Espionage and cyberwar activities are increasingly conducted remotely, via phishing, spyware, software supply chain attacks, malware attacks on electric grids and nuclear plants, and drones. But in the future, we can expect to see threat actors turn to technology that puts the attack power into their own hands — literally.
We’re entering the age of bio-hacking, also called body hacking or human augmentation, to distinguish it from other types of biological experimentation like DNA hacking. In the context of cybersecurity, bio-hacking enables the creation of new stealthy attack capabilities by using chip implants inside bodies and wireless technologies to conduct spying and cyberattacks that today are done over the internet.
This isn’t science-fiction or just another “Terminator” reference. Research into using bodies as spying devices and weapons is happening right now. I should know, because I’m a Walking Zero Day cyber exploit.
I’m a transhumanist, which means I am using technology to expand my capabilities beyond those I was born with. In this case, I’m hacking my body for security research, to see how easily I can conduct certain types of attacks using chips in my body and wireless technology instead of the internet.
I have implanted nine microchips and one magnet in my hand and fingers over the past five years. In numerous demonstrations, I’ve showcased the ability to wirelessly download malware onto an Android (Apple’s security protections block this attack). In another type of attack, I’ve proven I can skim a badge and then write the data directly to my implant in order to enter restricted areas. The chips in my hand communicate to the devices via Near Field Communication (NFC) or Radio Frequency Identification (RFID) wireless protocols. Military IDs, for example, have embedded chips that use RFID.
The implications for identity-based security in federal and defense areas of operation are significant. Government agencies should have this on their radar as they consider risks on the horizon. The threats are not theoretical.
Governments are already looking at defensive uses of bio-hacking or human augmentation technology; the UK version of DARPA is funding research into tech that could help combat mental and physical fatigue and enhance the senses, while Raytheon is developing exoskeletons for the U.S. Army. Advances in brain-to-computer technology is underway with Neuralink and Synchron, which is integrating AI chat with neural implants.
It’s only a matter of time before national security agencies start exploiting body augmentation for hacking purposes. There may already be soldiers with GPS locators inside their bodies to assist with evacuation purposes, or other internally powered devices in use by spy agencies. The possibilities of attacks are only limited by the availability of the technology.
For my day job, I analyze cyber threats and help enterprises understand the risks they face and protect against them. While we have the solutions to help defend against most cyber threats, defense against bio-hacking is uncharted territory. Addressing this attack vector won’t be a quick fix.
To start off, detection is tricky. Because the implanted chips are hidden inside of a body, they would be hard — if impossible — to detect before the damage is done. My implants are made of silicon, not metal, which means they are invisible to metal detecting wands and body scanners. I’ve been traveling for four and a half years now with implants and they have never been detected. There is no way to legally identify an augmented human without a full body X-ray, and the airport body scanners don’t show anything below the surface of the skin.
Even if the TSA suspected I had an implant, they couldn’t ask me about it. The implants are subdermal and therefore considered medical. And HIPAA protects the privacy of medical data. Security teams could look for anomalous activity via logs, but they wouldn’t be able to know what device was used to access the system.
Despite those challenges, and because of them, agencies should start following best practices that can help protect devices now. They should start by using mobile device management to force security restrictions that can block stealth downloads of malware, and create policies where NFC or RFID are disabled except when needed, such as for making a payment. Physical access systems should take advantage of multi-factor authentication, like eye or face scans, and not just rely on single-factor authentication RFID badges.
Then agencies could start looking for ways to identify augmented humans that are effective and also comply with health information privacy laws. This could include non-technical solutions, such as dogs that can sniff out thumb drives believed by law authorities to contain illegal files, as are being used in child exploitation investigations.
The most difficult part could end up being a mindset change. It can be hard to make the case for investing in security when the risks aren’t readily apparent. This is especially true for budget-minded government agencies and those overwhelmed with fending off the perpetual cyberattacks of today. Hopefully, with growing awareness of the possibility of stealth bio-hacking-based attacks, agencies will recognize the threats they pose and establish policies, practices and research to address them — before our adversaries do.
Len Noe is a biohacker and technical evangelist at CyberArk.
