Florida (mad)man inserts NFC chip in hand for Android ‘biohack’
A hacker reportedly embedded an NFC chip inside his hand to infect and control Android devices. The exploit seems relatively inane, but the concept of 'biohacking' could have far-reaching security implications.
By Al Sacco
Something tells me Florida-based, U.S. Navy Petty Officer Seth Wahle is a bit of a character. Wahle, who is also an engineer at APA Wireless, tells Forbes.com that he paid an “unlicensed amateur” $40 to insert a small NFC chip housed in a glass capsule into his hand, between his thumb and forefinger, in an attempt to “biohack” — when electronics designed for hacking are embedded in the body — and control Android phones.
Wahle apparently programmed the chip in his hand to open a webpage when in range of an NFC-enabled Android device. The page initiates installation of a malicious Android .apk file, which can be used to remotely control compromised devices. In a Forbes demo, Wahle supposedly used the exploit to take a picture of himself using a remotely controlled device and the Metasploit software on his PC.
Of course, the man could have done the same thing with any NFC tag, even if it was just in the palm of his hand or discretely taped in place — no amateur surgery required. Also, the target Android device would need to allow the installation of third-party apps, a setting that is turned off by default. The perp would need an unsupervised minute with the device to initiate and confirm the app install. If the device were passcode-protected, it would somehow need to be unlocked, which means the actor would have to also steal a password or somehow dupe the owner into providing access. All of which is unlikely to occur without alarming the device owner.
I’m not at all sure this story isn’t an elaborate fake, albeit an entertaining one, though Wahle is apparently set to demonstrate his act at next month’s HackMiami conference. (He is listed on the event’s speaker page.) First of all, Forbes says Wahle inserted the chip into his left hand, but it shows before and after images of a right hand. Then there’s the chipeating grin on Wahle’s face in the image he supposedly took via the compromised device. (See above; I don’t trust that guy as far I could toss him.) Forbes also said the man demonstrated the exploit, but then it goes on to mention a Skype call, which could easily be used to fake a demo.
Skepticism aside, it’s interesting that hackers are actively experimenting with biohacking techniques. Tiny chips like the one that reportedly lives in Wahle’s hand apparently don’t show up in airport or other security scanners, so they could potentially be used to exploit sensitive systems in secure environments — and they could lead to more advanced, and more intrusive, threat detection systems.