Got some new hardware installed.

24 July 2019

For a couple of years now, I've had my eye on the community of people who've had RFID or NFC chips implanted somewhere in their bodies, usually in the back of the hand.  If you've ever used a badge to unlock a door at work or tapped your phone on a point-of-sale terminal to buy something, you've used one of these two technologies in your everyday life to do something useful.  What I've wanted to do for a while was use an implanted chip as a second authentication factor to my servers for better security.  As for why I couldn't just use something like a key fob or a card or something.. there were a bunch of reasons, most of them having to do with only being able to find what I needed in bulk or the cost being too high because the equipment was aimed at corporate IT departments, where they have a need to crank out a couple of dozen ID badges an hour.  There is also the fact that, while I've been curious about various forms of body modification over the years I never really got into into them for a couple of reasons that probably aren't terribly interesting so why not do something useful?

Due to the fact that not everybody is going to be okay with me talking about an elective medical procedure, I'm going to put the rest of this article after the fold.

What proved to be a more significant problem was actually getting the procedure done.  After making the decision and realizing that there was little to no chance that I could install it myself I had to find someone who could implant the chip for me in a reasonably safe manner.  This took a couple of years, including a few failed attempts to get to the biohacking village at Defcon.  Early last week through a backchannel, I found out that Amal Graafstra of Dangerous Things and pretty much a vanguard in the field of elective implantation would be speaking at a nearby meetup and he'd have a batch of injectable chips with him.  Of course, opportunity was knocking and I hit the button as fast as I could before rearranging my schedule a bit to accomodate.

Cutting to the chase, the installation procedure was fairly straightforward albeit a little hairy in places.  The kit that I had purchased was the NExT RFID/NFC hybrid implant, meaning that it has the capabilities of both wireless tags in one tiny glass capsule 14mm long by 2mm in diameter, about the size of one or two large grains of rice.  The chip is small enough to fit inside a 14 gauge needle attached to a one-shot injector.  It was a little bit bigger than an IV cannula (though I might be overestimating slightly).  Also included in the kit was a chlorhexidine surgical prep, the same kind of tear-off bandage used to hold IV lines in, a couple of sterile gauze pads, a pair of nitrile gloves, and a disposable surgical field that unfolds onto a flat surface.  The injection itself was complicated by a couple of connections in the back of my hand that had to be routed around, so rather than "jab, inject, withdraw," the procedure wound up being "jab, root around a little bit, inject, carefully withdraw so nothing gets nicked."  This is more an artifact of my body than anything someone else would have to worry about.  For this reason it hurt a bit; I've never gotten a piercing before, so the only thing I can compare it to is getting an IV put in the last time I was in the hospital.  Total installation time was eleven seconds (after watching the video).

It's two days later as I write this and the only sign that anything happened is a 1/8" scab between the thumb and forefinger of my right hand.  There's a little bit of creeping bruising, probably due to my reaching in to a reasonably narrow jar repeatedly to scoop out coffee.  The chip is small enough that I can't actually feel it unless I'm right on top of it, and even then it's only the tenderness around the unit that registers.  It's between the hypodermis and fascia, maybe a quarter of an inch down if that.  Weirdly, the first day after I was getting some phantom pain on the opposite side of my body.  That went away by Friday and now I just have a slight ache in my hand if I type a little too hard.  The chip isn't embedded in the musculature, nor is it coated with a surgical bonding agent so if I ever need to get it removed, I can go to a general practitioner and have it done in maybe ten minutes time (with a local), or a bit less without one with a scalpel and a little pressure.  The soft tissue surrounding the chip (and along the injection channel) should be fully healed up in about two weeks, I'm told.

Following the obligatory "Why in the hell would you do such a thing?!" conversation when I got home (which is entirely fair), I thought it might be useful to someone out there to write up a few of the things that came up.  The implanted chip is passively powered, meaning that a signal from the reader (RFID or NFC, they're not the same) is what powers it.  It's not active all the time.  The range of the chip is very short; you quite literally have to have the sensor sitting right on top of it due to the fact that it doesn't technically have an antenna, it has a miniature inductance coil.  The signal is also undoubtedly attenuated by the fact that it's inside my body.  All in all, you'd have to be within a quarter inch of the glass capsule to read the chip, and that's a generous estimate.  In addition to that, I discovered that the position of the reader relative to the orientation of the chip is important and makes it somewhat difficult to access.  A certain amount of turning one way and another is necessary, as is moving the sensor around a bit so it picks up.  So, this chip really isn't useful as a tracking beacon.  You'd have to be sitting on top of me to pick up the signal, and by definition then you wouldn't need to track the signal.  The implanted chip doesn't have any sensors on board, nor is it capable of carrying out any calculations on its own (though there are a few implants capable of this, but of course they also need to be externally powered by a reader).

In theory I could store whatever I wanted inside the chip; I don't have an interactive RFID reader yet, but pinging the NFC part with an app on my phone reveals (among other things) a serial number which looks a bit like a MAC address, the amount of storage space (820 bytes), and a URL (dngr.us/NExT).  My phone says that I could add a few more records to the chip, erase it, or even set an admin password to keep people from messing with it (which I'm going to do).  On the RFID side of the house, it's fairly easy to get a reader which plugs into a USB port and pretends to be a keyboard, meaning that whatever is on the chip gets typed into whatever terminal or window is open, including a secondary password or a certificate.  RFID is less secure than NFC, though, so I might reserve it for shenanagains the next time I go to a con.  I think that's going to be my next project.