Hi guys. I recently implanted an xDF2 and am using it to store (in NDEF plaintext) the secret key to my password manager as well as some recovery codes for various internet accounts. In the interest of enhanced security, are there any steps I can take to protect this information from being stolen?
Cheers
Well, the elephant in the room: don’t store it in plain text as a NDEF record…
LOL yeah… I recognize it’s not the most ideal setup, which is why I’m trying to tighten things up a bit.
Do you think using the chip to store a secret key to an encrypted file (containing the info I am storing now) would be more secure? I originally came to the chip to ideally have that information offline.
The thing is, if everybody and their dog can read your chip as easily as you can, there’s no point in adding extra doors when the key to the whole castle is hanging in the breeze on a hook outside. That’s what I meant: readily readable information - be it NDEF records, UIDs and whatnot - are only “secure” if you don’t tell anybody you have a chip and what it contains (security through obscurity), or you’re awake and quick enough to punch someone who tries to read your chip surreptitiously in the face before they manage to do it (security through Mohammed Ali). That is, not very secure at all.
What you want is 2FA, one of the factors being a challenge-response exchange with the chip, and the other is a PIN or something else that doesn’t depend on the chip. But of course the technical implementation is more complicated and less ubiquitous.
A mitigation strategy if you insist on keeping all that stuff as a NDEF record is to add a PIN that stays in your brain at the end of the record. Or said another way, your NDEF record holds a partial code to your encrypted file, and the rest of the code is your PIN. The encrypted file can only decode with the NDEF record and the PIN concatenated to each other.
Another mitigation strategy is to apply some kind of “recipe” that only you know. For instance, say your apparent secret code in the NDEF record is 12576 (I know it’s short, it’s just an example) and the recipe is “add 1 to all the odd digits, and 2 to the even digits”. You can then read the NDEF record, but enter your real code manually, which is 24697. That way you don’t have to remember a mountain of digits, just the recipe.
It’s not ideal, but it’s better than what you do now if you care about security.
Doesn’t work 
I have chain mail shoes (for when I’m required to wear shoes, or I hike somewhere dangerous and I can’t stay barefoot) and I can read the chip in my foot through it just fine.
But that’s LF 
Haha, sorry, enough derailing from me 
Hmm yes, true dat… I’ll try to slip one of the shoes on my hand tonite, to try out the M1k. That’ll amuse me for 2 minutes.
Thank you for the feedback, I have a few ideas for implantation now.
You sent me down a rabbit hole with those shoes, and I’m interested in possibly picking some up. How many years can you expect to get out of a pair?
Also, a chip in your foot? First I’ve heard of someone doing that. Mind if I ask you what you use it for?
They’re not cheap, but they can be resoled (360 euros purchase, 60 euros resoling). The resoling consists in snipping out the worn out sole and attaching new chainmail to the rest of the shoe (done by the manufacturer in Germany - you mail them the shoes).
I’ve had them for years and they’re still going strong. The pads show no signs of quitting (I have the Anterras, which have rubber “paws” - the bare chainmail soles are too slippery on tiles, and too rough on wooden floors). Some heavy users have had theirs for even longer, and resoled them many times.
Having said that, nowadays I don’t wear them much. I just keep them rolled up in my backpack in case I encounter terrain so rough it’ll defeat my own soles, or some store or restaurant wants to throw me out for not wearing shoes - neither of which has happened to me in years.
Right now, just logging into my computer at work. I’m working on other uses, such as opening my van’s backdoors with my foot, starting my car by stepping on the gas pedal, and stopping the engine by lifting my foot off of it. But that’s in the works, as I’m waiting for some hardware to make those things, and I have other projects on my plate.
See here.
Not trying to pimp out my own shit or anything, but I honestly had the same exact concern as you, which is why I started making BioCom in the first place.
Just download the OpenKeychain application and make yourself a set of keys (even better if you’ve got a Vivokey). Then encrypt the text you want secured to your own PGP key. Then just write it to your implant (writing something like this work’s great with BioCom). Then whenever you scan your xDF2, BioCom will intercept it and prompt for decryption with OpenKeychain, like this.
Super quick and simple. I use it all the time and store all my bank info, passwords, etc on one of my implants like this. No better place to keep your data!
Your own shit deserves to be pimped out if it’s good. No shame in that.
Looks like a stellar solution. Any plans for an iOS port?
Not at the moment. I’ve actually got a good amount of experience in cross-platform development in C# (Xamarin), but I don’t think it would be feasible to have something like this work very well in that framework (hence why I just used Java), as iOS/Android handle NFC stuff too differently, and I don’t have the time to learn Swift/Obj-C.
If anyone out there does know iOS development well enough though, I would love to try and aid in making some kind of port.
I got a guy…
