Hackaday Interview with Amal Graafstra, Creator of xNT Implant Chip

Near Field Communication (NFC) enabled devices are starting to appear in our everyday lives. Shown in the picture above is the xNT (fundraiser warning), a 2mm x 12mm fully NFC Type 2 compliant 13.56MHz RFID tag encased in a cylindrical Schott 8625 bioglass ampule. It was created by [Amal Graafstra], who therefore aims to produce the world’s first NFC compliant RFID implant. The chip used is the NTAG203, which is (for the sake of simplicity) a 144bytes EEPROM with different protection features.

We can only start thinking of the different possibilities this chip will create in the near future, but also wonder which precedent this may set for future NFC enabled humans. Embedded after the break is the presentation video of xNT but also an interview I conducted with [Amal Graafstra], who has already been living for 8 years with RFID tags in each hand.

[Mathieu] First, we’d like to wish you all the best for your campaign, and it seems you’re already on the right path as you’ve just gotten $2k5 of your $8k goal on your first day.

[Amal] Thanks! We’re quite open about most of our R&D projects, and I know several people have been waiting for the xNT. They certainly came through at launch time. The tough part now will be to gather the remaining necessary backers, many of whom may be new to the entire concept of an implant.

[Mathieu] As mentioned in your video, you’ve been living with NFC chips in your left hand for 8 years now. Is it something you often ‘show’ to people, and what are their reactions?

[Amal] The chips I implanted back in 2005 are RFID technologies, but they are not NFC compliant, meaning they do not conform to NFC Forum standards. The xNT is the first NFC compliant implant available, which is why we’re so excited to see the campaign succeed! To answer your question though, most people don’t even know I have any RFID implants, and I don’t bother showing them off anymore. Most people find out when I use them to get into my home, or to access my datacenter or unlock my car. If they are paying attention, they will notice I don’t have anything in my hand and they will ask “hey, what just happened there” and I’ll show them and explain. When introduced to the concept in that way, seeing a useful application of it before contemplating the implant itself, most people are receptive and can see the usefulness. If I tell someone about it first, their reaction is usually a squeamish look on their face and sometimes a negative comment.

[Mathieu] Many of our geek friends at Hackaday are very interested by this technology, but are afraid to put it under their skin. What in your opinion could make them take this step?

[Amal] Back in 2005 I had several doctors as clients, and I consulted with both a cosmetic surgeon and my family general practice doctor about the device and the location I wanted to implant it. Both agreed it was a very safe place to install one of these devices, and both performed the procedure for me without hesitation. Since getting my implants, I’ve worked with hundreds of people also interested in getting an implant. I started Dangerous Things in order to control the materials processes involved to ensure the tags we sell are made with biocompatible glass and internal resins, and all components are bio-safe. Of all the people I’ve helped or sold implants to, I’ve never heard of any tags that have been implanted in the correct location (webbing of the hand) and in the proper orientation (parallel with the metacarpal) ever breaking or causing a problem. I’ve worked with doctors and body piercers to place these tags under the skin, and we’re building a partner network of professional body piercers to increase access to a clean studio environment and professional installation services. We offer procedure guides and phone consultations for piercing professionals who are installing for a Dangerous Things customer. Additionally, the implants are MRI safe, so getting one will not exclude you from medical imaging procedures.

[Mathieu] In your experience, are technical people less reluctant to try this chip than non-informed persons?

[Amal] Most of the time, people without a technical background will have misconceptions about the technology which lead them to believe that it is capable of doing something that it can’t. The most common misconception is that it can be tracked in real time by a 3rd party, like a GPS enabled device might be. Another common reason non-technical people are reluctant to entertain the idea of an implant is the lack of cheap, simple commercial products that work with the implant. When I got my first EM4102 based 125khz implant, the NFC standard was not published and there were no devices. This lack of standards meant you’d have to buy an expensive commercial access control system or you’d have to build solutions yourself. I ended up building my own solutions, as did many other hacker/hobbyists. The good news is, with NFC standards growing in popularity, commercial devices and systems based on NFC are now becoming available and a non-technical person can easily begin to integrate NFC into their daily lives without needing to solder it together themselves.

[Mathieu] The chip that you offer to put under the skin can be reprogrammed at will but has a unique 7 byte serial number, which may arise privacy concerns. What will you do with this information? Can we trust you? Do you think you’re setting a precedent in the history of NFC enabled humans?

[Amal] The 7 byte UID programmed into each NTAG203 chip could be a privacy concern if people used their tags with systems that are outside of their control. For example, if a person enrolled their implant with an access control system at their work or school, then every time they entered the premises by using their implant, that access even would be logged. But, the reality is, this is always the case when you use an access card, so there really is no difference having that access card under your skin instead of in your pocket.

