Plenty of people these days are prepared to augment their bodies with face furniture, piercings, rings and tattoos.
But would you implant a chip in your hand to show how easy it is to exploit an Android phone?
That’s what former US navy petty officer Seth Wahle did, in an attempt to demonstrate how business networks could be compromised.
Wahle took an NFC chip, similar to the kind found in many of today’s smartphones, and injected it between the thumb and finger of his left hand. According to Forbes, the injection was something of an eye-watering experience.
But implants aren’t for the squeamish. Wahle says the needle was bigger than he’d expected when he had the chip implanted by an “unlicensed amateur” for $40, enough to make him want to vomit. He says he had to go through a backstreet operation due to Florida’s restrictive body modification laws.
Unfortunately for lovers of Hollywood techno-thrillers, the attack itself is fairly lame.
As the article in Forbes describes, for the exploit to be successful the victim has to click on a link sent to his Android device by the implanted NFC chip:
It has an NFC (Near Field Communications) antenna that pings Android phones, asking them to open a link. Once the user agrees to open that link and install a malicious file, their phone connects to a remote computer, the owner of which can carry out further exploits on that mobile device. Put simply, that Android device is compromised. In a demo for FORBES, Wahle used the Metasploit penetration testing software on his laptop to force an Android device to take a picture of his cheery visage.
My feeling is that the typical user would be suspicious of an unusual link popping up unexpectedly on their screen (just as the beardy hacker-type guy approaches) and not necessarily click on it.
If it were possible to use a little more social engineering in the link’s delivery – which, after all, is what would be possible if the attack was delivered via email without having to put the hacker at risk of physical proximity – then it would be more likely to succeed I would wager.
Nonetheless, with many Android devices suffering from a shockingly bad patching infrastructure there remains the potential for serious vulnerabilities to remain on a high proportion of devices, that could potentially be exploited in future attacks of this kind.
And, of course, it can just as easily be delivered by somebody clean-shaven wearing a suit as a guy with a hipster beard wearing a Metallica t-shirt.
It should be noted that Seth Wahle is not the first person to make a splash in the world of computer security after injecting a chip into their body.
During the late 1990s and early years of this century, Professor Kevin Warwick of Reading University was dubbed “Captain Cyborg” by some in the media for his attention-grabbing claims after he embedded NFC chips into his body to open doors, and at one point claimed (rather fancifully and inaccurately) to be the first human to be “infected with a computer virus”.
You have to also ask yourself in what limited scenarios would having an NFC chip embedded inside your body be preferable to, say, having it hidden in your watch or your the back pocket of your jeans.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.