xNT Security Use-Case - Any big attack vectors?


I’ve been looking into an implantable RFIT chip for a while, and I think I am ready to get the xNT, but I had a couple of questions.

First, I intend to use the chip to store encryption key(s) for a few applications. My concern with this is that the keys data could be read by an attacker. I understand that this would require an attacker to have near-physical access to the implant, but it is still something I would prefer to avoid.

I read a post on read-only access ( Can my xNT be easily set to read-only?) and your response and am curious about the #3, password protected reads/writes feature. My understanding is that if I implemented this, and protected the encryption key reads with a password, then the following use case would be possible.

  1. Encrypt something on a computer (say a Bitcoin wallet) using a private key (pkey)
  2. Create an NFC password (pwd).
  3. Connect an NFC reader/writer to the computer and write the pkey to the xNT.
  4. Use the process outlined in the above post to make the xNT user-memory only readable with the pwd.
  5. Create a script that does the following:
    A. Asks user for password
    B. Interfaces with NFC reader/writer to send pwd to chip.
    C. If authenticated, chip allows pkey to be read.
    D. Send pkey to encrypted container (such as Bitcoin wallet)

Assuming good security on the machine, there are not any passive attack vectors here, correct? In order decrypt the vault, an attacker would need both the pwd of the xNT chip, and access to the chip itself. The only real weak point of this seems to be the reader, which could be modified to record the pwd as it is being sent.

I’m a software engineer, so the programming part won’t be difficult, but I’m a little new to encryption and NFC security features. Just want to rule out any obvious weaknesses for using the xNT for authentication.

Also, any recommendations on USB reader/writer that would work with both Windows and Linux?


1 Like

This will be a problem with every type of RFID or NFC chip type, except VivoKey.

Password protections do work to ward off a momentary, casual attack… but it will do nothing for a deliberate attacker. The password is sent in the clear from reader to tag, so any attacker can simply listen to that interaction to get the password, or they can scan your UID, present it to the reader, the reader gives the password to the attacker, and they can re-scan your xNT, authenticate, and get access to the protected memory pages (and change your password or fuck up your configuration bytes).

So, assuming your machine is physically and digitally secure, and the password is only ever used with that machine, your plan should be fairly secure.

I’d get the ACR122U reader. It has drivers for both Windows and Linux.