The real question being asked about privacy revolves around consent – can someone read it, from a distance, without your consent. While it is technically possible someone could build a large, high powered antenna loop to pick up tags from a distance of a few feet, it’s not practical and not at all likely. Magnetically coupled data transmissions from passive tags don’t work like typical electric field radio emissions, and it becomes very difficult to generate a stable magnetic field that is large enough to envelope tags at a distance while maintaining the integrity and sensitivity required to communicate with those tags. Furthermore, the context in which you use your tag matters. If someone were to set up a large antenna loop somewhere and skim tag IDs of people walking by, in order to do anything with that information they would have to figure out who you were, how you used that tag ID, and plan an attack on you specifically. Unless a person were to use their implant to gain access to a bank vault or another target that an attacker would want to get into, it’s just not very likely. On the other hand, attackers who set up skim points to pull credit card data from RF enabled cards don’t need to know anything about their victims in order to go use that skimmed data to make purchases. Context matters.

[Mathieu] Did you try different antennas to see how far you could read the chip from?

[Amal] I’ve tried various antenna configurations with my 125KHz tag because low frequency works better than 13.56MHz high frequency tags when implanted into the body. The best range I could get using a high powered antenna loop coil that was 2 feet (~60cm) in diameter was about 1 foot (30cm). Typical read range of a 2mm x 12mm 125KHz tag using conventional readers is between 1mm and 2cm, depending on the reader and antenna configuration.

[Mathieu] In your opinion, can this chip be used to implement simple authentication on everyday devices?

[Amal] The xNT is well suited for simple authentication systems. The user memory space can also be used for NFC by storing an NDEF record, the latter portion of the user memory could also be used to store rotating one-time keys to help secure custom security systems. In a typical skim attack, an attacker that is able to read a tag’s UID bits and memory contents without consent would be able to emulate that UID and memory contents to the target reader device. In this scenario, the attacker gains entry and the victim has no idea anything is wrong. The attacker could come and go as they pleased without detection. By using a rotating key, each time the potential victim uses their tag the reader updates the key. This means two things; 1) the attacker has a very limited amount of time to utilize their attack. If the user were to return and use their tag before the attacker had time to execute an attack, the attack would fail. 2) the victim of a successful attack would not be allowed access due to a bad key on the tag. This would alert both the victim and the system administrator to a potential attack situation, which could bring up surveillance video of the current attempt and the last system access made by the attacker. Detecting an attack after it has happened is just as important as preventing one. Of course, there is no such thing as absolute security, and there are attacks which could be executed against a rotating key system, but again context is what matters. Typical users are going to be using the xNT for residential home access type projects, and I think if someone wants into your home that badly, they are much more likely to break a window or use some other, more conventional method.


  1. elecaddict says:

    I see Big Brother coming closer to his goal……

    • Greenaum says:

      Exactly… once someone invents something like this, some butthole makes it compulsory for people. While scientists can’t fairly be given responsibility for the behaviour of society, politicans certainly won’t accept it, nor will the rich and powerful.

      This is a world with very bad people in it who are very powerful, and unfortunately many ordinary people are bloody stupid. While it may not be Einstein’s fault that Truman nuked Japan, he often regretted ever writing him the letter that started it off.

      Nuclear bombs are a big issue. The countless ways people are abused every day are small and plentiful. If something has a likely use in letting bastards make the world worse, you shouldn’t invent it. The “convenience” of being able to open his door or start his car without the key or whatever, really doesn’t make up for the massive evil applications this thing has.

      And that’s without mentioning the thieves who cut people’s fingers off to get past biometric locks. Yeah, “still being attached to my wrist detection” comes in version 2, no problem, I’ve got one just like it on the other arm anyway, I’ll be fine.

      • Spider says:

        “If something has a likely use in letting bastards make the world worse, you shouldn’t invent it”

        So based of that statement computers should never of been invented then, or the internet, or cars, insert invention here. The point im trying to make is anything can be used to make the world worse, or for evil just like it can be used to make the world better or for good. It just depends on the persons motives that is using it…

        • PedantioReguloso says:

          For that matter, let’s take it all the way back to fire. Not an “invention”, but I think the point still holds.

        • Greenaum says:

          It depends on the balance. If something has plenty of good uses, then maybe leave it up to society. I can see no real problems that this solves, and absolutely tons of bad uses for putting chips in people’s skin.

          Of course it’s people who are good or evil. But there’s a reason somebody invented child-safety covers for electric sockets. Some people shouldn’t be given certain choices, or opportunities, and you can’t control who that is.

          You know the sort of people who have power in our society. You vote for ‘em, but would you let them babysit your kids? Or marry your son or daughter?

