The man who hacks phones with an implant under his skin
ThinkstockIf you hand Seth Wahle your phone, he could steal your photos, passwords and more simply by holding it. Rose Eveleth finds out how he does it.
Seth Wahle is one of a growing number of people who has a chip implanted into his body. Wahle, a former petty officer in the US Navy and now an engineer at a company called APA Wireless, is a biohacker, someone who likes toying with the limits of the human body.
Now, Wahle is using that chip to offer an intriguing insight into the future of cybersecurity. Using the chip embedded in his hand, Wahle and his collaborator Rod Soto have shown he can hack into someone’s phone simply by touching it. The duo are due to show off at a hacker conference in Miami on 16 May.
They’re not doing it for malevolent reasons, rather to demonstrate a hidden way our phones and computers could one day be hacked without us realising.
It all began with a serendipitous conversation in a pizza parlour with Soto, a security researcher and the organiser of an event called Hackmiami in Florida. “Seth was there, eating pizza,” Soto says (Wahle clarifies that he was also doing homework), “and I was like ‘hey, you look like someone who likes computers.’ And I find out the guy has a chip in his hand!” Wahle’s implant is an RFID chip, a tiny device that can hold small amounts of data and communicate with devices nearby.
ThinkstockSoto, who works mostly on software and hardware hacking, was intrigued, and pushed Wahle to give a presentation at a Hackmiami event in 2014. Eventually Wahle gave a talk about one particular idea he had for using his chip as a gun safety mechanism – the gun would only fire when in his hand.
“After that presentation we did some brainstorming and we thought, what if we could exploit something using the implanted chip,” Soto says. So they decided to see if they could push a malicious piece of software onto someone’s phone simply by putting that phone in Wahle’s hand.
From there, it was easy. Almost too easy. “It was kind of surprising that it worked as well as it did,” Wahle admits. It took the two of them just a few months to get the whole thing designed. And it worked on the first try. “Generally these things don't work quite as well the first try,” Wahle says.
The hack works like this: Wahle’s RFID chip includes a Near Field Communications (NFC) antenna that generates a radio frequency that can talk to devices that are NFC enabled, like a cellphone. So when a phone is in his hand, his chip sends a signal to the device, and a pop-up appears asking the phone’s user to open a link. If that user taps yes, the link installs a malicious file, which connects the phone to a remote server that can be accessed by someone elsewhere. “Once I get that call back, that phone is mine, that’s pretty much it,” Soto says. In a matter of minutes, with the phone in Wahle’s hand and Soto at the helm of a computer, they were able to download a file off the compromised device.
In the demo, the malicious link isn’t very well disguised – the link that pops up would probably make any user a little suspicious. But Wahle and Soto point out that with a little more work they could make that popup look like just about anything – a system update, a Candy Crush notification. And, there’s not much keeping them from simply bypassing that step altogether, and pushing the malicious software onto the phone directly, without a link to click.
ThinkstockIt was really only a matter of time before the biohacking community and the software and hardware hacking community linked up. But in Miami at least, Soto and Wahle says that relationship is still new. At Hackmiami 2015, there will only be a handful of biohackers among the hundreds of hardware and software experts. “There are definitely two different worlds,” Wahle says. And in his experience, those worlds have different cultures and ideas, Wahle says. “Biohackers come up with ridiculously off-the-wall things and honestly they rarely get anything done, because the majority of them don’t have the technical aptitude to pull it off, and the majority of their suggestions are wildly dangerous. On the other hand the hacker community, there’s a lot of really talented people that are quite honestly some of the smartest people I’ve ever met that could pull off some crazy amazing things.”
The pair’s experiment may just be the beginning of hacking using body implants. Phones aren’t the only things that use NFC to talk to one another. It’s a key part of credit card payment systems, mobile payments like Apple Pay and Google Wallet, keycards, and even medical devices. Hacking NFC communications with a chip that simply requires being near someone’s device, or wallet, or door, or blood pressure monitor, could open the doors to all kinds of malicious actors.
True risk?
The chances that you’ll run into someone with an RFID chip in their hand today are still somewhat slim. Implanting devices into your body isn’t something to do on a whim, and biohackers aren’t everywhere you turn just yet. Wahle says he spent a lot of time researching the different types of RFID tags out there, testing them, and making sure he was avoiding chips with lead or other chemicals in them. He then paid an amateur tattoo artist to inject the chip into his hand, in the space between the thumb and forefinger. “Yeah it hurt a lot. In that moment it was excruciatingly painful for a very brief amount of time, and as soon as the needle was pulled out it was not painful anymore.”
ThinkstockFor the demonstration, Soto and Wahle didn’t break any laws. They used Wahle’s phone, and he knew full well what was going to happen. But should someone use a hack like this on an unsuspecting victim, then things get more complicated, says Andrea Matwyshyn, a legal scholar and professor at the Center for Information Technology Policy at Princeton. In the United States, she says, the most relevant law is the Computer Fraud and Abuse Act. “The approach the statute takes is the notion of exceeding authorised access. Did the person who accessed this system have consent of the owner of this system to access the information?” If not, she says, then the law was broken.
For Soto and Wahle this is less about stealing images off people’s phones, and more about exposing vulnerabilities in devices that people use every day. “The message that I want to portray is not, ‘Hey, I can stuff an NFC chip into my hand and take over an Android phone’,” says Wahle, who is also now working on a startup cyber security company called Caveo Security. “The message is that I’ve done this with one technology and as technology progresses this can be done for everything. The whole idea of what we do is to break something to show somebody it can be broken.”
Soto agrees. “The main reason why you want to expose things like this, is that when you expose a malware kit, a crime kit, a modus operandi, it’s usually burned. Which means that the victims become aware of it, and now it doesn’t work, it’s preventable.”