'My Body Is My Passport; Verify Me': FIDO Auth via Subdermal JavaCard Platform | Jack's Brain | the blog of Jack Kingsman


An Uncomfortable Scenario

You’re in a foreign country, and you’ve been mugged, completely — you’ve got the clothes on your back, and nothing more. Maybe you beg a phone call from someone to get in touch with a loved one to wire you some money. You’ve now got enough to buy a basic phone and use wifi to access Dropbox or Google to get at important papers, password manager data files, credit card numbers to set up contactless/mobile pay, etc.

You get the phone, enter one of your few memorized passwords (cloud provider, password manager, and disk encryption are my three!), and are greeted with an MFA prompt.

Damn.

You don’t have a second device to tap Yes on. You don’t have your TOTP generator app. You don’t have your recovery codes. Your digital bootstrapping is halted in its tracks.

Bummer.

Like many people, my digital life is fairly 1:1 with my actual life — catastrophic loss of all data I own would be, well, catastrophic to my life. I can and do mitigate this risk with aggressive backups over multiple services (local and cloud), but ultimately, a recovery needs to start somewhere, and given the value of those on-ramps, they’re all protected by MFA.

But what happens when I need to bootstrap myself without my TOTP tokens, recovery codes, or physical keys?

An Inside Job

“i carry my 2FA with me(i carry it in

my left arm)i am never without it”

ee cummings, sort of

My subdermal secure element (center, with loops)

In my left arm, I have a surgically implanted body-safe subdermal secure element, the NXP SmartMX3 P71. This is a JavaCard platform, capable of running multiple applets and interacting over NFC — essentially, the minimum form factor of a Smart Card.

One of the applets I have loaded is a NFC FIDO token (like a Yubikey), and I’ve associated that token as a second factor for all my most critical services. With my memorized password, a completely fresh device, and the second factor from the FIDO token inside my body, I can bootstrap my digital existence anywhere, from nothing.

Body Safe Microchips

Body-safe subdermal RFID chips are nothing new — we’ve been chipping our pets for identification for years. In the hobbyist community, the chip-in-a-glass-tube form factor gives an easy, safe way to keep electronics inside the human body. Most chips are delivered via a pre-sterilized injector: unwrap your order, choose a safe location for the chip in your body, clean the injection site, and in/depress-plunger/out, slap a bandaid on there. It hurts less than a piercing (the needle is about the diameter of a moderate to large piercing needle), and is quick and easy. Advanced piercers/body modification artists are usually happy to do it (many have experience), but if you’re not squeamish, some (myself included) choose to DIY. I’m not going to get into safety/risk/legality here, and you can of course do massive amounts of damage to your body with sharp implements, but it’s not really that extreme as far as body mods go.

As you heal, the body encapsulates the chip as a foreign-but-generally-non-reactive entity, and it’s more or less locked in place where you put it. They’re generally MRI safe, don’t set off metal detectors (less metal than your shoes’ eyelets), and require no adjustment to your life beyond trying not to smack them against concrete etc.

This simple form factor has given rise to dozens of chips that follow the same simple implantation steps — NFC chips, HID prox card emulators (via T5577 emulator chips), DESFire chip emulators with hacked serial number pages so you can clone many “proprietary” access cards, and more. I’ve even got an implant that gives you my vCard when you scan it (boring NFC chip capability) and harvests power from the inductive coupling to blink a bright green LED at you from under the skin (crazy cool party trick). You can even get glass-embedded magnets for EM field sensing and lifting-beer-caps-and-paperclips tricks, although they’re not usually as performant for sensing as the (old, dangerous, yolo-style) parylene magnets (which I had for five years; not biased at all) or the (new, very safe) titanium-encased magnets that are the state-of-the-art nowadays.

However, the tight spiral of antenna the glass-capsule form factor requires is not stellar when faced with receivers that are used to scanning gorgeous, large planar spiral antennas. It’s just enough to get through skin to a reader if you know the reader’s sweet spot, but it’s not usually a stable enough connection for large data transfer or more meaningful power delivery.

Futureproof, Waterproof

Enter the Flex series, from Dangerous Things, the premier (and one of the only) companies pushing the envelope in this area, run by Amal Grafstra (not sponsored; just a big fan). Flex implants trade the tight helical antenna for a flat planar antenna encased in a biocompatible resin, greatly boosting read distance and power delivery, and thus enabling more interesting compute. Dangerous Things offers both a generic and app-locked version of the NXP SmartMX3 P71, which can run just about any applet that fits on a smartcard, including:

• FIDO tokens

• Tesla vehicle unlock

• Onboard cryptography (keys never leave your chip)

• Crypto wallets

• Anything you can dream up using JavaCard, a limited subset of Java for low-power embedded devices

You program a smartcard using a generic smartcard reader; they’re a dime a dozen. Once you’ve loaded one or more applets, a reader that is looking for a particular applet will chirp a program-select command to the card, which will load the applet if it exists, and then communication can flow.
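The applet-selection exchange described above, sketched as an added example (not code from the original post or from any applet the author runs): it builds the ISO 7816-4 SELECT-by-AID command and runs it against a simulated multi-applet card. The FIDO AID and the `U2F_V2` version string are the values published in the FIDO NFC transport specification; `DEMO_AID`, `SimulatedCard` and the card's contents are constructed for illustration.

```python
# Added illustration: ISO 7816-4 SELECT-by-AID against a simulated multi-applet card.
FIDO_AID = bytes.fromhex("A0000006472F0001")  # FIDO applet AID (FIDO NFC transport spec)
DEMO_AID = bytes.fromhex("F000000001")        # constructed placeholder for a second applet

SW_OK = bytes.fromhex("9000")
SW_NOT_FOUND = bytes.fromhex("6A82")          # file or application not found
SW_WRONG_LENGTH = bytes.fromhex("6700")
SW_INS_NOT_SUPPORTED = bytes.fromhex("6D00")


def build_select(aid):
    """CLA=00 INS=A4 P1=04 (select by AID) P2=00, then Lc, the AID, and Le=00."""
    if not 5 <= len(aid) <= 16:
        raise ValueError("ISO 7816-5 AIDs are 5 to 16 bytes")
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


class SimulatedCard:
    """Constructed stand-in for a card holding several applets (assumption)."""

    def __init__(self, applets):
        self.applets = applets   # AID -> data returned on a successful SELECT
        self.selected = None     # AID of the currently selected applet

    def transmit(self, apdu):
        if len(apdu) < 5:
            return SW_WRONG_LENGTH
        cla, ins, p1, p2, lc = apdu[:5]
        if (cla, ins, p1) != (0x00, 0xA4, 0x04):
            return SW_INS_NOT_SUPPORTED      # this sketch only models SELECT
        if len(apdu) not in (5 + lc, 6 + lc):
            return SW_WRONG_LENGTH           # Lc must match the bytes actually sent
        aid = apdu[5:5 + lc]
        if aid not in self.applets:
            return SW_NOT_FOUND              # this sketch keeps the prior selection
        self.selected = aid
        return self.applets[aid] + SW_OK


def select(card, aid):
    """Send SELECT and split the response into (data, status word as hex)."""
    resp = card.transmit(build_select(aid))
    return resp[:-2], resp[-2:].hex().upper()


card = SimulatedCard({FIDO_AID: b"U2F_V2", DEMO_AID: b""})
print(select(card, FIDO_AID))                     # applet present on the card
print(select(card, bytes.fromhex("F0000000FF")))  # applet absent from the card
```

A reader only proceeds to applet-specific commands after a `9000` status word; `6A82` tells it the applet it wants is not installed on this card.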

With the planar antenna, reading from a phone is pretty easy; for unknown devices, I usually give a slow slide across my arm to find the NFC antenna location in the phone, but once I’ve got it, comms are super reliable. I’ve often had issues getting my glass capsule chips to read on phones I’m unfamiliar with, but the Flex series chips read every time for me.

If it wasn’t obvious from a general storefront and associated lively forum, there’s a not-insignificant number of folks with implants like this. It’s not super common, but there’s probably more than you’d think.

Implantation

Remember the pretty-straightforward implantation process for the glass-encased chips? Yeah, that’s not the case for the FlexSecure. It’s a flat, narrow rectangle, not a glass bead, so no easy injection.

Body modification shops have, from what I can learn, an uneasy truce with the government in how far they can go before they start to earn the ire of enforcement agencies. It seems, generally, that staying away from scalpels and anesthesia gives shops the best shot at not running afoul of “practicing medicine without a license.” Thus, the FlexSecure, while ideally done with local anesthesia and skin elevators, is typically inserted by using a large gauge (half-centimeter wide) needle that creates a pocket/slit once the channel is flattened out, then the chip is fed in to a reasonable depth that the body won’t squeeze it out during healing. No scalpels, but also no anesthesia.

It hurt a fair bit. It’s the only body mod I didn’t do myself; I have no confidence that I would be able to work effectively through that level of pain. The anatomy in the forearm is also a lot less forgiving: the ideal spot for glass chips is in the skin between forefinger and thumb (the “sweet spot” AKA “thenar webspace”), above the muscle. Generally, that spot is very anatomically and vascularly uninteresting. The forearm has much tighter skin with much more important nerves, blood vessels, and muscles floating around (i.e. tightly sandwiched), so it’s much more important to get your entry angle good, keep depth consistent, etc. Self-implanting glass capsules is already kind of goofy but defensible; 5cm of travel with a needle the size of an apple corer (not quite, but it feels that way!) one-handed is untenable.

The needle is inserted and advanced up to the black marker, removed, and the chip is fed in.

Outcome

This is really out there. Implanting foreign objects in your body carries a pretty significant risk profile. It’s generally low in the absolute when done by someone who knows what they’re doing, but relatively sky-high in comparison to not sticking non-medically-approved things in your wetware. But it’s different, and it’s functional, and I think that’s worth sharing.

The chip works great. It, and all of my RFID implants, have had no complications or major migrations. I will admit I use it rarely — maybe once every few weeks to confirm functionality, or when I need to do PGP encryption/decryption away from my PC (my full password list lives, PGP encrypted, in my FIDO-protected cloud storage). However, it feels amazing to know that I’m bootstrap-ready no matter where I am or what I do (or don’t) have with me. I gotta be honest, it also feels super cool to have a computer inside my body; it’s my own weird little flavor of body euphoria.

Plus, it’s a great conversation starter and party trick!

Want to learn more about my implants? Check out the implants page.

FAQ

[distilled from my implants page

No, I’m not crazy; this is an education-supported interest, not a compulsion. My risk profile and exploratory nature are a few standard deviations off median, but this was done with my eyes wide open to risk.

Yes, it’s complicated to explain to doctors, but they’re usually fascinated (once an implant is settled (infection-free and non-migratory), the risks drop to near-zero).

Yes, all the implants hurt a bit, and the secure element implantation was a lot of pain. If I had to compare it on balance, I would ascribe it in pain-intensity to a badly stubbed toe: hurts a lot, the pain eats your consciousness for under ten seconds, then it’s merely annoying. [I suffer from chronic pain since childhood; my agony-meter may be miscalibrated. Caveat emptor.]. My other implants were equivalent to or better than getting your ears pierced.

No, I have no trouble at the airport or getting MRIs; the implants have less ferrous metal than a tooth filling. My magnet implant was not MRI safe, but didn’t set off metal detectors – in the very unlikely event I would be MRI’d while unconscious, I wore a medical alert necklace explaining my situation.

Yes, it can be used for payments, in that it supports the necessary protocols to do so. It practically cannot, though, as the crypto keys needed to sign payments and participate in the EMV ecosystem are tightly controlled and Visa/Mastercard/etc. don’t give them out to individual hobbyists nor more-well-assembled groups that nonetheless want to do crazy things with chips and surgery.

Yes, I felt all sorts of things around me when I had my magnet implant – my favorite was walking through a store’s anti-theft bars which oscillated at a powerful and low enough frequency to be felt exceptionally clearly. However, I could also feel motors spinning up when I was close and even a faint tickle from 60Hz wall-mains if an extension cord was under heavy load. My most annoying trick was abusing MacBook’s magnetic lid sensor to touch a spot on a coworker’s laptop and put it to sleep (done very sparingly!). The most useful trick was extracting and holding small screws during laptop maintenance.]

No, the secure element is not vulnerable to proximity attack any more than a keychain NFC FIDO token is, except moreso, because I’m going to feel someone futzing with my arm (and they have to know it’s there in the first place). Yes, it’s vulnerable to a rubber hose attack, but so is my brain!

Yes, I love talking about my implants, if you couldn’t tell from the blog post. I’ve been interviewed about them for television and various articles and am always happy to answer questions! If you’re curious, feel free to drop me a line.