. Our speaker is Len Noe, "Biohacker: The Invisible Threat."

Thank you. What's happening? Hello, California. In case you couldn't figure it out, I'm not from here. Um, first, thank you, BSides, for letting me actually come out and present this, and thank you guys for actually showing up to listen. Uh, we're going to have some fun today, and we're going to try and go from science fiction over to some science fact. So, start up my little clicker here. A little bit of background on me. Uh, my name, as she said, is Len Noe, pronounced "no," opposite of yes, and if you ask my
parents, I was named extremely appropriately. I've heard "no, no" pretty much my whole damn life. Um, I currently am a, uh, technical evangelist and a white hat hacker for CyberArk Software. I've been with CyberArk for nine years. I've been in IT professionally for going on 27 years, in roles ranging from programmer to systems architect, but I've been kind of breaking into computers and making them do things that they weren't supposed to do all the way back into the Commodore 64 days. So if anybody wants to come out, we can talk about some comma eight comma one after this is over. Man, I love your mask, by the way. Um, I spent, uh, pretty much most of my
time in my youth as either what would be classified as a black hat or a gray hat. Uh, I'm professionally trained, but I've come across most of my knowledge through practical application. Uh, I'm actually pretty active on social media, and I invite everybody, you know, reach out over LinkedIn, GitHub, check out some of my toys and tools that I throw out there for everybody. Um, yes, that's a QR code. Yes, this is a security conference. No, this is not going to take you anywhere bad. This would be a very career-limiting move if I decided to do that, but I'm glad to see you all were thinking.

So I wanted to start off today's talk by
asking you guys just a pretty simple question: what does a cyborg look like? You know, when you hear the word cyborg, what comes to your mind? Maybe Terminator, Darth Vader, Star Wars, Star Trek, something like that. You know, I'm not sure what it's going to be in your head, but I'm probably willing to bet that they have some similarities. They're probably very robotic, possibly a lot of chrome. But the truth is, that's not the case. Cyborgs are not only on the movie screens anymore. You know, they walk among you, and you might actually even be friends with one of them and you just don't even know it. These are actually my hands. I am a biohacker in the truest sense of
the word. I'm not only an augmented human with microchips in my hands, but I'm also, as I stated earlier, I'm a white hat, so I'm a hacker that has actually modified my body to take advantage of the available technology to turn myself into the attack vector. You know, I'm gonna go through, uh, what you see on the x-rays here, and I'll give you a little bit of information about each one of the chips, and I actually have some more implants since the time these x-rays were actually taken. So we're going to go through, and we'll start here with this one. This is actually called a flexNExT. This is a combination RFID and NFC chip.
This one and the one right below it, which is the NExT chip, these are essentially the exact same chips. Uh, I started with the standard NExT chip. This is a bioglass-encapsulated microchip, and we'll be going into a little bit more explanation in terms of what the differences are between the bioglass and the flexible membrane implants in a couple of slides. But the NExT chip, as I said, this was actually the very first implant that I ever got, and all of my implants were installed for the specific purposes of offensive security. So once I got this one, I was able to get it installed into my body, I realized that it did not give me the range I need
in order to be able to hold a phone in its natural position. You know, the antenna on the actual NExT chip is very, very small, so, and as such, you almost have to be sitting right on top of the, uh, receiver in order for it to actually be able to read clearly. The flexNExT is a larger version of this and actually gets me up to about an inch and a half to two inches worth of distance away from the reader in order to be able to actually energize the chip and be able to send and receive data. So this was the chip that actually allowed me that ergonomics of being able to actually
hold your cell phone or mobile device in my hand in a normal configuration, and the signal will actually pass through the meat of my hand to the large implant. I have, on the top of this hand, I have a flexM1 magic. Uh, this is basically a MIFARE Classic with the 1K rewritable function. This will allow me to emulate pretty much any number of older access cards, from public transit to membership tokens to physical access for buildings. Believe it or not, most of the hotels that I stay in are all still using MIFARE Classic or MIFARE Ultralights. Uh, I also have what is called a VivoKey Spark 2. This is actually a cryptobionic chip.