          • Spider says:

            The problem i have is i dont see it as a device for “big brother” to spy on us. I mean there all ready doing that, they have easyier ways to do it then making everyone place an nfc chip in there hand, and then “big brother” would have to install devices all over the place that can read the nfc chip when ever you walk pass, its not just like they can go “oh look he has an nfc chip in his hand, lets boot up our special super computer and enter a few commands to see what he/she has been doing”

            “Big brother” is all ready doing this, well when i say “big brother” i mean the NSA, it wasnt that long ago that it came out that they had access to google/facebook/insert company here servers and were mining data off them. Its actually funny i read an article this morning that said it has now been found that the NSA has tapped directly into the fibre cables coming into this big companys to get the data they are after, so i really fail to see why an nfc chip placed in someone hand is going to allow “big brother” any more power in monitoring its people when there is all ready technology out there that enables them to do it , and a lot easyier then an nfc chip, and they do use it.

            My problem with this is its security, i mean how secure is this in all reality? I have a bank card that has an NFC chip in it that allows me to just wave my card for payments (all the banks in australia forced this technology onto there customers, there is no opt in or opt out for it), the problem with this is all it takes is for someone to sit on a busy train all day with a device that can read these bank cards and everytime someone walks pass them they take a little bit of money off the card.

            Im not concerned with “big brother” with this, but more on how secure it really is.

          • PedantioReguloso says:

            “It depends on the balance. If something has plenty of good uses, then maybe leave it up to society.”

            Okay, so what’s the ratio of “good” to “bad” uses required to reach said balance? Is balance thrown out once the “plenty” threshold is reached? Are “good” and “bad” absolutes, or is there a rating system? Who makes the final call on these details? Is there a UN governing body, or does EACH INDIVIDUAL CHOOSE WHAT IS BEST FOR THEMSELVES?

          • Greenaum says:

            See, of you’re not a fan of gigantic governing bodies, and appreciate individuals choosing what’s best for themselves, then giving people implanted serial numbers is something you should probably be against.

            Imagine a bad government. With this, you’ve no way of “forgetting” your ID, no way of faking or changing your own. You’re identifiable in a database, connected to countless other databases, by any government officer who can get near your hand. Once this thing’s in him, an individual has no choice as to whom he shows his ID. Imagine the hippies in the 1960s, burning their hands off to protest the war in Viet Nam!

            Sometimes good people need to break bad laws. It’s seen as just, historically. I’m sure you can think of a dozen places in recent history, and even now, where the government really isn’t one’s friend, and it might be lifesaving to be able to sneak around.

            It’s just that this thing makes a no-contest of the whole thing.

            As to who decides? Well, I do. I’m here complaining about it now. I have lots of opinions I might share with the world, as does everyone else. Would you want them all stamped with your Social Security or driving license number? Every company and agency and even charity beggars in the street, all bleeping your right hand to have access to your life and identity?

            Soon enough you’ll have no choice, credit card companies would love the money this saves them. There’s a million uses for this that would advantage whichever organisation, whether I like it or not. All it takes is enough chips in enough hands before it’s impossible to live without one. And shit… I’ve ended up turning into St John the Divine and I’m a bleedin’ atheist.

            The people who choose are, as ever, the people who CAN choose.

    • mark says:

      While you might think he is the creator of this tag and technology, we did this same thin back in the early 90′s in a partnership with Mars Electronics. Our tag was a read-only designed to be implanted in salmon and used to track them as they wouls swim upstream through fish ladders. Big brother coming…..yes and it is scary. An earlier version of the Obamacare bill talked of requiring this…….

      • Amal says:

        1) nobody said this was new tech. the new part is that this tag is fully NFC compliant. 2) big brother = wtf?, 3) have you read the healthcare law? oh, you haven’t? let me educate you; it makes mandatory a registry for medical devices and implants… MEDICAL devices, like pacemakers, brain stimulators, etc. don’t be a dolt, do some reading.

      • sweaver69 says:

        Amal developed this device. A type2 nfc tag encased in glass for implantation.

    • iamnotachoice says:

      It was all decided in this meeting between the WHO and the NSA where the NSA said: “Hey, let’s put tracking thingystuff on peoples mobile phones to fight terrorism” and the WHO was like “we better put them in their blood and fight cancer” and the NSA was like “oh cool, but then we don’t know if they came in contact with any terrorists” and then they ended up putting them in peoples genitals. ^^

  2. KC2YXU says:

    No thanks.

  3. BQ says:

    yea.. no.

  4. 0xfred says:

    Nice. I thought about getting a 125kHz RFID implant a few years ago and building a home RFID lock. Unfortunately my work pass that I use every day is a non standard Paxton system. I decided that it would be too annoying still having to carry a similar RFID card.

    Maybe NFC is enough to tempt me. I still won’t be able to get into work, but it might have enough uses to be worthwhile.

    • Greenaum says:

      Still, put it in your watch or something. Maybe a ring. If you lose it, just cancel that chip and explain to your wife where your wedding ring went.

