Is “Biohacking” our future?

The term “biohacking” has developed several definitions over the past several years.  It has, however, increasingly come to refer to implanting devices into one’s body in order to interface with technology, e.g. implanting microchips for payment and other services.

From my perspective, I really dislike this term, especially because many people in the technology arena are advocates of this practice.  To me, it seems silly to take a word that typically has a negative connotation to people, like “hack”, and apply it to something you see as positive.

Regardless of the terminology, the real question lies in whether or not we should go down this path at all.  The debates range from technological advancement and the natural progression of technology to moral questions and even apocalyptic omens.  I’m not sure where you might fall in this, but for me, it is somewhere in the middle.

If you read my blogs at all, by now you should know that I love technology and have built my career around protecting people from the misuse of technology and trying to make it productive to increase the efficiency of our lives.  While I do understand that there is a natural progression to anything, including technology, I do think we forget to ask ourselves if the next step is really one we should take.

According to a recent article from Hacker News, “Marketing solution provider Three Square Market (32M) has announced that it had partnered with Swedish biohacking firm BioHax International for offering implanted microchips to all their employees on 1st August, according to the company’s website.”  I encourage you to read this article and truly develop your own opinion on the subject as I think we will start to see this trending more and more.

As an IT professional, I totally see the benefits and security of this type of access control and monitoring.  They refer in the article to things such as door and computer access as well as vending machine purchases.  This is, in many ways, an IT Director’s dream.  One of the first positives that I see is that we essentially are eliminating the need for passwords on our computers if the access is controlled via these devices.  We, therefore, take the human element out of the equation of computer access which will always make IT people happy.  Or will it?  Let’s think about the new security concerns and other questions that will arise.

Security and other concerns:

  • How do you handle these devices once the employee has moved on from the company?  Do they keep it or do you have to have it removed?  What is the expense either way?
  • The devices use RFID to communicate.  How easy are these devices and/or their frequencies to copy, manipulate, or duplicate?
  • What are the long-term health implications of these devices inside the body?
  • Are there other health concerns such as pacemakers, defibrillators, etc.?
  • Can the device or frequency be tracked off-premise or even via GPS?

These questions make up just a few of the concerns that will inevitably arise.  As with the case of introducing any new technology, we introduce an entirely new set of concerns and avenues for security breaches, many of which we are unable to see until we have implemented said technology.  Many times, it is near impossible to foresee all of the new issues and attack vectors that will arise from new technology implementation.

The hardest part for me is that I am such an advocate of new technology and where advancements are taking humanity.  I appreciate them and usually “geek out” over them initially.  However, I find myself having an ever-increasing reticence with things like biohacking and biometrics.  On the surface, they seem to just provide convenience and more peace of mind.  I contend, however, that many of these new technologies, especially authentication technologies, should be carefully examined and tested before implementation.  If there is one thing history has taught us, it is that if someone wants into something badly enough, they will get in.

Some food for thought for us all I suppose . . .

Stay connected.  Stay safe!

Austin Bynum
Chief Watchman
Cyber Watchtower

Austin Bynum has spent the last 18 years working in IT and network security.  His passion is to ensure everyone stays safe online and digitally.  His belief is that everyone has the right to be safe online without having to be their own expert.

Passwords vs Biometrics?

Most people are of the opinion that the use of biometrics will soon take over the use of passwords as we progress technologically as a society.  For those who don’t know what I’m talking about, a biometric is some sort of unique identifier belonging to you that exists somewhere on your body, e.g. a fingerprint.

If you use fingerprint identification on anything, then you know how much simpler it can make your life when accessing your information. Most of the modern smartphones and even many laptops have this capability now.  It is hard to argue that the use of biometrics is typically faster and simpler overall for the user.

A recent incident has brought some pretty large attention to the issue of biometrics.  Self-service food kiosk vendor Avanti has been a victim of a malware attack that, according to them, has most likely compromised customer biometric data as well as their first name, last name, credit card number, and expiration date.  This attack is also one of the largest successful Internet of Things (IoT) attacks and, according to some reports, up to 1.6 million people could be impacted.

The biggest question to me arising from this incident is one of overall security involving biometrics.  While it’s true they are typically easier and faster to use, it’s not exactly like something you can easily change if it gets stolen.  If your password or even credit card data are compromised, those at least you can change.  However, if your fingerprint or other biometric data is stolen, those are not things you can change.  This question and others relating to biometric security are continuing to resurface after incidents such as these.

So, what is the solution? In my mind, we always increase security with a multi-layered approach.  In the case of logging into something like this, one might have a password and biometric data as a form of two-factor authentication. The flip side of this is that users would most likely complain that now the system is more cumbersome to use.  Yes, their data might be a little more protected, but the technology that made their life easier just got more complicated to use.

While I still believe in two-factor authentication, in the case of Avanti’s breach, the data would still be compromised.  So if you are an Avanti customer, your biometric data might be in someone else’s possession now.  I know, it is scary!

While I still think that biometrics represent a lot of our future authentication, the question must be asked about securing that data, how it is stored, and how it is transmitted.  According to Brian Krebs and his research, some simple technological applications to the kiosks themselves could have prevented this breach easily.  The kiosks fell victim to a known family of Point of Sale (POS) malware called PoSeidon that siphons credit card data from point-of-sale devices.  In this case, it grabbed the biometric data too.

In my eyes, the fault lies with Avanti and their terminals, and/or the third-party vendors that distribute and maintain them.  That being said, while everyone is looking for someone to blame, the bigger question and picture here is that of you, the consumer.  How do you protect yourself? How do you avoid these problems?  Unfortunately, it is a question of your own risk management.  I write articles all the time about the best practices you should have to protect yourself, but the fact remains that when your data is in someone else’s hands, you lose control.

My advice this week: do the very best you can and be careful!  If you are an Avanti customer, follow the advice on their public statement and start monitoring your credit and close any accounts you may have used with them, or at least have your card reissued.

As always, if you have any questions or need help with anything, we at Cyber Watchtower are here to help you in any way we can.  Please contact us and let us help you.

Stay connected.  Stay safe!

Austin Bynum
Chief Watchman
Cyber Watchtower