It's actually part of a multi-factor authentication, uh, routine that I've set up to be able to access my crypto wallet. Uh, this one actually does have its own ecosystem and is actually something that's being pushed for multi-factor, FIDO, OTP. Uh, definitely something to look into. They are currently working both within the United States and in Japan. Okay, since the time these x-rays were taken, I have quite a few additional implants. I have a flexEM in my wrist right here, underneath the nose of the skull on this tattoo, and that actually allows me the ability to emulate pretty much the rest of the popular physical access cards, including Prox one, two and three,
HID, Indala, Pyramid and just a ton more. I also have a Titan biomagnet in my left pinky. This is not one of the gimmicky magnets. It's not meant to be able to pick up a lot of heavy weight, but what it does allow me the ability is, it allows me to feel electromagnetic fields and electromagnetic currents. I get asked all the time, "Len, what does that do for you?" I do physical pen tests as well, and I'd be willing to bet quite a bit of money that if we went out and take a look at any of y'all's warehouses, pretty much most warehouse exterior doors are all using the same types of locking mechanisms. Everybody
uses magnetic maglocks. Maglocks require power for an electromagnet. I can actually stand on the outside of your building and run my hands over your wall, and I can actually find the line of electricity going to that magnet. I'm not saying it will, but it can open up the opportunities of different options for shimming, uh, power interruption. It just allows me the ability to see what's going on inside the wall. I currently have sitting at home right now, I actually have a DESFire EV2 8K NFC chip, as well as a new chip that's recently hit the market called the Walletmor. Uh, the Walletmor is actually an implantable chip that allows me to do tap to pay the same way we can
do with Android wallet and iPay or any of your NFC-based credit cards. Uh, so these are two implants that I'm just waiting for time to get into my body mod guy, and we'll be adding those to my body, and we'll just, you know, it's kind of like getting an upgrade, you know, on your car. You know, I just want some new functions, man. You know, I'll be the new Len 3.0. So as I said, augmented humans are not science fiction. We're here, we're not going anywhere, and as this technology continues to evolve, so will we.

I've broken today's talk down into three different parts. We're going to do a yesterday, today and tomorrow. I'm not
going to spend a whole bunch of time on the history of the transhuman movement, just a little bit to kind of give you an idea of where we kind of got our start, and that the biohacker or transhuman is actually the point where science, technology and humanity all meet. And since we are sitting at a BSides conference, I've actually even had people ask me, would I be the point where machine identity and human identity cross? You know, that's just one of those things to kind of put in the back of your head, because technically I do have my human identity, but I also have the ability to do machine identity. Things to think about. So
the idea behind implanting technology inside the human body has actually been around since the 1950s. The patent for the first cardiac pacemaker was actually submitted in 1952, and it was the size of a table radio. With the advent of the transistor in the mid-1950s, the ability to construct a fully implantable device was achieved in May of 1958. 1964 gave us the first implantable technology that could take data from the body as feedback and make adjustments accordingly. Throughout the 70s and the 80s, you know, there was some stuff that happened, but I mean, it wasn't like major breakthroughs. 1990 is when things really started to change for the transhuman or implant community, from the creation of smart
devices, smart prosthetics, all the way up through to artificial intelligence, which is pretty commonplace in today's society. For biohackers and transhumans, our history was forged by the medical profession to address deficiencies of the human body, but from a reactive perspective, and by that I mean that the issues were already there, you know, and additionally there were no options for any type of individual to enhance themselves through any type of elective surgery or through any type of technology that was available.

So that brings us to today. Who are we as transhumans today? People like myself are referred to by all kinds of different names: biohacker, grinder, transhuman. I was actually in Sweden, uh, two weeks, a couple
of weeks ago, and I was told that I am what is known as a wetwork. That was a new one on me, first time I've heard it. It's okay, you know, it doesn't matter what you want to call me. You know, regardless of the label, you know, I'm just another person in a very long line of people who shared the same concept of moving beyond the human form that we were born into. Actually, the term transhuman was first coined by an Englishman by the name of Julian Huxley back in 1957, you know, and the movement that he created was fueled by multiple people looking to extend the capabilities of the human being itself. So when we talk about implantable
technology, where do we find it? Anybody want to give me a guess here? Come on. Close, close. If we can do it at Radio Shack, that would be so awesome, but the truth is, it's the same place we find everything else. Close. Internet. You know, I'm actually going to check. I don't know if I can get them on Amazon or not, but I wouldn't be surprised. You know, here in the United States, if this is something that you're interested in, definitely hit me up when I'm done. I'll be happy to go into more specifics. Uh, I do not work for this company. I'm just gonna throw this
out there because it's usually one of the first questions I get: where can you find these things? Uh, I get all of my stuff from a distributor here in the U.S. They're based out of Seattle, Washington. They're called dangerousthings.com. Yeah, I know, I thought it was an amazing name for an amazing company. Um, in Europe there's an additional company called KSEC. These guys are kind of the two big ones in North and South America and in Europe. Uh, do your research. This is kind of like the idea of getting a tattoo or a body piercing, but a little bit more crazy.