      • JL says:

        I’ve had one in the wrist band of my watch for a couple of years that unlocks my car and house. Actually I’ve had two because the first one got smashed when I picked up a test fixture at work (1/8″ Aluminum plate) and the corner pivoted into the capsule. Up until that point, I was planning on getting one implanted in my hand…

        • Amal says:

          JL, if you’re worried about breakage while implanted, check out our Facebook page for a post about a possible breakage case. If implanted in the correct spot, the tag is fairly well protected by flexible, fatty tissue that gives way to blunt force. Without this, the glass is quite vulnerable to heavy sharp objects like aluminum plate. http://www.facebook.com/dangerousthings

  5. six677 says:

    I’ve played a little with NFC recently. Wicked tech although all of my tags (1 university access card, 1 keyring and 5 stickers) are Mifare Classic 1K chips with as the name suggests 1kb of *non formatted* data, think it ends up being about 750bytes in the end which is considerably more than the xnt implant.

    Security wise, my phone can read my university access card without fault, slightly worrying, the card duplication app I tried though failed to read my card (only app that has so far, only duping app I have attempted) yet was able to dupe a tag I created myself, dont know if there is some trickery going on there.

    • asm-wolf says:

      Does the app that you are using to duplicate the card know the sector keys for the card? This may be why it fails to clone it. I assume the tag you made uses NDEF keys, so the app probably has those stored already. Also, does the app clone the mifare sectors directly or just the NDEF data?

      If you want to clone the card and do not know the keys, you might want to look into MFOC. Of course, only do so with permission!

  6. SparkyGSX says:

    implantable NFC tags, containing chips designed by the company that brought us MiFare! What could possibly go wrong?!?

    My new get-rich-quick scheme is selling tinfoil gloves.

  7. Hello says:

    Hope they make it with the campaign but I can’t see the real benefit of such a device (novelty aside). Sure from a body mod/tattoo kind of viewpoint it makes sense, you can yolo it and realise some sort of benefit. But as mostly happens to be the case with such things, it is easy to get but hard to get rid of. Now couple the above with eventual obsolecense and the fact that you will need to carry a keychain anyway for “non-compliant” everyday locks. Not to mention deeply massaging RSIed hands now seems rather troublesome. Maybe there is more to it but i can’t grasp it.

    • Ryan Mitchell says:

      As someone with a chip, you’re totally correct.
      They are just a novelty; I like giving someone my contact info by tapping my hand on their phone or laptop. There’s nothing more to it.
      And they’re not that hard to get rid of, unlike the pet chips they don’t use a “Biobond” coating (Flesh glue), so all it takes is a needle sized hole to slide one out.

  8. Nater says:

    That is so great. Imagine the endless possibilities: E-commerce possibilities where we could eliminate identity theft, counterfeiting, monetary theft, etc. We’d definitely need to standardize this–insertion in the right hand (or forehead for those that are missing or have significantly deformed right hand), make it so all have to get one and so no man might buy or sell, save he that hath the mark … oh wait a sec.

    : )

  9. Theodore says:

    Why not use rfid ? It has more range than nfc .
    Also what about the risks . .
    Lets say that is comonly used after some time passes you will be
    tempting a possible burglar or a thief to harm you in order to steal your stuff .
    Isnt it something to be concerned about ?
    Anyway its a great idea though ,good job guys …

    • Amal says:

      Hi Theodore,

      The xNT is an RFID tag. It complies with the ISO14443A standard. All passive NFC tags are RFID tags first and foremost. When it comes to passive tags, NFC is simply a standard laid down over certain types of RFID tags. The world has been using ISO14443A tags for a long time before NFC came along and dictated how to arrange the memory contents of said tags in order to be “NFC Forum Compliant”.

      The idea that these will be ubiquitous enough for burglars to consider the implant as a possible attack vector for the common victim is just not likely. Unlike other commonplace technologies, this goes in your body. Typically the only people interested in implanting an RFID/NFC tag are those with a grasp of the technology, who are capable of building their own solutions, This is hackaday type stuff, not something you’ll see hanging off the impulse buy rack in the checkout line at the local grocery store.

    • Greenaum says:

      I’ve just predicted the rise of “handshake bandits”, who run evil software on computers up their sleeves, or in their hands or wherever, to rob your bank accounts and stuff. Always remember! Don’t shake hands without a glove! No glove, no polite greeting.

  10. I also have 3 RFID implants a 13.5khz ( the same as what is used in pets) and a EM4100 125khz that I use for my office/shop/home.
    That one wasn’t made for implantation but a 5 min treatment in a acid bath to etch the surface. Solved that problem.
    If I implanted it as is it would have traveled from its intended location and ended up who knows where.
    With the etching the sub-facia will grow around it and lock into place. ( itches a bit)

    All of the above impacts are 2mm X 5mm

    The largest implant a Exxon speed pass.
    Also acid etched. 4mm X 13mm it fits perfectly in between the 4 and 5th Metacarpals on top of the hand.

    The only issue I ever had is that there is a nerve that is near the implant and if something
    strikes the implant at the correct angle it causes a bit of discomfort like hitting your elbow.

