
BSidesNcl 2021 Biohacker: The Invisible Threat Len Noe

BSides Newcastle | 39:26 | 35 views | Published 2021-10 | Watch on YouTube
About this talk
Security professionals won't allow users into their environment with hacking tools, so how do you address people with implants? People are the attack vector and the tool. The ability to compromise contactless tech threatens physical and digital security. How do you stop a cyber threat from a human? Biohackers exist and walk among us. Most security professionals would not allow users into their environment with offensive security tools. How do you address individuals who have surgically implanted such devices into their bodies? I have multiple sub-dermal implants that range from NFC, HID/Prox and RFID devices. This allows me to become the attack vector. In this talk, I provide a brief overview of the types of bio-implants on the market and share various case studies on the potential damage malicious biohackers can inflict. I also demonstrate how I am able to quickly compromise loosely connected devices and open a reverse TCP shell to a CnC server through my attack L3pr@cy in under three minutes. Finally, I show how I steal HID proximity card data and write it back to the implant. This avoids any physical evidence of a breach and allows me to gain access to data as well as physical access to secured locations. As security professionals, we must anticipate the unknown. This includes any individuals that enter our facilities or are simply around us in public. These types of attacks are becoming more common, and a majority of the security community are not aware they exist. Discussions on what was once thought to be science fiction are now science fact. Through continuing education on phishing and social engineering attacks, tightening MDM restrictions, endpoint management, behavioral analytics, least privilege and privileged access, we can take preventive measures around the threats we can't see.
Transcript [en]

Good morning, hi, good afternoon. How's everybody doing? My name is Len Noe, and today I will be presenting to you the biohackers, the invisible threat. So let me go ahead and get this up on the screen and get it shared out for y'all. One second here. Okay, give me one second, I'm not a big Zoom guy. We got this. All right, here we go. All right, my name, like I said, my name is Len. I am a global enablement engineer and I'm a biohacker and a white hat, and currently I work for CyberArk Software. No, okay.

All right, let's try this. Good afternoon, my name is Len Noe. I am a biohacker, white hat hacker and a global enablement engineer, and I currently work for CyberArk Software. Today I'll be going through my presentation on biohacking and biohackers, the invisible threat. So a little bit about me. Yes, that is a QR code; yes, I know this is BSides; no, I'm not going to hack you with it, it'd be a really bad career move. Just a little bit of information about me: I invite everybody to reach out, hit me up on LinkedIn, I've got some GitHub content out there, I've got a really nice YouTube channel, and hook up with me on

Twitter. On the right-hand side of the screen there's a little bit of my background and things that I've done. So let's just get right down into it. Let's get started by saying: what does a cyborg look like? When you hear the word cyborg, what comes to mind? Maybe a Terminator, Star Wars, Star Trek. Everyone who knows the definition will probably have a vision in their head, and I'm going to bet it's probably shiny. I hate to pop your bubble, but that's really just not the case. Cyborgs are not only on the movie screens anymore; they walk among us, and you may be friends with one and you just don't even know it.

These are my hands. I'm a biohacker in the truest sense of the word. I'm not only an augmented human with microchips in my hand, but I'm also, like I said, a white hat hacker. I am a hacker that has modified my body to take advantage of the technology, to turn myself into the attack vector. I'm going to give you a little bit of a road map on what I have currently and where I'm going. So as you can see in the X-ray above, this first chip is called a flexNExT. This is a long-range NFC/RFID chip. I have a NExT, which is the same as the flexNExT but with a little bit of a shorter range.

I have a flexM1 magic. This allows me to emulate any number of older access cards, from public transit membership tokens to physical access. I have a VivoKey Spark 2. This is a cryptobionic chip that can perform strong cryptographic functions. And since the time of this X-ray I've actually added a couple of new toys, like this magnet in my finger right here. This one is actually a biosensing magnet that will allow me to actually feel electromagnetic currents. It works really well when doing physical pen tests if you're trying to trace electrical lines for magnetic locks and things. I'm also in the process of working on getting what is called a PegLeg, but we'll talk about that a little bit

further on in the discussion. So augmented humans are not science fiction. We're here, we're not going anywhere, and as the technology continues to evolve, so are we.

Yesterday, today and tomorrow. I'm not going to spend a lot of time on the history of who we were, just enough to show that the biohacker or transhuman is just the point where science, technology and humanity meet. The idea behind implanted technology inside the human body has been around since the 1950s. The patent for the first cardiac pacemaker was submitted in 1952 and was the size of a table radio. This was not fully implantable and also required leads to be connected to an external power source. With the advent of the transistor in the mid 1950s the ability to construct a fully implantable device was achieved. In May of 1958 the first implantable technology was placed inside of a test

animal. The first human to receive an electronic device implanted in the body was in Buffalo, New York in 1960, and the tech up to this point was pretty static; it didn't allow for much in the way of conditional execution or modifications from the original programming. 1964 gave host to the first implantable technology to contain data from the body itself. Throughout the 70s and 80s there were advancements that would set the world on its ear. 1990 is when things really started to pick up for the implant community, from the creation of smart prosthetics and devices all the way through to today, where discussions around artificial intelligence are pretty commonplace for biohackers. Our history was forged by

the medical profession to address deficiencies in the human body from a reactive perspective; by that I mean the issues were already there. Additionally, there were no options for an individual to enhance themselves through technology. So that brings up the question of who we are today. People like myself are referred to by many names: biohackers, grinders, transhumans. Regardless of what names you want to put on us, we all share the concept of moving beyond the human form we were born into. The term transhuman was first coined by Julian Huxley in 1957. The movement he created was fueled by multitudes of people looking to extend the capabilities of the human body itself. So where do you find implantable technology?

Same place we find anything else: the internet. Now I want to say here, I do not work for Dangerous Things, I do not get a kickback from them. These are just the guys that I use, and the only reason I'm even including this information is because I get asked all the time after these talks where can I find more information about this stuff. So these are the guys that I use; again, I'm not sponsored by them, they're just the ones that I've picked. So what kind of implants are commercially available? We have magnets, both lifting and biosensing, we have NFC implants, we have RFID implants, we have combination NFC and RFID implants, and we even have LEDs

for those of you who, when you want to go out to the club at night and you want to have your hands blinking, we got you covered for that too. I'm not going to go into the procedure that shows how we install these, but let's just say there are needles at a minimum or scalpels involved, and there's a lot of blood. If you'd like to know more about that, reach out to me afterwards if you've got questions, but I don't want to gross anybody out on a nice Saturday morning or afternoon, depending on where we are. So moving on: what were these particular devices originally expected to be used for?

We have the ability to start our cars, automotive and keyless entries; maybe you've got fobs for your office, for your home, membership tokens. How about contactless payments? I mean, you guys over there in the UK, there's a new implant that was recently released that's only available over there in your markets, not even available to me here in the States yet. It's called the Wallet, and this is a chip that you can actually tie your debit card to and make payments the same way you would through NFC contactless payments via Apple Pay or Android Pay. So this is all stuff that's actually coming at us right here, right now. Unfortunately, not all of us are friendly.

As security professionals we need to start looking beyond what we're comfortable with, beyond the normal attacks that we've heard about for years. The attacks and the end game may not have changed, but the delivery methods have come right off the movie screens and into our company's infrastructures and data centers. Security admins know the normal attack vectors such as USB drives, phishing, CDs, the list goes on and on. But how do you address the fact that any one of your employees could potentially have a full Linux system or RFID or NFC chips beneath their skin? What if someone implanted an HID or proximity access chip? There would be no evidence or indications of compromise of

any type to the naked eye for someone being in a restricted location. Chip implants utilize the same technologies that enterprises are using: RFID door badges, NFC for IoT, MIFARE and HID proximity cards. These are just a few of the examples that are out there, and all of them are currently available. So let's talk a little bit about the outer fringe. With the number of regulations and audits that companies are required to do for compliance, how would you know if someone has bypassed your security policy and brought a rogue asset into your environment? Simple answer is, you wouldn't. This is a PegLeg. This is a single-board computer modified to a minimalist form factor

with a wireless charging receiver, and then encased in biopolymer and implanted in the body. This is on the outer edge, extreme even for most biohackers. This is not a simple process, and making sure that the SBC is completely sealed has caused a number of individuals that have attempted this implant to require emergency removal surgery. But this still doesn't stop many more, including myself, from trying to get one of these things implanted. These devices have Wi-Fi as well as Bluetooth capabilities and can be accessed over SSH from a mobile device. This would allow a bad actor to have access to binaries, or even something as widely known as Responder. They can be made into rogue access

points as well as command and control servers. The possibilities for concealed Linux systems are only limited by one's imagination. Originally intended to act as a logless file transfer drop, the PegLeg was originally designed to leverage the PirateBox software. However, as with anything in the technology space, people took that simple idea and have branched out to more creative, or devious, areas depending on your perspective. Full Linux distributions have been implanted. These devices are headless but have Wi-Fi access points configured to allow access to the implanted device. Once connected, the attacker has access to a terminal for interactive processes, or it can be set to perform non-interactive scans and sweeps. For low energy Bluetooth it can be utilized for an

attack like BlueBorne, or, working in conjunction with a USB share application like VirtualHere, an attacker could execute mousejacking attacks and inject automated payloads with tools like JackIt, all while standing and having a casual conversation right next to you at your desk. So let's move into the actual attack vectors that we came here to see today. The first one we're going to talk about is the issue of physical access. Any company will have restricted locations on-prem, whether that means executive offices, supply rooms or server rooms. The need to keep restricted access restricted in some locations is just part of doing normal daily business. I'd be willing to bet that there are a

large number of people in attendance that have an ID badge on them, or, even if you're virtual, everybody's seen those badges. Additionally, I would bet a large number of people feel that that type of badge and badge reader system is an acceptable risk from an audit perspective, and as such should appease your C-level executives with the fact that your physical access is secured. Considering this is BSides, I really hope nobody here believes that. How many people typically walk around with an access badge on a lanyard or maybe a retractable belt clip? How many of us are spatially aware to the point where, if we were talking to

someone like me, would you notice if I had a little tool like a Proxmark or Chameleon Mini? Would you notice if I was able to get it close enough to your badge to where I could actually access it while we're talking? I know, I know, I know, I hear this every time I've given this talk: there's no way that someone would be able to do that to me. I hope you're right, but I've got countless case studies and I've done it numerous times to know the fact that it does work and it can work. The idea of cloning access badges has been around; this isn't new technology. This has been commercially available now for over a decade.

The difference, what makes this attack vector different, is the fact that there's no key indicators of compromise once breached. Unlike the old days, where an attacker would need to have a copy of the cloned key or a battery pack for a Proxmark to replay this card data, now the attacker can write this information to a subdermal implant and then proceed, with no way for a security professional to know how or what method they took to be able to access these types of locations. So now that we've gone over the definition, let's go ahead and get into our first attack demonstration. This attack I call the Handshake. This requires just a little bit of

social engineering and proximity. So let's go ahead and let me show you what this looks like in real life. We're going to start off here, and this is my phone. As we can see, I've got the Proxmark Chameleon application, and here's my ID badge, and yes, that's my actual ID badge; I know, I'm the only guy whose picture looks like he's clip art. We go ahead and we scan that badge. Once we get the information in, we can go ahead and take a look through it and we can dump the scan down there. Now we can take a look at all the different sectors. We're going to rename

this to "Len's badge", and before you guys decide that you want, since this is BSides, to try and use that: it's a dead card, but I give you credit for trying. So now let's go ahead and let's scan the chip in my hand.

Again, going back into the app, here we see I have a new UID, and if I go ahead and we dump this as well, you'll see that the sectors do not match. Now, there are multiple ways to do this. The point behind this methodology was to show that all I really need is that Proxmark Chameleon Mini and my cell phone. That's all I need, and then once I've actually done the dump I can get rid of the Proxmark for the most part. So now we're going to go ahead and I'm just trying to get these into a better position where I can use multiple tools on my cell phone, so we're just

going to save them up to my Google Drive long enough for me to be able to pull them back down and manipulate a little bit more. So now we're going to go over into the MIFARE Classic Tool, and we're going to go ahead and import, and I'm going to grab those two dumps that I just grabbed, one being my implant, one being my ID.

This takes just a moment, and then we're going to be able to do a diff and show you how we're going to validate that they're different. Then I'm going to go ahead and rewrite the actual ID card back to my chip, and then we're going to rescan it and do another diff, and you'll see that every single thing matches up. Once this happens there would be no IOCs whatsoever for me to be able to get past some of your physical access restrictions. So, dump to be written: Len's ID. Now we can actually go ahead and use the cell phone for this, just like that.

New tag found. So now we're going to go ahead and write the tag, and it's that simple. Now I have a clone of my badge on my hand, and for the record, yes, I have done this in real life, and yes, it does freak the people in the office out when I show up. So we'll give it just a few seconds more while we finish the process. So now we have Len's ID and my implant. Now we're going to go in and grab a new slot, and we're now going to read my hand. Press the button, data collection.

Let's go ahead and we'll do our dump. So now we have a third, and now if we take a look there, implant two. Now when we go ahead and we do our diff and we compare the two, you'll see that both of them now completely match. So the idea that you can use any type of badging system on a single methodology, I don't recommend it whatsoever, any type of single point of failure without multi-factor authentication. These are the types of things that are capable out there right now.

So that was our first attack vector; that was Handshake. So now let's talk a little bit about NFC. NFC, or near field communication, is an amazing technology that many of us have in our pockets right now. Every Android device has full access to transmit or receive NFC data. Apple is a bit more complicated to explain; functionality is based on your iOS version, but the quick and simple answer is there is no native access outside of an application. I don't see it staying this way, so all of you iOS people, just be careful, keep an eye on this. Android people, if you're using NFC, use it sparingly and be aware that it is by default a non-secured protocol.

So just like I stated, the standard NFC utilization can be almost anything, from beaming a file to a co-worker or a friend, or using a key fob or app to transmit a signal to a receiver. Here's where it gets interesting: NFC gets its power from the receiver. There's no internal power required to be able to keep a loaded tag in waiting. The implant that I'm going to be using for this next attack is going to be that large antenna flexNExT NFC chip. I'm going to be showing two different attack vectors around NFC. The first one is going to be L3pr@cy, and then the second one is going to be called Flesh Hook. So the first attack, L3pr@cy:

This one may or may not always work, because there are a few conditions that need to be met in order to execute properly. NFC must be enabled, and "allow apps from unknown sources" must be enabled under developer mode. At this point it's just a matter of social engineering a situation where I could get my hands physically on your device. Come on, let's be honest, if anybody's a decent social engineer you know you're going to be able to do this. This attack, as well as Flesh Hook, is designed to be performed in plain sight, actually standing right next to my victim. I don't think it would be such a stretch to assume that if we work

together, and maybe even if we didn't, if I was to make some kind of scene about an issue with my wife or daughter or granddaughter and I was pleading for someone to help me make a phone call, I know the good Samaritan, someone out there, would be there to be my victim. We all have a built-in mechanism to try and avoid conflict, as well as not wanting to be viewed by others and our peers as uncaring. As an attacker I know this, and I will do everything in my power to take advantage of it. Once the phone or tablet is in my hands, the receiver in the device will pick up the tag I have programmed in my hand

that is pointing to a web location containing an infected APK that was created with msfvenom. Anyone not familiar with msfvenom, go check out Metasploit, it's an amazing tool. So I've gotten the device in my hands; the chip has prompted to either install or save the file. I go through the motions of what appears to you to be making a phone call; what I'm actually doing is loading an APK and then quickly returning the device. This attack will provide persistence as well as a hidden icon, so that the owner would not be able to see anything out of the ordinary, as well as not finding anything in the applications list. What if this was your work phone?

What if this was the device that you did your banking with? In this scenario I'm already in the phone before I've even left the room. From my Metasploit control server I can gain access to the contacts, emails, photos, downloads, essentially anything that is on the device, and I'm going to show you that video right now. This one's going to go a lot quicker than the last one. In the top pane, this is my ngrok session for obfuscation, and I'm going to go ahead and launch my Metasploit console. From here I'm going to just load up my resource file to get my listener correct, and I can go ahead and launch it.

So we've got our listener sitting there. At this point, here's the cell phone: "Oh my goodness, help, there's a problem." Get close enough, and just like that it's going to prompt, and what we're going to see is "do you want to download this APK and install it", all the while I'm pretending to just sit there going "I can't remember my daughter's phone number, what's going on, hang on, yeah, that's what it is, 444... I'm not sure what the phone number is... oh wait a minute, my wife just... I'll call my wife, here's your phone back." It's over; it's already open.

At this point you can see we now have a spawned Meterpreter session. We can go in, run sysinfo; I'm on the Android, dump call logs. At this point it's basic post-exploit commands: grab your SMS, even pop a shell and navigate into the actual Android OS file structure. Now I'm not going to dig too deep into this, for the sole purpose that I'm not here to talk about the Metasploit attack; I'm here to talk about the human as the attack vector. So just that quickly I was able to actually pop a shell on an Android device simply by touching it. For the final demonstration I'd like to introduce Flesh Hook.

In this use case I've programmed the chip in my hand to point to a specific website that's been compromised with the BeEF suite. BeEF is the browser extension exploit framework. This infects, or hooks, the browsers of any devices that connect to it and allows remote code execution as well as persistence. Through the BeEF suite an attacker can enumerate the local LAN the device is connected to, as well as execute advanced phishing attacks executed on the device itself. Again, this requires a little bit of social engineering, but as we just talked about, this probably is not going to be that big of a problem. What makes this attack more dangerous than L3pr@cy is that there's no need to install

anything, along with the fact that most mobile devices have some type of web browser pre-installed. NFC and a browser are the only requirements for this attack to function. So let's go ahead and let me show you what this looks like. Again, sitting on my Parrot desktop, we're going to go ahead and start BeEF; it takes just a moment. All right, so now the BeEF UI is there. Okay, so now what I'm going to do is go over and log into my BeEF control panel

in preparation for hooking a new browser. So now, once again, got a cell phone; all I need to do is just get close enough to it in order for it to read my hand, and this will read through the palm of my hand. In this case I've made a copy of the PuTTY website; it is actually a clone. And if we take a look inside the BeEF suite you can see that I've hooked the new Android browser, that fast. I'm going to show a couple of quick examples just to show that I do have an actual live connection, but I'm not going to spend a lot of time digging deeply into the functionality of BeEF, because that's

not the point; this is just to show that we do have an actual connection. So we're going to get the geolocation of where my device is at this point in time. If we take a look, it says, look at that, Texas, city Pflugerville. Well, I do live in Texas and Pflugerville is pretty close, so that's pretty scary in and of itself. We also have the ability to detect certain types of connections. Like I said, I'm not going to try and take credit for the BeEF suite, just the methodology that I use to be able to connect to the BeEF suite. So just poke around in here for just a few minutes, just to show that we do have

some live data coming in, just like that. So at this point, who will we become? We see where we are today; where is this technology going to take us into the future? When we talk about the future of implants, it's almost as if we're trying to write a new science fiction movement. Companies like Tesla are working on technology like the Neuralink, a brain implant that will allow interfacing between the brain directly to a computer system. This sounds like a man-in-the-middle scenario just waiting to happen. Products like the "will it", a Bluetooth receiver that requires no batteries and gets its power from the air, and we all know that Bluetooth is

completely secure and not vulnerable, right? Never heard of BlueBorne? Imagine if that attack could jump from person to person. What about implantable Wi-Fi transmitters and receivers? There's a product in development right now called Neurograms. Nobody's ever been able to compromise a Wi-Fi network. Imagine if you could infect a human being with a web-based virus. These are just what we know about currently. The biggest restriction to advanced technology implants is still the power source. There's not currently an effective way to provide clean power to any devices on a commercial implant. This is the same issue with the PegLeg and the need for the indirect fast charger. It's not always the computer technology that needs to catch up;

in this case the only thing holding back progress is power. Once that's been addressed, the possibility of 24/7 access to an embedded system in the body is not a far stretch. I want to take a moment to talk about the legality, morality and ethical issues around implanted technologies. From a legal perspective I'm going to talk about the United States, because that's where I live. There are no federal laws regarding microchip implants. At the state level, as you can see from the graphic here, there are multiple states that have adopted different types of legislation. There are essentially two types of laws that have been passed around microchip implants in the United States: one mainly focuses around employers,

and one is much more general. Number one, there is a ban on employers mandating employee microchipping. There were a couple of states where employers were trying to force microchips as a way to deal with time clock and attendance, and this was shot down quickly. And then there are some states that just have a general ban on individual microchipping, period. So let's talk about the liability from an employer's perspective. If an employee got microchipped, does that in and of itself make that employee a security risk? What if they're just using the chip to access a gym or a garage, or it has absolutely nothing to do with the company, but the chip could be used in an

offensive manner? Would that be something that a CSO would want to know? We allow employees to bring personal phones to work, excluding restricted areas, but detection of this is very, very obvious. Much of the current legislation stems from a push to replace access badges with implants for physical security, but does this mean hope from my "I lost my badge" perspective? It does not enhance the security posture for a company. Remember, implant chips at this point are static; they require a reader or power source to be able to function. Now, just like with the Handshake attack, bad actors could use the same tools and scrape the target implant's information the same as if it was a

physical key. The one main difference is that you can take your key card, you can lock that at home when you go out. Implants are on all the time; if there's a receiver within range, they will read the chip. There is currently no off switch, and as such attackers now have 24x7 access to physical access data, because it's with you wherever you go. To that point, you saw my X-rays; I actually had to have special Faraday gloves created just to have the ability to turn my hands off. When the concept of morality and ethics comes in, unfortunately the topic of faith comes into play. I want to take a quick moment to say I

am in no way trying to be disrespectful to any religion, faith or ideology, and I'm just speaking to the questions that I have personally heard. As an international speaker I've had discussions with people all over the world about my implants. These discussions typically go in one of two different directions. Most of the time it starts from either fear of being tracked by the man, or I've been asked if it's the same chip that people put in their dogs or cats. All of these conversations are driven by the fear of the unknown or the different. I've had acquaintances tell me that they're physically afraid of me due to the fact that I have implanted

myself. I really don't know what they're afraid of; it's almost as if they think I'm going to turn into a Terminator and go on some kind of a rampage. It's not the case. The truth is that there are more people like me out there than you could actually imagine. The difference is I don't have a problem with people knowing who and what I am. Many others like me keep their implants secret over concern for the social stigma associated with chipping. The decision to augment ourselves should hold no weight in regards to the issues of faith or morality, provided the decision is still left with the individual and not a mandate from any type of authority. Like

I said earlier, not all of us are friendly, but most of us are. So finally, the question is: how far is too far? We briefly touched on Tesla's Neuralink and the PegLeg, two very different products with broad sweeping ramifications to the individual as well as employers and law enforcement. I remember a movie from back in 1995 called Johnny Mnemonic, where the lead actor has a hard drive in his brain and is used as a storage device by a courier for stolen data. Or The Matrix, where to learn a new skill we just load the instruction set and we have all that knowledge within our minds. The genie is out of the bottle, and

there's no way it's going back in. As technology continues to advance and improve the quality of life, we need to remember that any tool, regardless of what its original intent was, can be misused. As security professionals we need to be aware of this and adapt our countermeasures to include this new attack vector. The fact that there is nothing unilateral across the board means it will most likely become a corporate decision on how to address chipped employees. Without a better understanding of the technologies being discussed, these choices may be made for the wrong reasons. To say anyone with implanted technology is an automatic threat would be to say that any car owner could be a vehicular homicide suspect.

So, takeaways. This is where we start getting into where we go next. Within the next week, try to identify if there may be any contactless systems that are deployed within your environments. Within the next three months, start looking around to see it, and you should have a full understanding of the scope of your vulnerabilities, as well as starting to evaluate and define the addition of new security protocols to add a second factor to your contactless configurations. Excuse me. Within the next six months you should be at the implementation stage of the second factor. This will remove an attacker's ability to compromise access with only the tag information. I want to take a moment to talk about

some of the mitigation strategies around both RFID and NFC. You know, like I said before, single factor: not a good idea in my opinion, period. But look into switches. Switches require both the RFID tag as well as a code on a keypad, essentially multi-factor for RFID. Lock passwords: a lock password is a 32-bit password which must be transmitted before a tag will transmit its data. Skimmers will be unable to access that data since they can't provide the password. Take a look at, you know, basic access controls: the reader must supply a specific key before the tag will reveal any personal information, blocking potential skimming. This method is pretty commonly applied to protect the sensitive data

stored in passports from being read by outsiders, so same technology. And mutual authentication: in this process the sensor will send a line of code to the tag. The tag will decipher it using the key, which is known to both entities. If the tag is successful, it can then send a line of code to be similarly deciphered by the reader. Once both the tag and the reader are certain that they are who they say they are, then they can start transmitting their data. When it comes to NFC, the most important advice is: if you're not using NFC, turn it off. Stay on top of patch management as manufacturers update firmware. Be vigilant in staying current on your

firmware in any aspect of contactless technologies, RFID, NFC especially. Educate your employees; educate people about the fact that the NFC protocol in general is non-secure. Everybody thinks that ease of use, being able to beam a file, yeah, that's great. Don't leave it on; there will be somebody out there like me. And finally, utilize blocking shields for tags and cards when they're not in use. The idea that we all leave our badges just sitting on our sides, this is bad business. I understand that a lot of companies want to be able to see, you know, your face. Get some RFID and NFC blocking sleeves for these things. Don't become a victim to someone like me. With that,

I would, if there's any questions, I've got about six minutes, otherwise I'm done. I wanted to say first and foremost thank you all very much for allowing me to present today. I hope you found the content at least interesting, and my hopes are that we can actually start moving this conversation forward. The transhuman movement, we are not going away, and there are more of us than you think. I'd like to, as just a word of option, if anybody wants to grab my information one last time, here it is. I again, I would love to see you guys when I get the opportunity to come back over to the UK. Reach out to me over LinkedIn if you

would like to have any further deep dive discussions. I am a very approachable person and I will answer all questions that are thrown at me; typically I respond within 24 hours. But with that, this concludes my presentation on Biohackers: The Invisible Threat. I thank you all very much for your time in attendance, and I look forward to seeing you in the real world again, and hopefully everybody stays safe with the health situations, and I really look forward to all of us getting back to normal as soon as possible. Thank you very much for your time.
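The mutual authentication exchange described in the mitigation section (reader challenges the tag, the tag answers with the shared key and challenges back, and data is released only once both sides have verified each other), written out as an added example. This is not code from the talk or the speaker; it assumes HMAC-SHA256 as the shared-key primitive standing in for the "decipher with the key" step, and the key, payload, class and function names are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample values (not from the talk).
SHARED_KEY = b"constructed-shared-key-16"
TAG_DATA = b"facility=42;card=1234"  # payload the tag must protect


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the joined parts; assumed stand-in for the
    shared-key 'decipher' step.  The role label in parts[0] gives domain
    separation so a reader response can never be replayed as a tag response."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Tag:
    """Tag side: answers the reader's challenge, issues its own, and only
    releases data after the reader proves it knows the key."""

    def __init__(self, key: bytes, data: bytes) -> None:
        self._key = key
        self._data = data
        self._my_challenge: Optional[bytes] = None

    def respond(self, reader_challenge: bytes) -> Tuple[bytes, bytes]:
        self._my_challenge = secrets.token_bytes(16)
        return mac(self._key, b"tag", reader_challenge), self._my_challenge

    def release(self, reader_response: bytes) -> Optional[bytes]:
        if self._my_challenge is None:
            return None  # no exchange in progress
        expected = mac(self._key, b"reader", self._my_challenge)
        if not hmac.compare_digest(expected, reader_response):
            return None  # reader failed to authenticate: stay silent
        return self._data


class Reader:
    """Reader side: challenges the tag, verifies its answer, then proves
    its own key knowledge against the tag's challenge."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._my_challenge: Optional[bytes] = None

    def challenge(self) -> bytes:
        self._my_challenge = secrets.token_bytes(16)
        return self._my_challenge

    def verify_and_answer(self, tag_response: bytes, tag_challenge: bytes) -> Optional[bytes]:
        if self._my_challenge is None:
            return None
        expected = mac(self._key, b"tag", self._my_challenge)
        if not hmac.compare_digest(expected, tag_response):
            return None  # tag is a clone or skimmer copy without the key
        return mac(self._key, b"reader", tag_challenge)


def run_exchange(reader: Reader, tag: Tag) -> Optional[bytes]:
    """Full over-the-air exchange; returns the tag data only on mutual success."""
    c_reader = reader.challenge()                      # reader -> tag
    tag_resp, c_tag = tag.respond(c_reader)            # tag -> reader
    reader_resp = reader.verify_and_answer(tag_resp, c_tag)
    if reader_resp is None:
        return None
    return tag.release(reader_resp)                    # reader -> tag, then data


if __name__ == "__main__":
    print(run_exchange(Reader(SHARED_KEY), Tag(SHARED_KEY, TAG_DATA)))   # data
    print(run_exchange(Reader(b"skimmer"), Tag(SHARED_KEY, TAG_DATA)))   # None
```

The point the exchange makes is the one the talk's "second factor" takeaway rests on: a device that has only copied what the tag transmits over the air holds the UID and payload but not the key, so it can neither answer the reader's challenge nor make a genuine tag release its data. Fresh random challenges on each run also mean a recorded response is useless later.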