So, you know, when we talk about the types of
implants available, you know, what are the use cases? I get that question all the time. So we have magnets, and we have multiple types of magnets. You have lifting magnets as well as biosensing magnets. Now, you know, everybody asks me, "Len, are you afraid of, you know, what are you afraid of? And are you, you know, are you afraid that these things are going to move, it's going to move to your heart?" You know, some, you know, "You're being tracked by the man." No. What I'm afraid of is other very, very strong magnets. You don't know pain until somebody throws an earth magnet at you and it snaps onto the magnet that's inside your finger and squeezing from
both inside and outside of your skin. Not pleasant. My magnets, like I said, are not meant to lift things, but if that's your thing, rock on. We have flexible membrane implants. As you can see, the chip itself, very small, but we have a very large coil of copper wire. This is the antenna. This is why, when I was originally showing you guys my x-rays, the very first one was that bioglass-encapsulated, that's what this looks like. So if you can take a look at this, those little glass tubes are not much bigger than a grain of long-grain rice. The flexible membranes, they're about two and a half to three inches long, so you can
definitely see the difference in terms of antenna size, which will also be proportionate to the amount of distance you're going to need to be from your reader in order to energize that tag. And due to the fact that this is California, and I know you guys are like a party town, we also have LEDs. You know, so I mean, if you guys want to go partying out at night, you know, and you can do the whole, you know, "I am Iron Man," you can have it blinking in your hand, whatever. You know, I'm one of those guys that, if you want to join my club of crazy cyborgs, I don't care what you put in your body.
You know, I do have the ability, if you guys would like, hit me up offline, we can go into the processes in order to install these, and I do use the term install because it is kind of hardware going into the body. But this is surgery. This is scalpels, this is dermal elevators, this is sutures. This is not necessarily a fool's errand. You know, when we talk about these devices and what they were originally intended for, they were designed to make people's lives easier. You know, for anybody out there with a Tesla Model 3, there's actually an implant; you can actually get the valet key added to an implant, put that in your
hand, and you can just jump in your car and drive. You know, or maybe people have like a little fob to get into a gym or a shared garage. You know, like I said, we have the Walletmor now, so we can actually do contactless payment the same way that you can with credit cards or even your mobile device. And every single one of these would actually constitute a legitimate use case for these types of devices. Unfortunately, just like in the real world, not all of us are friendly. You know, as security professionals, we need to start looking beyond what we're comfortable with, you know, beyond the normal attacks that we've been dealing with for years.
You know, the attacks and the end game may not have changed, but the delivery method is literally coming right off the movie screen into our companies. You know, as security admins we know the normal attack vectors, but how do you address the fact that any one of your employees could potentially have a full Linux system beneath their skin? What if somebody implanted, you know, an HID or a Prox access card? If I wind up in a restricted location on prem, you have zero indications of compromise in terms of how I got there, and your DFIR team is going to play hell. You know, chip implants use the exact same technologies that the enterprises are using: RFID for door badges, NFC for
IoT, MIFARE and HID proximity cards, and that's just a couple of them. With a number of regulations and audits that companies are required to do for your compliance, how would you know if somebody had bypassed your security and brought a rogue asset into your environment? The very simple answer is, you would not.