    Recently I have forgotten my wallet and had to drive to a work site that is over 200mi away and thankfully I had the implant and was able to get a tankful of gas and some snacks.

    and I love the puzzled look on the gas station attendant when I paid for the gas and snacks with a wave of my hand. LOL

    I like the fact that the speed pas has no personal info on it.
    only a code that is recognized by the server in the cloud some where and that then in turn approves the purchase with the credit card I have on file.

    The others also have no personal info, only codes that have no meaning or use outside of my access system, That requires a pin code with the tag.
    So just having my code on the tag isn’t enough to get you into my areas.

    • Dielectric says:

      Serious question: did you implant those yourself, or is this a standard service at like a body piercing place? I’m pretty sure this isn’t covered by my health insurance…

      • I do recommend that you find a professional to do the implantation of the devices.
        I.E body modification, piercing ect ect.
        Since I have access to medial equipment and have some medical training.
        I was able to do this my self.
        The smaller devices are implanted via a 10g needle injector and doesn’t really require
        any anesthetic. But the larger one required a 5mm incision and some derma bond to close the wound.

  11. Grumpy Cat says:


  12. Critique 101 says:

    99$ for a chip worth 5$ ? The chip in my hand is laughing right now. There’s no novelty here, it ain’t a USB thumbdrive, it ain’t coming with dedicated readers or hardware packages to automate your unlocking desires,it ain’t cool in my honest opinion.

    Get me an RFID chip on 13.56 or 125 that has 2gb of memory, or a complete community gathering website (arduino like) for rfid implant related hardware/software and there I’d be happy reading about it.

    HaD, on this article, I think you’ve wasted my time for nothing really new (wooooot he changed the frequency to NFC’s….yay,) and I’d like to mention you don’t do that very often!

    • Amal says:

      Is your tag fully NFC compliant that will work with all NFC enabled mobile devices? Also, moving 2gb over 13.56MHz would take a very long time indeed, making the concept of a large storage capacity NFC compliant implant essentially useless. We are also planning on offering more RFID implant related hardware and software via our website and our github repo.

  13. Ellipsis says:

    Can this implant be used to pay for anything in the UK?

    • Unless there are Any Exxon or Mobil petrol stations over there then no.
      The speed pass only works at those locations.
      I chose the Exxon speed pass because it is already implantable.
      All you have to do is to harvest the glass ampule from the speed pass
      key chain token.
      And no personal information is stored on the token.
      and you can tie the token to any credit card or bank debit card.
      I have complete control over the use of the token.
      I will never forget it and if something really bad happens to me
      and I can not be identified, hopefully the medical examiner will
      find the implant.

  14. Haha wow, I’m always surprised that supposedly technical people still do not gasp the simple fact that when it come to technology like this, fear of “big brother” is down right laughable. Why would any government who clearly already has full access to your phones, your internet, your bank accounts, and both public and private security camera systems world-wide even want to bother enforcing some kind of barbaric mandatory implantation requirement of a technology that can easily be blocked, removed, or simply subverted? Oh, let’s not forget all those tags and access cards you already carry around with you, which have a much greater read range than the xNT… are those being used to remotely spy on the public? No, they aren’t.

    The xNT is a simple NFC device based on the NTAG203 which enables people of sufficient skill to create their own projects and solutions… you know, fun electronics stuff? The added benefit of the xNT is that there are commercial devices coming available that support the ISO14443A standard, like the Samsung Ezon electronic deadbolt.

  15. Truth says:

    Me personally NO. I like that thieves currently do not start cutting me open or lobbing bits off me to rob me.

    • Amal says:

      How would a random thief even know you have one of these implants? I think most thieves would do what thieves do – demand your wallet and/or cell phone.

      • Trui says:

        How would a random thief even know you have a wallet and/or cell phone ?

        • Amal says:

          Come to think of it, how would a random thief even know you weren’t an ethereal figment of their imagination?

          • Trui says:

            You’re not being serious. Probably because you’re not getting the point. If these implants will become ubiquitous, a thief will know you have one, just as a thief knows you have a cell phone or a wallet. If these implants do not become ubiquitous, that means there’s also no infrastructure for reading them, and that means there’s no point in having them implanted.

          • Amal says:

            I get your point, it’s just fantastical to think they will become ubiquitous. Take a look at tech trends… biometrics are the future oppressive technology you should be fearing, not this. Biometrics allow users to be enrolled into databases without their knowledge or consent. Just walking through a tube station in the UK gets your face and gait analysis patterns logged for years. Once enrolled there is no way to opt out or ever be sure your biometric data has been removed from that database… and changing your fundamental biology is a bit tougher than removing an RFID implant, Look at the iPhone… it has an absolutely amazing RF based biometric “fingerprint” scanner that can uniquely identify any part of your body that gets pressed up against the sensor (not just fingers). Expand this to cars, homes, etc. and you have a system that can uniquely identify you just by touching a door knob. Biometric technology like this is progressing at an alarming rate, yet you are myopically focused on RFID because it’s a tangible shiny object you can theater your fears to while the true horror is lurking in plain sight. In short, your point is moot because there is simply no chance in hell an implant like this will become commonplace, ubiquitous, or mandatory.

