XSIID Security thoughts


I recently got my first implant and I really love it.
Currently I only use it for my digital business card, but I want to expand the use to a digital door lock and to login in my PC via KBR1 reader.

Since both of the later two use cases rely on the UID I am a little scared about the security factor. Whenever somebody scans my implant for the contact info, they could easily record the UID and therefore have my login password and the possibility to gain access to my door

Is there any way to lessen this possibility without stopping the business card usage or only use it for this function.

Best regards and thank you for your help

Get a different implant for contact info and access? I have an xSIID but plan for something I can change the ID on for house access. E.g. xM1 or xEM.

Edit:. Well the xEM isn’t HF so won’t work with kbr1

Yeah, the XM1 sparks my interest anyway. But even then if other members of my household use a key fob I would have the same problem again with the UID…

If other members use a key fob then the UID doesn’t change on the keyfob.

my plan is to do something like

1 xM1 for me so I can reprogram the UID with proxmark3

And magic rings for the family. Which is the same thing but not injectable. Additionally the ring could go on a neck chain. Or if you find a fob capable of cloning UID

I am more scared that somebody scans the UID of the fobs from family members (kids especially) and could gain access to my house in worst case

Your biggest ally in this case is security through obscurity; don’t let anyone who you don’t trust know that your UID is your password, and if someone who you don’t trust does know that connection between you and your password then make sure they can’t scan your tag(pretty easy to do, especially with an x series tag, just keep your hand away from them)

That’s where the newer cards such as Desfire EV1/EV2 would help you as they are not able to be cloned (currently). This obviously requires a compatible reader and these usually come from security/automation channels ($$$$), therefore can’t really be a roll your own solution as far as I know.

It may help to think about your threat model a bit more carefully before making any changes, since most houses would be far more easily accessed by just smashing a window or breaking the door jam.

1 Like

the way i do this is i don’t use the kbr1 printed uid as the whole password i use it as a suffix.

i do: [chosenpassword]{scanned uid}

1 Like