This is called a PegLeg. This is a single-board computer that's been modified to a minimalist form factor with a wireless charging receiver and then encased in some type of biopolymer and then implanted within the body, typically on the front of the leg, right below where the pockets are. And the reason being is because you take an external battery pack that can do
rapid charging, slip that into the pocket, and it'll actually power up the device. You know, the possibilities for this are pretty much endless, because at this point you have the ability to have a Wi-Fi hotspot. You also can access this device over, uh, SSH. And if you're crazy enough like me, you've actually given enough thought to the point of actually cutting your leg open and actually adding quite a bit of copper wire, turning your entire leg into an antenna. And yes, I am working on this. I'm actually in talks with the owner of Dangerous Things, and they're actually going to be encapsulating my devices for me. I'm working with a KiCad designer out
of the DHA, the Dallas Hackers Association, and we're basically building me a custom Raspberry Pi Zero type device, but with multiple Bluetooth and multiple Wi-Fi, so I can actually do Wi-Fi attacks and do evil twin attacks in areas where I'm not even allowed to bring in a cell phone.

So everybody here wants to see the attacks, because that's where things really start getting fun. So I'm going to start talking about the first attack I'm actually going to show you guys. This one's actually around the issues of physical access, and I'd be willing to bet everyone here, somewhere on your on-prem, you have some restricted location. You know, that's just kind of the part of doing business.
You know, and I'd be willing to bet that probably there are a large number of people that actually, you guys got your badges on a lanyard or some kind of... oh, I'm seeing people moving. All right, let me show you why that's not necessarily a good thing. So this is the first attack that I debuted. This one's called Handshake. This is a clone and replay attack that utilizes a tool like a Proxmark to read or scrape the data that's contained on a card or a fob. Then I'm going to just turn around and I'm going to write that information back down to the implant in my hand, and then when I compromise your physical locations,
you can search me, you can call the police, you're not going to find any tools, you're not going to find a cloned card. So I'm a very open guy. I want you guys to see everything that's happening, so I'm going to give it to you pretty simple. So we're going to start off by opening up the Proxmark Chameleon Mini tool. Yes, that was my ID, and yes, I look like every hacker clip art you've ever seen. So the first thing we do is we actually import the new UID for my badge, and we're going to go ahead and pull that up, and I'm going to go ahead and just rename this one to "Len's ID," and before
anybody thinks, you know, about trying to steal this, I've actually already got another ID, but you get an A for effort. So from here I need to be able to have a baseline, so I'm going to scan the MIFARE Classic card in my hand. We'll pull in a new UID, pull it up on screen, and we're just going to go ahead and we're going to rename that one to "Len's ID," or, I'm sorry, "implant." So now we have our second piece of information. Now at this point, I like to show, just in case I'm part of a larger collective, we can actually share this information amongst the rest of the people in my
hacking group. Throw it up on Google Drive, your data is now able to be used by anybody. But just for the fun of it, I'm gonna actually open up a different tool. This one's called the MIFARE Classic Tool, and I'm gonna import both of those dumps, and we're gonna run a diff against them. So we import the first file, pull it down, and we're gonna grab the second file, import it in, and now we're going to go ahead and we're going to just pull up the diff. We're going to select the implant, and we're going to select my ID. The only thing that's different is sector zero, line a. So at this point, all I really need to do
is just write the information back down. So I select my ID. I can even do this with the cell phone. Rewrite it: write all tags, write all sectors, data successfully written. So now what we're going to do is go back into the Proxmark Chameleon Mini, and we're gonna scan my implant one more time. So we go ahead and do that, move over to channel three. Here's my hand again, here's my implant. Read the implant, import the UID. We're gonna name this one "implant two." And if you take a look up there at the top, you'll notice that the last four digits of sector zero, line eight, should be six eight six nine. So there's my implant, and here's the ID.
They're the same. So at this point now I can actually walk right up to your badge reader, scan my hand, and if you have a single point of failure without any type of shield or RBAC or PIN, I'm now inside your secured locations, and you have no idea how I got there.