          • Amal says:

            To address the second aspect of your post regarding the lack of a ubiquitous framework of readers. For the layman, sure, there is no point in getting an implant, but these implants are not for the layman. There is still a point for those individuals who have the intelligence and technical skill to 1) understand the technology they are implanting, and 2) build their own solutions that utilize their implant. Lack of ubiquitous infrastructure becomes a positive at that point.

          • Trui says:

            I’m not myopically focused on RFID at all. I don’t want *any* biometric technology used as an *authentication device*, including artificial biometrics such as implantable devices. If I’m going to carry an RFID device, I prefer it was just in my pocket, so that it can be invalidated and replaced when it’s stolen. Privacy is also not my concern, since it simply doesn’t exist any more.

          • Amal says:

            Fair enough.

          • Greenaum says:

            Saying “look at all these other horrendous invasions of privacy” doesn’t really let you off. If they bother you, too, why are you adding to them?

            It’s been possible to implant chips in people for a while now. But so far THEY haven’t realised that! So shut up, and if you must do stuff like this, act like an eccentric so the idea doesn’t wake up in their heads. It just needs some bright Steve Jobs type character to realise how much money a contract to implant a whole population would be worth, and then slip a small proportion of that into some politician’s pocket. This is shit we all know happens all the time.

            You can’t deny the world’s already full of evil old fuckers, gladly abusing the weak and poor for their own benefit. And it’s getting WORSE! Now’s not really the time to be facilitating more privacy threats.

          • Amal says:

            You seem to forget, some “Steve Jobs” type (minus the cancer) already tried to get exactly those contracts you mentioned. VeriChip corp (now PositiveID) tried convincing the government to implant soldiers, immigrant workers, etc. and also tried selling their implant to the healthcare industry. The idea failed. They no longer sell the VeriChip. The failure to sell the government was due in part to the fact that an entire RFID implant system was too short range and too invasive… whereas the government’s current projects based on iris scanning at a distance (ala minority report), gait analysis, and other biometric systems could be deployed without surgery or the person’s knowledge they had even been enrolled in such a system. YOU ARE BARKING UP THE WRONG DAMN TREE MAN.

    • Skimming the code from my implant or hacking off my hand won’t work with either the speed pass or my other em4100 tag, Simply for the fact that the speed pass requires me to enter a pin code and so does my card access system.

  16. TehMeh says:

    soo… someone sees you drive up in a nice car, then poses as a vendor/signature gatherer and hands you some pamplet while an antenna up their sleave reads your implant. Then they go steal your car by impersonating your device. What could go wrong?

    • Amal says:

      Haha what are you talking about? No random attacker will ever know either of the following facts: 1) that your car has been updated by you with aftermarket parts to work with your implant, or 2) that you even have an implant.

      Also, most nice cars already use an active keyfob that readily transmits it’s data several feet so you can just walk up and press the “unlock” button on the back side of the car door handle, then press the “start” button to start the car, all without taking your key out of your pocket. This system is far more vulnerable to attack than an implant system simply because it broadcasts its signal to everyone in the vicinity.

    • gimple says:

      Very little. Copying NFC signals is way, way easier than beating WEP.

  17. apex1302 says:

    to become a success it should have 666 bytes. The warning about this kind of technology is about 2000 years old.

    Revelation 13
    16 And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:

    17 And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.

  18. Ryan Mitchell says:

    I wonder what the difference between this and the xM1 I bought a few months ago is?
    Doesn’t look like much, I doubt it would warrant a reinstall.
    Just checked the spec sheet, just looks like full NFC compliance.
    And I’m not sure if I read that right, but it also looks like it only has 160 bytes of memory, that could be a problem for some. (Mine has 700)
    As for the
    “If someone were to set up a large antenna loop somewhere and skim tag IDs of people walking by, in order to do anything with that information they would have to figure out who you were, how you used that tag ID, and plan an attack on you specifically.”
    thing, I know some people (Including myself) keep their contact info on it, so that might be a problem for those that use the chip alone for security.

    • TehMeh says:

      And ballot signature collectors that seem to have some legitimate purpose for both handing you something (comming within inches of your implant) and collecting your infos?

      • Ryan Mitchell says:

        I’ve never really thought about that before…
        I thought about the idea of it, but not the way you suggested.
        I’d say with only a couple of thousand (voluntarily) chipped worldwide that it’s not a problem now, but I’m sure that will change.
        I guess I’ll just ware tinfoil gloves then.

        Congratulations, you just convinced me to take my address off my chip.

