US body hacker turns people into cyborgs
Seattle start-up founder says implantable chip can 'open your doors, your cars and your computers' and has had chip in his left hand for 11 years
A growing community of amateur "body hackers" are using chips the size of a rice grain, injected into their hands and wrists, to unlock their computers, buzz in at work and open the doors to their homes. The one thing they have in common — aside from a desire to be among the first generation of cyborgs — is a small Seattle start-up called Dangerous Things.
Dangerous Things designs, sells and, in rare cases, installs its own line of implantable radio-frequency ID chips. It was founded by CEO Amal Graafstra , a man of some repute in the body-hacking world who rose to prominence in 2005 after implanting an RFID chip into his left hand — a chip he still uses to unlock the door to his house.
After installing his own chip, Graafstra said he fielded emails from other people interested in implanting themselves. Eventually, it got to the point where he thought he could make a real business out of sourcing and selling RFID chips, and in 2013, Dangerous Things was born.
"I needed a way to help people out who were contacting me and make it worth my while," said Graafstra. "Our premise here is to upgrade your life. Open your doors, your cars and your computers [with a chip]."
It sounds strange, and perhaps even a little dangerous, but RFID technology already surrounds us. RFID works by emitting radio waves to transmit information. It's how employees with key cards access their buildings and how retail stores track their inventories of clothing. Some RFID chips — like those inside U.S. passports — are passive, meaning they don't emit a signal unless they're near a receiver that accesses information stored on the chip.
Other RFID chips — like those inside the E-ZPass devices drivers use to bypass toll booths — are active, with internal batteries that transmit signals over several hundred feet.
But the convenience and functionality of RFID chips that body hackers espouse could also be exploited for dangerous purposes. Already, implantable medical devices are at risk. A recent Forrester Research report predicted that 2016 would be the year hackers used ransomware to hijack a person's pacemaker or other medical device.
Cracking into an implanted RFID chip is a trickier proposition, but a hacker intent on stealing even encrypted or password-protected health or financial information stored on an implanted chip could do so. Combine the information taken from an RFID chip with GPS data pulled from a person's smart phone, and the danger grows.
"If RFID is combined with location, you'll have a good idea of what somebody is doing at any given time. We become the beacon," said Michelle De Mooy, deputy director of the Privacy and Data Project at the Center for Democracy and Technology.
When it comes to making these implantable chips, Dangerous Things does a mix of factory and in-house manufacturing. In its first year, the company sold 500 RFID chips. Since, Graafstra said his bootstrapped company has sold more than 10,000 implantable RFID chips and the do-it-yourself kits to install them under the skin to people around the world. It's not a venture-backed company; the only funding raised was a US$30,000 sum from an Indiegogo campaign in 2013. But Dangerous Things sold US$150,000 worth of implantable chips in 2015 and US$100,000 worth the year before, Graafstra said.
Doctors won't install these chips, so for people interested in a chip but too squeamish to install one on their own, Dangerous Things partners with and trains body piercers worldwide on how to inject RFID chips. Most often, people inject chips into their hands between the thumb and index finger. Each RFID chip kit sold by Dangerous Things — including the tag itself, plus the antiseptic and injection supplies needed to install it under the skin — is relatively inexpensive.
Jack Kingsman purchased his kit for $100 in April 2015. The chip Kingsman injected into his left hand was a near-field communication tag, a type of RFID chip that makes transactions via Apple Pay or Google Wallet possible.
Kingsman knew exactly what he would use the chip for: storing a lengthy password for accessing his computer. "I would touch my hand to a receiver I constructed that would read the data and input it to my computer, allowing me to store a pass phrase significantly longer than one I would be able to remember and type by hand," said the 20-year-old computer engineering student at Santa Clara University.
For body hackers like Kingsman, the thrill of experimentation or the seamlessness of what RFID chipping lets them do is often enough to make up for what looks like, at least to the average Joe, more of a hop than a leap in convenience. While RFID chips, in theory, can hold whatever information a person wants on them — passwords to their email and Amazon accounts, credit card information, medical records — in practice they're used today for only a limited number of functions.
"It's like a chalkboard: You can write whatever you want on it, but if nobody can read the language, it's useless," Graafstra said. "People have wanted to use [chips] for storing medical records, but there's no protocol around it. No doctor would know to scan it."
One company, VeriChip, already tried it last decade. VeriChip's idea was that a chip — paired to a unique ID number and storing a patient's medical records — could be used by a doctor to access a person's medical information in emergencies where the person was incommunicado, and in 2004 the company became the first to win Food and Drug Administration approval for an implantable RFID chip. But two years after VeriChip received FDA approval, an editor at Wired had the device implanted in her arm — and then wrote about a self-taught hacker using a homemade device to swipe the ID number off her VeriChip, giving him potential access to anything the VeriChip was linked to, including medical records.
Several years later Wisconsin, North Dakota and California, citing privacy concerns over the "tagging" of humans, passed laws that banned the forced implantation of RFID chips in humans, legislation championed by the American Civil Liberties Union. By 2010 the VeriChip was discontinued.
Adherents to the body-hacking way of life, however, don't seem too worried about a bad actor using an RFID reader to swipe information off their implanted chips.
"I don't worry about it being swiped, because in order to read the chip, you have to be within a few millimeters [of it], and it takes a couple seconds to read," said Trenton Adams, a computer software consultant in Georgia who uses one implantable chip for buzzing in at work and another for storing his emergency contact information. "It'd be very noticeable if someone was trying to scan the chip."
But why anyone would need a chip inside them to open a front door when a key already suffices is a question pondered by people who aren't body hackers.
"It's an illogical use of the technology. It just doesn't make any sense," said Pam Dixon, executive director of the World Privacy Forum, where she has researched RFID technology.
As Dangerous Things continues to grow — the company has a team of five employees, including Graafstra — it's the skeptics to implantable chipping technology they'll look to win over. In March, Graafstra was at the CeBit Fair in Germany promoting his company's latest implantable chip, the Uki. It's a chip Graafstra said will allow people to do much more than just open doors to cars and office buildings or log into websites and computers.
"It's like a small computer in an implantable device. And on that computer, you can load through your smartphone different apps," he said.
According to Graafstra, the Uki will let people make online purchases in bitcoin by tying their bitcoin wallets to the implantable device, as well as allow people to store and send encrypted, secure email messages. The chip doesn't go on sale until the fall, but Graafstra is confident it'll work the way it's supposed to: He already has one implanted in his wrist, in addition to two other RFID chips he has implanted in his hands since getting his first chip in 2005.
"Getting one of these transponders implanted in your hand is less risky and less time consuming than getting an ear piercing, and you've got this extremely functional device that's simple to remove," he said. "The question really comes down to: Why wouldn't you do this?"