HACKERS are getting under the skin of victims in more ways than one … even going as far as having the electronic tools of their illicit trade embedded in parts of their own bodies.
US-based ‘ethical hacker’ Len Noe made his startling revelations during a visit to Bahrain yesterday and showcased what the bio-implants in his own body can do, from paying for soft drinks to installing malware on a phone.
“And, to top it off, my implants have not set off any airport security red flags, despite all the travelling I do regularly,” he said, to prove the point of how the security landscape has changed.
Part of the ‘trans-human’ movement which advocates for the enhancement of the human body using technology, he already has 10 bio-implants – two bio-glass and eight flexible membrane - already embedded in him, ranging from a digital identity microchip to a credit card and RFID tag.
“When I saw that consumer grade, reliable and safe bio-implants were becoming available, I looked at it through the eyes of a hacker and realised this is about as great of an obfuscation as you’re ever going to get,” Mr Noe, who is a technical evangelist and resident biohacker for cybersecurity firm Cyber Ark, told the GDN.
“One case in point, ‘badging’ systems to get into a building is a popular hacking target and in the past, you’d have to have a tool like a ‘Proxmark’ or a clone of an entry card, so when the authorities came there would be some indication of how you did it.
“But, with a bio-implant, they wouldn’t be able to notice or detect the equipment, and also, in places such as the US, implants are protected by medical records privacy laws, so they would not be able to find them on your person without a court injunction.”
Mr Noe was talking on the sidelines of a workshop about deconstructing cybercrime held at the Wyndham Grand Manama and organised by Hilal Computers.
Ethical hackers are individuals who hack into computer networks in order to test or evaluate their security as a challenge rather than with malicious or criminal intent.
While some of his implants are practical, like the credit card chip, which has to be changed every three years, many of the embedded chips are hacking-related and paint a somewhat paranoid picture of the future and a useful warning of challenges ahead.
If Mr Noe was to ask for someone’s phone to make a quick emergency call, the near-field communication (NFC) chip inside the back of his hand could instantly pull up a website injected with what is known as BeEF (The Browser Exploitation Framework), which will rapidly install some malicious code on the phone, giving him complete access to it.
Mr Noe also showed the GDN how a chip in his left forearm authenticated his identity with a tap of his phone against it.
As he talked about the credit card embedded in his hand, Mr Noe fondly recollected the responses of people whom he tells them about his implants – including an incident at an airport where, after seeing Mr Noe get a drinks can from a machine with a wave of his hand, a woman started hitting the machine, not realising that he had paid for the fizzy pop with his bio-chip.
“Currently, there is no way to even detect these although there is a new type of dog training in the US which has been training canines to sniff out electronics, and I’m hoping to test a few of the dogs out, to see if they can detect my implants,” Mr Noe added.
Having worked in cybersecurity for 30 years, bio-implants are just the latest security challenge Mr Noe has seen, although they are far from prevalent at the moment.
Threats have evolved from malware-infested email links to spam-laden QR codes and corporate networks taken down by ransomware.
“The biggest threat in the Gulf and Bahrain is the same as everywhere else – cookie harvesting and ransomware, with hackers targeting infrastructure, banking and healthcare because of their dependence on technology and the high potential for payout,” explained Mr Noe.
Cookies, in IT, refer to small pieces of code saved on a machine after visiting a website that helps it remember information about the visit and cookie-harvesting involves tapping this data for nefarious purposes.
“For example, if a hacker can get a cookie or session token that has already been authenticated through multi-factor authentication, they can bypass that entirely,” added the US-based Mr Noe.
Ransomware – malicious software designed to block access to computers and networks until a sum of money is paid – has taken down hospitals, oil pipelines and banks around the world.
“There is a lack of awareness around how to best protect a company’s technology-connected assets from these attacks, and many of our clients used to think that a firewall or antivirus is sufficient,” Hilal Computers director Shijas Mohidheen added.
“Today’s threats require multiple counter-mechanisms, from two-factor authentication to access management and security monitoring, after we do an assessment of their current situation.
“This is either through a ‘red team’ approach – where they intentionally give us no information and we have to look at their network from a hacker’s perspective – or a blue team model – where they ask for assessments on specific elements in their network.”
Mr Noe and the Hilal Computers team highlighted potential attack vectors, as well as solutions, during yesterday’s session, noting that the most sophisticated-seeming attacks begin with hackers having a simple goal – getting access to employee devices, or endpoints like computers or mobiles, and then finding ways to elevate access.
As for the future, individual consumers, companies and the long arm of the law will next have to find out ways of fighting bio-implanted cybersecurity threats. You have been warned.
naman@gdnmedia.bh
&uuid=(email))