      • Amal says:

        What are you talking about with the ballot collectors man? The number of people in the world who actually know anything about these implants is so miniscule it’s preposterous. Lower still will be the number of people who actually have implants. It’s a ridiculous idea to think any random attacker is going to be trying to skim people’s info through a nefarious handshake. Chances are, there isn’t a single person in their city who even has an implant.

        By the way, don’t you have to give your name to vote, or sign the outside envelope of a mail-in ballot anyway? I’m so confused by your argument.

        • sf says:

          So targeted attacks against specific individuals don’t exist in your world?

          • Amal says:

            Yes, of course, but read the interview above… context matters. With the types of use cases typical of an implant user, who would bother? Absolute security is impossible, but the more hurdles you create for someone to attack a low value target, the less likely the attack vector is. I use my implant to get in my house but I still have to enter my pin code to deactivate the alarm. Don’t use your implants to guard a bank vault or log into the CIA and you’ll probably find criminals prefer less technical means.

    • Amal says:

      Hey Ryan,

      Yeah the xM1 is based on the Mifare S50 1K chip which is not fully NFC compliant. For people who want to build their own applications and forgo full mobile device NFC compliance, the xM1 is a great option. The xNT is for people who are mostly interested in exploring the NFC space. Both xM1 and xNT are ISO14443A compliant so they will both work with devices like the Samsung Ezon deadbolt and any ISO1444A capable reader.

  19. Jehu says:

    I’d hate to have one of these and have an induction cooktop at home. Would have this rather horrible burning feeling in my hand every time I cooked dinner. Humm, might be handy for crowd control. Point a HFRF device at the crowd you want to suppress and watch them grip their hands in agony. Saves having to use water cannons. The riot squad would love it.

    • Ryan Mitchell says:

      I’d like to test a chip with one.
      I’m not sure if the antenna is frequency specific, but I know the chips are.
      As for the crowd control thing I’m sure that if you ran too much current through them the chips would fry, so they’d have to get re-chipped, but I’m sure they could put a dummy antenna in them for just this purpose.

      • Amal says:

        Yeah, the chips have an overcurrent protection diode. If you pulse them they will burn out but they will not heat up or explode. So far though I’ve not heard of any problems, and I’ve been up close and personal with a Tesla coil without any issues. People have even gotten MRI scans with them installed and reported no problems.

    • Amal says:

      Sorry to dissapoint you, but I’ve actually tested this with a two different induction cooktop systems. I tried to burn out or otherwise damage an xEM tag (125KHz) to no avail. I also tried to burn out an xM1 (13.56MHz) tag and got nothing. I tried placing it over the inductor alone and next to and inside of an inductive cooking pot while operating and still nothing.

  20. ATC says:

    and if you chake another hand they communicate with each other…

  21. Galane says:

    128 bytes of memory? Why so little?

    Copying data from these wouldn’t be any harder than cloning an RFID card in someone’s wallet. https://en.wikipedia.org/wiki/Tiger_Team_(TV_series)

    • Amal says:

      The typical use case of the memory space is to write an NDEF record on, which is usually a URL but can be other mime types. Alternately you can store your own application data on it.

  22. Rob says:

    People dealing with techs like this are morally equal to those burying mines in farmfields.
    I wish them nothing but exit(-1);

  23. parko says:

    well the first 3 comments covered my opinion, but regardless…

  24. They are a type 2 nfc chips,then it is possible to read\write them multiple times, isn’t it?
    Are there any standard security techniques, relying on the capability to be written multiple times, that could make an access system based on these chips more secure?

    • Amal says:

      each memory block can be written up to 100,000 times and read an infinite number of times. as outlined in the interview above, typical methods for adding a layer of security on simple devices like this include the use of rotating keys that update each time the tag is used.

  25. Ellipsis says:

    How many writes does one of these have?
    You could probablly really annoy someone with one just by using them all up…

  26. NothanxNSA says:

    Just seeing a picture of a RFID chip next to social media icons is enough for me to condemn this type of research. Last thing we need is a personal second to second invasion of our privacy.

  27. KleenexCommando says:

    I guess if you NEVER had to interact with anything in public, skimming wouldn’t be as big a deal. Why would I bother with a large power loop antenna when a door handle on a building or a handrail on some stairs would be a lot better at passively skimming? a camera records your face and other information about you when it gets a “hit” from the antenna. And if you are a “good” bad guy, you really do want to know your mark…
    People have gone to greater lengths to install skimmers on ATMs and even fake ATMs themselves… Also, your looking at this as something of a novelty at the moment. All kinds of technology we looked at in the past as a parlor trick is now common. Why would I, as the average joe have a credit card that I could forget or lose when I could have it implant? Not only would the bad guys want to start skimming for implants, it may get to the point of being pointless not to. My thought is that I kind of like the idea that I can “lose” or “forget” my credit card or cellphone quite easily when it suits me. Sure you can yank these out of your hand, but not as painlessly as simply leaving my cellphone and wallet on the night stand. Hand over my wallet or my whole hand to a mugger? eh… I’ll keep my hand, thanks.

