06-08-2020 | | By Robin Mitchell
The use of microchip implants in the human body has many excited with the possibility to remove the need to carry cash, a card, or ever ID. However, those that wish to use an implanted device should think twice before getting the procedure done for reasons that will be discussed here.
Microchip implants are RFID microchips connected to a small coil antenna which is all housed in a special biologically inert glass capsule. The device can carry all kinds of metadata, including unique IDs, names, date of birth, medical information, and permissions for a facility. Implanted devices cannot use battery power as they cannot be physically accessed once implanted; thus changing a battery is impossible. Instead, such devices utilise NFC technology whereby an external reader provides the energy needed to operate the device wirelessly. This also has the added advantage that the implant is mostly a passive device; under normal conditions, the device emits no radio waves of any kind.
As these devices utilise NFC technology, they can be used in place of any NFC technology currently deployed. One example of how implants can be used is as an ID card; the implant can be used to open doors that the user is allowed to use, while security can use the implant to verify the identity of the user. Implants can also be used in place of contactless cards for small payments such as vending machines, fast food, and shopping. The use of an implant for monetary use provides users with the convenience of never losing their ability to pay for items; of course, this only applies for sellers that offer NFC payments.
Using implanted microchips has a multitude of issues that relate to either privacy or safety. One major disadvantage of NFC-type devices is their ease of access, meaning that most NFC readers can provide power to an RFID system, and read data from the device. An unencrypted device would allow nearby attackers (who do not require physical contact), to obtain information stored on the device. Thus, if the information related to medical conditions and personal identity, then it would be straightforward for an attacker to clone the device.
This issue with insecure data can be easily fought against using encrypted data so that only authorised readers can obtain data. However, this brings in more issues that could arguably be worse than allowing an attacker to steal data wirelessly. The first issue arises from the fact that if authorised readers can only read an implant, then its ability to interact with many systems is severely diminished (i.e. defeating the purpose of having a wireless ID system to make life more convenient). If this is not an issue, probably because the implanted device is being used for security reasons in a research facility or sensitive area, then the user is put in significant danger from attackers. Such devices are generally incapable of detecting if the device is present in the correct host, or if the host is alive, meaning that a determined attacker may take the implant by force. If lucky, the user may have a small incision made where the implant is located, but if not so, a limb may be removed as this is significantly quicker. The same principle applies to most biosecurity systems, including retina and fingerprint scanners. If the integrity of the biological part being scanned is not checked, then an attacker can take said parts by force. Fortunately, such an incident has not happened yet with implanted microchips due to their low usage, but this has happened to animals include a dog whose microchip was forcibly removed for the sake of stealing puppies. Removal of the ID enables attackers to deny theft (as the ID of the animal cannot be verified). Thus the use of the microchip caused unnecessary harm.
The use of implants also carries privacy concerns with employees; some companies around the world are starting to experiment with implanting devices into their employees. It is feared that a company can use RFID devices to track their employees and monitor their behaviour. While this does provide advantages with regards to security, it can also be considered to be a gross violation of individual privacy and freedom. Those implanted devices cannot be turned off; thus, employees continue to have potentially exploitable devices on their persons even when away from work. Such concerns have even caused one state in the US to bring in a ban preventing companies from forcing RFIDs on their employees.
Implanted devices also carry the risk of being reprogrammed by attackers to perform entirely different tasks than to what they were designed for. For example, if an RFID allows for reprogramming, then an attacker could, in theory, use the RFID device to run malware when in close contact with an RFID reader. Such a routine could provide passwords, keys, and other sensitive information regarding itself or the system that it works with. To make matters worse, reprogramming is done wirelessly, meaning that a simple shake of the hand could be enough for an attacker to gain entry, upload the new code, and then verify.
This is a hard question to answer and depends on the risk level associated with implanted devices. RFIDs could be highly beneficial for those (such as yours truly), who struggle with remembering to bring payment cards or other necessary forms of ID. The use of implanted devices could also make it simpler to make payments and even provide medical staff with important medical information regarding allergies. However, the risks that implanted device pose, including the lack of privacy, and the possibility than an attacker will forcibly remove the device, is daunting, to say the least. It is very easy to say that “designers can simply find a way to make implants unhackable”, but the truth is that since these devices need to be able to communicate to readers, then by nature they cannot be unhackable. Personally, the thought of a giant needle being inserted into the had to insert an RFID device that will do the same job as a contactless debit card is not worth the novelty.