So the next two attacks that I'm going to be showing are going to both be utilizing NFC, or the near field communication protocol. If you're not familiar with NFC, most people have it sitting in their pockets right now. Most cell phones have it built in. Standard use for NFC could be anything from beaming a file or using an app to
transmit a signal to a receiver to allow some type of action to take place. And the implant that I'll be using for the next two attacks is going to be that flexNExT, which is the large implant that's in the top of my right hand. So the first attack I'm going to show you is Leprosy. Yeah, hey, it's my attack, I get to name it. You know, this attack does require a little bit of social engineering, and NFC must be enabled. Uh, aside from that, this one is really, really not that hard. So essentially what I'm gonna do is, I'm going to create a situation where, as you can probably guess, like I said originally, I'm not from California,
so if I started getting up here and started throwing some major fit about the fact that my phone's dead and I was in the middle of a conversation with my wife and there was something going on with one of my grandchildren, you know, and I was making some kind of a big fit, I guarantee you somebody here, even though we're at a security conference, they would be there to help me out. And the truth is, all I need to do is get my hands on the device. And what I'm going to do is, I'm going to use the chip that's in my hand. I'm going to program that chip to point to a location out on the web where I will
have an APK that I created with msfvenom as part of the Metasploit Framework. While it looks like I'm trying to actually make a phone call, what I'm doing is actually installing this. So I'm actually going to act this out for you. Again, I like to be very up front. So on the top of the screen, what you see is an ngrok session for some obfuscation, and we're going to start the Metasploit console down in the secondary lower frame. So we open up Metasploit, load in a resource file just to make things a little bit quick, execute that, start the listener. Okay, here we go. We're going to do this in real time for
you. Oh my God, something happened! You know, can somebody help me out here? Thank you, thank you. Just... all right, what's my wife's phone number? Uh, 734... uh, God, who actually uses phone numbers anymore? I mean, that's just, I usually just pick it up in my contacts. Okay, gotta remember. Seven three four, six one two... no, that's my phone number. What is my wife's number? Good Lord. Something happened to my three-year-old granddaughter. I don't know what the hell I'd do if that might happen to her. Uh, seven three four... I can't remember. Man, I really appreciate it. I'm just gonna have to go, you know, plug my phone in. We're already done. Just like that, there's my reverse TCP
shell. We can pull sysinfo. I can dump your SMS, calls, I can dump your call list. I can even pop a shell and actually traverse your actual device at this point. And this attack also allows me the ability for advanced persistence. So we can actually now just do a quick ls, and you'll see that I'm actually in the storage device of that actual Android.

So this is the last use case that we're going to be discussing today. Um, this one I lovingly named Flesh Hook. I know, it's beautiful. This one is a little bit more dangerous than Leprosy is, because this one we're actually going to take into configuration the BeEF suite. Everybody here familiar
with BeEF? Okay, if you're not familiar with BeEF, this is BSides, go look into it. BeEF is one of the most, in my opinion, underrated tools that, you know, we have when it comes to, you know, popping web clients. So BeEF is the browser exploit extension framework. This is the website where, if you actually log into the website, it will actually launch a JavaScript, hook the browser and allow me interaction on that device, up to and including on-device spear phishing. So what makes this one a little bit more dangerous than Leprosy is the fact that I don't actually have to install anything on your device. All I have to do is just get it to
actually interact with the chip and redirect you to the actual infected website. Considering the fact that I spend a lot of my time around developers and a lot of technical people, uh, for the purposes of my demonstration I actually created a copy of the PuTTY website, and all I have to do is get your browser to go to that website. So once again, requires a little bit of social engineering, but as you can see in that last demonstration, I'm a pretty good actor. So it'll actually take us longer to actually pull up the BeEF suite than it will to actually compromise the device. So once we go ahead and get this up,
we'll go ahead and log into the web UI from the BeEF control panel here, and we are ready to actually go ahead and start trying to hook browsers. Again, not that hard. You know, I can make a fake Google page. All I need to do is to get it to pop up on that device, and again, I'm triggering it through the NFC use of my implants. Pulls up PuTTY, and that's really all that's required. Back in BeEF, I hooked a new browser. It's an Android device. Now we can actually do things like geolocate the device utilizing modules. I also have an entire suite of additional tools that I can actually utilize. So like I said, let's go ahead and do a get
geolocation. Gives us a list of different APIs that we can actually choose from, and we'll go ahead and run this, and you'll see very, very quickly that it's going to actually return the fact that I am in Texas. Yep, city of Pflugerville. It's where I was when I actually recorded this video. We can also get information on types of internet connectivity. We can launch on-device spear phishing attacks. We can even DNS enumerate whatever network this device is actually connected to.

