XSIID Security thoughts

SoEinBasti · August 28, 2022, 9:38am

Hi,

I recently got my first implant and I really love it.
Currently I only use it for my digital business card, but I want to expand the use to a digital door lock and to login in my PC via KBR1 reader.

Since both of the later two use cases rely on the UID I am a little scared about the security factor. Whenever somebody scans my implant for the contact info, they could easily record the UID and therefore have my login password and the possibility to gain access to my door

Is there any way to lessen this possibility without stopping the business card usage or only use it for this function.

Best regards and thank you for your help

optedoblivion · August 28, 2022, 12:19pm

Get a different implant for contact info and access? I have an xSIID but plan for something I can change the ID on for house access. E.g. xM1 or xEM.

Edit:. Well the xEM isn’t HF so won’t work with kbr1

SoEinBasti · August 28, 2022, 2:11pm

Yeah, the XM1 sparks my interest anyway. But even then if other members of my household use a key fob I would have the same problem again with the UID…

optedoblivion · August 28, 2022, 2:27pm

If other members use a key fob then the UID doesn’t change on the keyfob.

my plan is to do something like

1 xM1 for me so I can reprogram the UID with proxmark3

And magic rings for the family. Which is the same thing but not injectable. Additionally the ring could go on a neck chain. Or if you find a fob capable of cloning UID

SoEinBasti · August 28, 2022, 2:40pm

I am more scared that somebody scans the UID of the fobs from family members (kids especially) and could gain access to my house in worst case

mfries18 · August 28, 2022, 4:21pm

Your biggest ally in this case is security through obscurity; don’t let anyone who you don’t trust know that your UID is your password, and if someone who you don’t trust does know that connection between you and your password then make sure they can’t scan your tag(pretty easy to do, especially with an x series tag, just keep your hand away from them)

ethan_rose · August 28, 2022, 7:36pm

That’s where the newer cards such as Desfire EV1/EV2 would help you as they are not able to be cloned (currently). This obviously requires a compatible reader and these usually come from security/automation channels ($$$$), therefore can’t really be a roll your own solution as far as I know.

It may help to think about your threat model a bit more carefully before making any changes, since most houses would be far more easily accessed by just smashing a window or breaking the door jam.

Equipter · August 28, 2022, 9:17pm

the way i do this is i don’t use the kbr1 printed uid as the whole password i use it as a suffix.

i do: [chosenpassword]{scanned uid}