    • Amal says:

      You have aptly demonstrated exactly why your own argument isn’t really valid. Yes, people install skimmers at ATMs… why do they do that? Well, because you don’t have to know any of your victims because 1) the ATM is a common platform that works the same way everywhere, 2) your victims provide PIN code and skim data at the same convenient location, 3) once the data is gathered, the attacker doesn’t need to know anything else about their victims to use that data at any ATM in the world,

      Also, why would the average joe consider implanting their credit card? They wouldn’t. If they were technically inclined, they would likely use some form of NFC wallet on their mobile phone. Even if 1% of the world’s population (~70,000,000) implanted their credit cards (currently not possible anyway), this would still not be broad enough target for attackers when simple ATM skimmers are doing the job quite nicely. Currently, I would guess the world population of people with implants sits around 1000 or so… and those implants vary in air interface, standards, and use cases.

      Finally, have you ever tried to implement a door knob scanner for a 13.56MHz 2x12mm tag? It’s actually a difficult challenge to get a decent read from a few mm away, let alone the several centimeters necessary to over come in a door know scenario. Embedding a reader into a typical metal door knob is also a bad idea. I guess I’ll be keeping an eye out for plastic door knobs.

      • six677 says:

        I only have MiFare Classic 1K tags, close enough. Just sticking one on the side of a pepsi can meant that I had to place my phone in direct contact before I could read it, normally I can have the tag on the table, place my hand ontop, phone ontop of that and read through my hand. I agree, metal door knobs probably wont read tags nicely.

  28. Adobe/Flash hater says:

    Amals defenses Sound a lot like the reasoning of (long ago passed),local car dealer here
    who wouldn’t by an ad spot on a local FM radio station.

    safety/security by obscurity seems to fail to technology creep or become a mute point through obsolescence.
    horseless carriages.
    home radio recevers
    (AM bands only, at first…
    Land line phones.
    Television sets.
    personal computers.

    you seeing the patterns yet?

    I might have tried to write a more detailed and perhaps convincing
    remark here.
    But it’s like reading and editing
    on a cash registrar tape
    while looking through a keyhole.

    something about the
    current page layout
    isn’t making my
    user applied browser settings happy :(

    • g2-0657d6529c54c3bdd0ee0abe1f75010c says:

      Your message is difficult to understand. Are you trying to say that obsolescence is a problem? You can always remove the tag with very little effort.

      Security through obscurity is only an issue if this is the only thing you are using as a security factor. This would allow very simple three factor for logging on to a computer, for example. Even if someone was to get your password and username, they would still need your tag to authenticate. This isn’t a replacement for other measures, it is an additional method to authenticate.

  29. CorrosiveOne says:

    To everyone going on about big brother….

    Amal didn’t invent NFC tags, he also didn’t invent the idea of implanting them…
    The government has been doing this in the medical field for a few years, and vets have been doing it even longer… It’s nothing new.

    Amal’s tag does however work better with devices like your phone which are expecting a flat tag, most implantable tags don’t like NFC.

    There are good and bad uses for almost anything, give the guy a break.

    • g2-0657d6529c54c3bdd0ee0abe1f75010c says:

      With the publicity he’s had in the past, I am sure he’s able to deal with all the superstitious people who posted above. I really am surprised that HAD has so many. And the people just saying “nope” like anybody else cares what products they aren’t going to buy.

  30. g2-0657d6529c54c3bdd0ee0abe1f75010c says:

    Luddites. Luddites everywhere.

  31. stefan says:

    Little girlllllli, your on the way’sgoing to 666… you choose the wrong way….
    Stefan from holland

  32. h3ll0_w0rld says:

    This could be a step in the right direction for a lot of technology promoting ease of use but the glaring problems with its lack of security worry me.

    My biggest problem is all of Amal’s arguments on why this isn’t vulnerable to theft of information seem to revolve around: “No one knows its there, you’ll be fine.”

    I can already hear every security professional in history turning in their graves..

    • I don’t think I’m arguing that there is no threat or possibliity that your UID or tag data could be read and emulated. It can. What I’m saying is that 1) it is more difficult to read than a typical keyfob or access card in your pocket or wallet, and 2) the context in which you use your tag matters. Access cards are often issued to people for their job, and firms with access control systems may have targets inside that someone may want to gain access to. Attacking an access card in someone’s wallet is much more likely and has nothing to do with the person carrying the card and everything to do with the access target itself. Most people will be building their own solutions or deploying solutions for their homes and personal projects. I don’t think a hacker is going to care to read your tag just to get into your RFID enabled beer fridge. I’m not saying it’s impossible, just not likely is all.

      By all means, people should be aware that these tags are not secure, so they need to judge for themselves how best to utilize the technology and what they feel safe deploying.

  33. Fernie says:

    it would be a shame if someone would destroy your implant… =/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s