So I finally got the call from a manager today asking if I had a chip inserted and if it was a copy of my ID card.
I didn’t deny it, it is pretty obvious at work when I just beep through doors.
I’ve been told not to use it until they can figure out with IT security if it is OK, but there is a policy that basically states access is to be via the employee’s personally issued access card only. I don’t think I can make the claim that my chip is my personally issued access card, just stored in my hand.
It probably didn’t help when I pointed out that for a government agency with 5000 employees, that is always putting out emails and learning packages on IT security, they are using default passwords on a card system the manufacturer hasn’t recommended as secure for years and I could clone with my phone in less than 30 seconds.
It looks like I’ll probably be told I can’t use my implant for work access which is super annoying as it has been really useful over the past couple of months and I only just learnt where the sweet spot is to get all the readers to work.
That, and the fact your ID card can be made useless with presumably just a click (deleted from the system to deny access) makes it not so much a big deal. If they want to be reasonable they could request you turn in your actual card so there’s no possibility a 3rd party could use it.
For government stuff compliance can be a big deal. Regardless of whether being compliant even makes any sense at all.
Whatever compliance guideline thingymabob they are using doesn’t say anything about implants, therefore implant bad.
On top of that, at least where I live, copying an ID card can be a legally complicated matter. Even if the default password is set.
Particularly in a government context people can get a little bit litigious. I myself have not made an attempt to clone my work badge, because of compliance/legal reasons. Even though technologically it may be possible.
It’s hard to argue with dummies, but I would take this point - the “personally issued access ID” - the thing that gets you in the door - is not a card, but the ID number programmed into the card. You ARE using the access ID that was issued to you. This is exactly the same as giving your driver’s license number or passport number to an agency upon request instead of mailing them the physical item. The important thing is that the ID is yours and you are presenting your issued ID upon request.
You have not violated any security policies because the ID number that was assigned to you for access to the doors is exactly what you are using. The physical card is not the security mechanism being used; the ID number programmed into it is the identifier that was issued to you and the mechanism the door and security system is using to identify you and authorize your access with. The card itself is just plastic and wires… and most importantly, the card is not designed to be secure, just like a driver’s license can be read by anyone who looks at it. More on this below.
If they can make this small adjustment to their perspective on the situation, you should be fine.
In case they want to make the argument that you “hacked” something… because security idiots and managers always want to make that argument… well I wish you luck because there’s probably no way out at that point… but you should make it clear that the card systems they chose to implement require nothing more than to read the ID… just like reading words off a page… they were not designed to be a singular security solution, they are part of the overall security infrastructure which includes people, cameras, etc. … and just like words on paper, if the intent is for only authorized readers to read, then the cards should be marked with “top secret - for authorized readers only”. To expect nobody to simply read the ID from the card using any $10 keyboard wedge reader they can get off Amazon is foolish.
As far as the act of writing that ID to your implant goes, in this context, you also have not violated any expectations - you are presenting YOUR issued personal ID to the door. What would be a serious offence would be copying someone else’s ID and presenting THAT to the door… that is a violation for sure… but what you’ve done is clearly not.
It sounds like a knee jerk reaction to me, and their focus is on the wrong aspect: they shouldn’t be focussing on the fact that you did it, but the fact that you COULD do it. I assume you are a trusted employee who already has access, and you have uncovered an exploit and prevented an ACTUAL threat.
They should be thanking you, not persecuting you.
Amal has offered this in the past to others in a similar situation; I can’t offer on his behalf, but he may be willing to fight in your corner and explain to the powers that be pretty much as he mentioned above PLUS answer any questions they may have AND cut off their arguments before they are even raised.
It was a smart move being upfront and honest when questioned, it shows you can still be trusted, you weren’t trying to deceive etc. (I imagine they would probably already have video footage of you using it, so you have taken the wind out of that sail.)
Yep, I’ve been very careful to avoid terms like “hacker” or “biohacker” and to explain that I haven’t “hacked” anything or circumvented any password or security measures; as the keys were all default, there was nothing to “hack”.
Although I do use a PM3, I showed them how I used the freely available Mifare Classic Tool to clone the tag to my implant. I also explained how I never read anyone else’s card and didn’t duplicate to a physical card that could be lost or compromised.
I’m currently in the process of writing a bullet point list of facts in an email in which I encourage them to embrace new and emerging technology in order to remain innovative and explained how I am happy to help, as well as suggesting wording changes to policy.
Unfortunately they are known for knee jerk overreaction so I am probably screwed anyway, just not sure how screwed I am yet. Hoping for just a warning and not being fired.
Something to remember is that people assume it’s safe/complex when they don’t know/understand what it is. Same goes with locks… Everyone uses Kwikset in the US, yet people still break windows to go in…
Pointing out how bad their system is is usually the wrong way to handle things in my experience.
That is a difficult situation. People get defensive when their errors get pointed out as well. It’s almost like blame shifting, but both parties have to be open minded to come to a fair resolution. Otherwise someone is going to get the upper hand (it’s always the employer).
Had a similar situation at my last job. Government mental health facility using HID tags. They told me I couldn’t use my flexEM anymore and I promptly did it anyway because tbh I wished they would fire me
Hope it works out in your favor! I have a flexClass as well as a NExT that are sitting on my desk that I’m itching to get installed (both for work, and hopefully dual the T5577 for my apartment complex) but I’m not sure how work is going to react once the rumors start spreading. Maybe it’ll work out for us both! Best of luck!
I just over-explain and not make it a secret from the outset. While they can fire me for any cause, heading it off from the outset is better than waiting for it to be figured out so they can get all sus on it.
I also take it as a learning experience for them to explain what you did - that it’s inherently insecure and that this is best filed under “keeping honest people honest.” Even some in IT tried the “yeah but we can’t take that back” argument, but I just reminded them that when they disable my regular access card, it disables this since it’s just a clone relying on the same creds.
There’s a benefit to showing someone the facts from the outset and letting them make themselves feel stupid, as opposed to waiting for them to ask, and then feel stupid when you shoot them down.
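The point made twice in this thread, that the door checks the ID number rather than the plastic and that disabling the original card therefore disables a clone carrying the same ID, as an added illustration in Python. This is a constructed toy model written for this page, not any vendor’s access-control software; the credential IDs, reader and site names and the ten-minute minimum-travel threshold are all assumptions. It also shows the kind of check a defender can add on top of revocation: the same ID presented at two different sites faster than anyone could move between them is flagged as a possible duplicated credential.

```python
"""Toy access-control model (constructed example).

Authorization is bound to the credential ID, not to the physical token, so
a second token carrying the same ID is granted and revoked together with
the original.  A simple duplicate-use check flags the same ID appearing at
two sites faster than the assumed minimum travel time between them.
"""
from datetime import datetime, timedelta

# Assumed minimum time it takes to move between two different sites.
MIN_TRAVEL = timedelta(minutes=10)


class AccessSystem:
    def __init__(self, credentials, reader_sites):
        self.credentials = dict(credentials)    # credential ID -> holder name
        self.reader_sites = dict(reader_sites)  # reader name -> site name
        self.revoked = set()                    # credential IDs disabled by admin
        self.last_seen = {}                     # credential ID -> (reader, time)
        self.alerts = []                        # (credential, prev reader, reader, time)

    def revoke(self, credential_id):
        """Disable an ID: every token carrying it (card or clone) stops working."""
        self.revoked.add(credential_id)

    def present(self, credential_id, reader, when):
        """Decide on a presentation; returns (decision, reason).

        The reader only ever sees the ID number, so nothing here depends on
        whether it came from the issued card or from a copy of it.
        """
        if credential_id not in self.credentials:
            return "deny", "unknown credential"
        if credential_id in self.revoked:
            return "deny", "credential revoked"
        prev = self.last_seen.get(credential_id)
        self.last_seen[credential_id] = (reader, when)
        if prev is not None:
            prev_reader, prev_time = prev
            moved_sites = self.reader_sites[prev_reader] != self.reader_sites[reader]
            if moved_sites and when - prev_time < MIN_TRAVEL:
                # Same ID at two sites faster than anyone could travel between them.
                self.alerts.append((credential_id, prev_reader, reader, when))
                return "deny", "possible duplicate credential"
        return "grant", "holder " + self.credentials[credential_id]


def demo():
    """Walk through the scenarios discussed in the thread on constructed data."""
    t0 = datetime(2024, 1, 8, 9, 0)  # constructed timestamp
    acs = AccessSystem(
        {1001: "employee A", 2002: "employee B"},
        {"hq-front": "HQ", "hq-lab": "HQ", "remote-gate": "Remote"},
    )
    results = []
    # Employee A: issued card at the front door, then a clone with the same ID
    # at the lab door one minute later. Same site, same ID: both granted.
    results.append(acs.present(1001, "hq-front", t0))
    results.append(acs.present(1001, "hq-lab", t0 + timedelta(minutes=1)))
    # Admin disables the ID: card and clone are denied alike.
    acs.revoke(1001)
    results.append(acs.present(1001, "hq-front", t0 + timedelta(minutes=5)))
    # Employee B's ID shows up at HQ and at a remote site three minutes apart:
    # nobody travelled that fast, so the second use is denied and alerted.
    results.append(acs.present(2002, "hq-front", t0))
    results.append(acs.present(2002, "remote-gate", t0 + timedelta(minutes=3)))
    return results, acs.alerts


if __name__ == "__main__":
    for decision in demo()[0]:
        print(decision)
```

The model deliberately has no notion of which token presented the ID; that is exactly why revoking the issued card also kills the clone, and why the only signal a defender gets about a duplicated ID is its use pattern across readers.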
I was initially open about my chip with coworkers that I trusted when I first got it, but after a while I’ve realized that it’s best to keep it on the down-low for reasons like this. I tend not to use it in front of others anymore. If I’m within eyesight of someone who doesn’t already know about it, I usually dig in my pocket for my badge, just to be safe.
Best of luck to you. Hope everything turns out alright.
I almost got in trouble at my last job for doing this as well. It was a secure call center with HID badge access at every door inside and out. I didn’t hide it at all lol. Most of the time I presented it to newbies as a magic trick. A group of us went to a training off site and got in trouble for being in an area that we weren’t supposed to. We had to go through a “security refresher” course and my boss scolded me and said “don’t say a fucking word about that thing in your hand” lol. I even convinced one of my coworkers to get chipped and start using it as well. Now I work in a MUCH more secure facility in IT and it uses the same badge system, and I only do it when no one is watching.