If you hand Seth Wahle your phone, he could steal your
photos, passwords and more simply by holding it. Rose
Eveleth finds out how he does it.
Seth Wahle is one of a growing number of people who has a
chip implanted into his body. Wahle, a former petty officer in
the US Navy and now an engineer at a company called APA
Wireless, is a biohacker, someone who likes toying with the
limits of the human body.
Now, Wahle is using that chip to offer an intriguing insight
into the future of cybersecurity. Using the chip embedded in
his hand, Wahle and his collaborator Rod Soto have shown
he can hack into someone’s phone simply by touching it.
The duo are due to show off at a hacker conference in
Miami on 16 May.
They’re not doing it for malevolent reasons, rather to
demonstrate a hidden way our phones and computers could
one day be hacked without us realising.
It all began with a serendipitous conversation in a pizza
parlour with Soto, a security researcher and the organiser of
an event called Hackmiami in Florida. “Seth was there,
eating pizza,” Soto says (Wahle clarifies that he was also
doing homework), “and I was like ‘hey, you look like
someone who likes computers.’ And I find out the guy has a
chip in his hand!” Wahle’s implant is an RFID chip, a tiny
device that can hold small amounts of data and
communicate with devices nearby.
Soto, who works mostly on software and hardware hacking,
was intrigued, and pushed Wahle to give a presentation at a
Hackmiami event in 2014. Eventually Wahle gave a talk
about one particular idea he had for using his chip as a gun
safety mechanism – the gun would only fire when in his
hand.
“After that presentation we did some brainstorming and we
thought, what if we could exploit something using the
implanted chip,” Soto says. So they decided to see if they
could push a malicious piece of software onto someone’s
phone simply by putting that phone in Wahle’s hand.
From there, it was easy. Almost too easy. “It was kind of
surprising that it worked as well as it did,” Wahle admits. It
took the two of them just a few months to get the whole
thing designed. And it worked on the first try. “Generally
these things don't work quite as well the first try,” Wahle
says.
The hack works like this: Wahle’s RFID chip includes a Near
Field Communications (NFC) antenna that generates a radio
frequency that can talk to devices that are NFC enabled,
like a cellphone. So when a phone is in his hand, his chip
sends a signal to the device, and a pop-up appears asking
the phone’s user to open a link. If that user taps yes, the
link installs a malicious file, which connects the phone to a
remote server that can be accessed by someone elsewhere.
“Once I get that call back, that phone is mine, that’s pretty
much it,” Soto says. In a matter of minutes, with the phone
in Wahle’s hand and Soto at the helm of a computer, they
were able to download a file off the compromised device.
In the demo, the malicious link isn’t very well disguised –
the link that pops up would probably make any user a little
suspicious. But Wahle and Soto point out that with a little
more work they could make that popup look like just about
anything – a system update, a Candy Crush notification.
And, there’s not much keeping them from simply bypassing
that step altogether, and pushing the malicious software
onto the phone directly, without a link to click.
It was really only a matter of time before the biohacking
community and the software and hardware hacking
community linked up. But in Miami at least, Soto and Wahle
says that relationship is still new. At Hackmiami 2015, there
will only be a handful of biohackers among the hundreds of
hardware and software experts. “There are definitely two
different worlds,” Wahle says. And in his experience, those
worlds have different cultures and ideas, Wahle says.
“Biohackers come up with ridiculously off-the-wall things
and honestly they rarely get anything done, because the
majority of them don’t have the technical aptitude to pull it
off, and the majority of their suggestions are wildly
dangerous. On the other hand the hacker community,
there’s a lot of really talented people that are quite honestly
some of the smartest people I’ve ever met that could pull
off some crazy amazing things.”
The pair’s experiment may just be the beginning of hacking
using body implants. Phones aren’t the only things that use
NFC to talk to one another. It’s a key part of credit card
payment systems, mobile payments like Apple Pay and
Google Wallet, keycards, and even medical devices. Hacking
NFC communications with a chip that simply requires being
near someone’s device, or wallet, or door, or blood pressure
monitor, could open the doors to all kinds of malicious
actors.
True risk?
The chances that you’ll run into someone with an RFID chip
in their hand today are still somewhat slim. Implanting
devices into your body isn’t something to do on a whim, and
biohackers aren’t everywhere you turn just yet. Wahle says
he spent a lot of time researching the different types of
RFID tags out there, testing them, and making sure he was
avoiding chips with lead or other chemicals in them. He then
paid an amateur tattoo artist to inject the chip into his hand,
in the space between the thumb and forefinger. “Yeah it
hurt a lot. In that moment it was excruciatingly painful for a
very brief amount of time, and as soon as the needle was
pulled out it was not painful anymore.”
For the demonstration, Soto and Wahle didn’t break any
laws. They used Wahle’s phone, and he knew full well what
was going to happen. But should someone use a hack like
this on an unsuspecting victim, then things get more
complicated, says Andrea Matwyshyn, a legal scholar and
professor at the Center for Information Technology Policy at
Princeton. In the United States, she says, the most relevant
law is the Computer Fraud and Abuse Act. “The approach
the statute takes is the notion of exceeding authorised
access. Did the person who accessed this system have
consent of the owner of this system to access the
information?” If not, she says, then the law was broken.
For Soto and Wahle this is less about stealing images off
people’s phones, and more about exposing vulnerabilities in
devices that people use every day. “The message that I
want to portray is not, ‘Hey, I can stuff an NFC chip into my
hand and take over an Android phone’,” says Wahle, who is
also now working on a startup cyber security company
called Caveo Security. “The message is that I’ve done this
with one technology and as technology progresses this can
be done for everything. The whole idea of what we do is to
break something to show somebody it can be broken.”
Soto agrees. “The main reason why you want to expose
things like this, is that when you expose a malware kit, a
crime kit, a modus operandi, it’s usually burned. Which
means that the victims become aware of it, and now it
doesn’t work, it’s

In a nutshell pls

importexpert:
In a nutshell pls