So this brings us to the future part of this chat: who will we become? As technology continues to evolve, you know, when we talk about the future of, you know, biomedical and implant
technology in general, it's almost like we're trying to write a brand new science fiction movie. You know, you have companies like Tesla that are working on technology like the Neuralink, you know, a brain implant that actually allows interfacing between the brain directly to a terminal. You know, to me this just sounds like a man-in-the-middle situation that's just waiting to happen. Tesla actually released some new data recently in terms of their trials, and they, I want to say it was, they implanted the chip in 13 monkeys and they had an issue with seven out of them. It's not really to the point where I think I'm ready to let somebody put one in my head.
But what you don't hear a lot about is Neuralink's biggest competitor actually is doing amazing work and actually have moved into human trials, where they're actually attaching microchips to spinal columns and restoring motility to paralyzed people, and they've already, it's already proven, they've done it. We also have different things that are coming out. We have the ability to have smart contact lenses, you know, where they're actually looking at powering contact lenses with technology that would allow for facial recognition. Personally, I'm a big fan of EFF out there, don't like the idea, but I think the technology is pretty damn cool. What about things like the Wiliot? If you haven't heard of this, this is
actually a Bluetooth transmitter and receiver that requires no internal batteries and actually gets its power from the air. You know, or what about Wi-Fi, implantable Wi-Fi transmitters and receivers? You know, there's a product out there currently under development called the neurograin, and it's the hopes of this manufacturer to actually turn human beings into the world's largest Wi-Fi mesh network. And none of us have ever hacked our neighbor's Wi-Fi, right? I'm just saying, it'll give hacking the neighbor's Wi-Fi a whole new meaning if you're actually hacking a receiver in this person's body. You know, and these are just currently what we know about. You know, the biggest restriction to advanced technology implants is
one thing and one thing only: it's power. There's no current effective way to provide clean power to any devices on a commercial implant. You know, this is the same issue with the PegLeg and why there was the need for the indirect power receiver. You know, it's not always the computer or the technology that needs to catch up. You know, in this case the only thing that's holding back progress is power, you know, and once that's been addressed, the possibility of a 24x7 access to an embedded system inside the human body is not a far stretch. And with the advents that we're seeing now with graphene batteries, there's also amazing new biomedical breakthroughs where they're actually able to
generate power from the body's thermal dynamics and heat. So we're not too far off from seeing much, much new advancements in this scope.

You know, whenever I get into these conversations, I do want to take a quick minute just to talk about legality, morality and ethical issues around implantable technologies. From a legal perspective, there are absolutely no federal laws regarding microchip implants here within the U.S. At the state level, as you can see from the graphic here, there are multiple states that have adopted different types of legislation. They pretty much fall into one of two categories. You know, one is basically a ban on employers mandating that their employees get microchipped, and yes, this is something that did come
up. They were looking at this as a way for time and attendance, as well as, uh, interfacing to the equipment within the warehouse and login, log off, identification. But, you know, I'd love to say that this is the U.S. and we don't force people to get shots and things put in their body, but we all went through COVID, and I'm not going to go down that political rabbit hole. The other typical legislation that we have seen is just a general ban on microchip implants, period. You know, so let's take a minute and talk about liability from an employer's perspective. If an employee gets chipped, does that in and of itself make that employee a
security risk? What if they're just using the chip to access a gym, or they're using it so that they can drive their Tesla? Is that something that a CISO or a CIO would feel that they should be informed about? You know, we allow our, you know, employees to bring personal cell phones to work, with the exclusion of restricted areas, but detection of these types of devices is very easy to see. You know, when it comes to implants from a security perspective, you know, this may help from an "I forgot to bring my badge to work today" kind of a perspective, but it does not necessarily increase the posture of the security scope for
that organization. You know, if you decide to go out drinking on Friday night, you can leave your work badge at home. Once you put these chips in you, they're on all the time. You know, people have actually asked me, what do I do to make sure that I'm protected? I actually had to go out and have Faraday gloves created so that I could actually take myself to DEF CON, Black Hat, and I can go around people that may try to, you know, abuse my technology. Before you ask, no, they could not do anything that could physically cause me pain, harm or anything like that, but what they could do is actually close out the
tags to the point where i could no longer write new data to them and use them at which point i would actually have to have them removed and replaced um i've had you have no idea the amount of you know questions i've had been asked since i decided to go down this road um some of my favorites are uh is the big lump in your hand did you get that after you got your covid vaccine yes uh is this the same chip that's in my my dog or my cat possibly i mean it's basically one of two styles it's either an nfc chip or an rfid chip so technically the answer is yes um the one that i love is i've actually
been targeted by some alt some extreme religious groups this is the one that i'm currently dealing with right now i am now a target for the religious extremes and apparently i have the mark of the beast news to me didn't know i always thought i was a pretty nice guy you know but i've had people that i have known my entire life you know if i walk into a room they'll shut their phones off they'll turn take the batteries out of their phones i have been received with everything from skepticism to downright fear it's my hope that you know as i did say earlier on in the presentation unfortunately not all of us are friendly but most of us are
you know finally how far is too far you know we've briefly touched on the neuralink and the peg leg you know these are two very different products with broad sweeping ramifications to the individual as well as employers and law enforcement you know i'm going to carbon date myself here but i remember a movie from back in 1995 called johnny mnemonic you know where the lead actor had a hard drive in his head and was using it as a storage device and he was transporting you know stolen data or you know what about the matrix where if we want to learn something we just basically load the skill set and we have it you know the genie is out of the bottle
and there is absolutely no way that it's going to go back in and as technology continues to advance and improve the quality of life we need to remember that any tool regardless of what its original intent was can be misused and as security professionals we need to be aware of this and adapt our counter measures to include these new types of attack vectors and the fact that there's nothing unilateral across the board will mean that most locations this is going to become a corporate decision on how to address augmented humans and without a better understanding of the technologies being discussed these choices may be made for the wrong reasons to say anyone with an implanted
technology is an automatic threat would be saying that any car owner could be a vehicular homicide suspect somewhere in the future so the fact is there's no real way to detect this type of technology currently so the only thing that we can do as security administrators and professionals is we need to basically just keep on that layered approach and don't allow single points of access or single points of compromise if you're using just a standard one read badge to get into a restricted location you wouldn't do that with your data we multi-factor everything there are multiple different options that we can do from a pin to our back to shields there's other options and as far as when it comes to
compromising your mobile devices the best advice i can give you is if you're not using nfc turn it off it is an insecure protocol at its core and as such trying to correct a physical limitation of a protocol with application security is never going to be a hundred percent so with that i would like to open the floor to any type of questions seriously none okay come on i was gonna say this is the weirdest thing you guys have heard all day and there were no questions
about any other sorry i was just wondering if you had any any consequences especially physically like i don't know for i'm thinking if you have to go get like your brain scanned i know you cannot have implants things like that at airports when you cross things like that um the simple answer is mris are no longer something i can do uh if i go into an mri it will rip them right out of my body i actually have it on all of my emergency forms i'm actually going in a couple of weeks and getting it tattooed no mri across both of my hands um in terms of fit my personal you know issues i did have one bit of an
issue when i had the big one put in the top of my hand excuse me it was my own damn fault just like any other surgery you know my body mod guy told me he's like you know get on anti-inflammatories prior to going in i didn't do it you know i waited and i wound up getting a hematoma on the top of my hand it looked like i had about a half a softball in there for about two weeks i went to my actual doctor and they wanted to schedule me for emergency removal surgery and it was like i just paid a lot of money to put that in there can i just get some motrin
uh so yeah they doctors don't know what the hell to make of me um that was probably the worst thing that's happened to me from like a personal health perspective but you know i i like i said i got two two more sitting at home and i'm as soon as i get home from this trip i'll be adding those to the the the body and getting new functionality welcome okay
uh have you had any issues with implants that are now outdated or you that you've had removed and replaced or upgraded and i'm specifically thinking about the wallet one that you mentioned and the technology that's in that okay good question um i haven't been lucky enough that where i have not had any of my chips go bad uh the nice thing about the chips is we're dealing with basically technology and protocols so they really don't change uh there is some issues with the walletmor and it's actually something that's actually been brought up a lot in some of the reddit conversations and there was actually something posted i want to say it was two or three days
ago by the walletmor staff the anyone who gets one of these implants there is a limitation on the amount of time that they'll be valid for it's just like a credit card um due to the fact that you know the initial uh chips that were released actually had a little bit lower amount of time than they wanted all us uh they call us ambassadors because we all know that the word guinea pig is not a really good thing to say but i mean we all know what we are so there they'll be actually giving us a replacement before the end of 2023 that will actually keep us i want to say it's for an additional four years past that
at that point you know it's going to be either a get it replaced or we'll have to see where the technology goes between now and then hey great talk um questions things that are considerations for like tsa or custom when you're going in and out of the country or a new doctor medical procedures er i mean lots of potential issues so go from there uh believe it or not i do fly internationally i was actually just in sweden about two and a half weeks ago uh there is not enough metal within all of my implants to trigger any type of aviation magnetometer uh also i've been through the full body scan x-ray things and they don't find them
i mean when you look at the one that i would expect them to find would actually be the magnet because it's actually an iron corer with a titan wrapped in titanium that one is the biggest amount of metal but even through all the rest of them they may be very large but at the same time most of it is uh bio biomass material or biopolymer so there's really not a lot of metal the circuitry is actually going to be silicone so the amount of actual metal is not that much which i'm really kind of nervous because i'm actually going to be giving a bit of a varied version of this talk to interpol here in a couple of months
i might not have the same ability to go in and out of airports and customs as easily afterwards but you know you go where you go where the the boss tells you to go have you ever had the feeling that your telephone was vibrating wasn't in the same room as you yes how do you feel about that vibratey i meant more at a deeper level but bad all right really really bad although the one thing that actually in terms of feeling stuff the one that actually is the worst for me is my wife's can opener she's got one of those you know nice big heavy duty can openers and i can be in all i have to be is in
the general vicinity and she opens a can and i can actually feel it in that magnet even if i'm three to five feet away so
i mean i'm telling you she's just running you over here so uh in future as you as this technology evolves and companies and governments start to start noticing it how do you see the impact on insurance and how do insurance companies will take this from a body mod perspective to be honest it's something i've actually given a lot of thought to um the fact that we're seeing as much espionage i'm surprised let me rephrase i would not be surprised if the governments were not doing using some type of this technology for nation-state activities uh i do know for a fact that i'm not the only guy here in the states that are doing this i know a couple of actual red
teamers who i'm not going to call them out it's not my place but i know that this type of process has been used as an initial foothold during red team engagements to gain that initial foothold on a mobile device then lateral through the mobile device back into the enterprise through enterprise based application and vpn
this is all very cool wouldn't it be just as easy to put it in jewelry yeah but here's the difference the main thing and the first thing i said when i decided to go do this research is i'm not doing anything that necessarily hasn't been done i'm just doing it with in a way that there are zero iocs i mean realistically if i have if you catch me and i've got like a gaudy bracelet or i mean i've i started off honestly using like the nfc rings and different rfid jewelry and it was it was good but at the same time if i got caught there would be some type of indication of how i got in there
what i'm doing now is in my opinion the ultimate you know sneaking under the radar because even if you caught me in your data center all i have to do is say door was open okay well we i can't you can't search me because you're not an authority but even if you called the police they could come over empty my pockets they could you know there's no way for you to prove how i got in there and from an obfuscation perspective that's what these new attack vectors really you know have going for them is the fact that nobody knows that they exist so how do you prevent somebody like me if you don't even know somebody like me
is real thanks no problem
you're getting your steps in today man yeah
so you get caught in somewhere where you're not supposed to be and right now they don't know they wouldn't think of scanning you but what about when it starts becoming better known and they bring out the wands and start going up and down and looking well if what do you what's the sensitivity i mean if it's the same as a magnetometer in an airport you're not going to find nothing on top of the fact that here in the united states we have something called hipaa which anything that's inside my body you're not legally allowed to ask me about anyway didn't even scan for you can scan but all i got to do is say it's medical
i've tied you i've tied your hands
hey you know just remember bureaucracy and regulations can work both ways uh hi are you currently talking about state of things here in u.s because i would like to understand what's going on say in china from the same like basically in the same state of what's the state of art there uh the state is the same everywhere i actually just got done having a discussion with uh one of the japanese newspapers you know as far as i'm aware i'm the first guy that's actually come out and you know shown this as a viable attack methodology i'm not going to say i'm the guy that invented it i'm just the one that's bringing it forward but to the best of my knowledge these
particular vectors have not been used in the wild for an actual breach but like i said they have been used in red team exercises so uh i know that they work
well and that there's no more questions i just want to say thank you guys very much for coming in and listening to you know the crazy guy talk uh hit me up on linkedin or whatnot appreciate your time guys