Article Details

Release the hounds! Securing datacenters may soon need sniffer dogs. Nothing else can detect attackers with implants designed to foil physical security. Sniffer dogs may soon become a useful means of improving physical security in datacenters, as increasing numbers of people are adopting implants like NFC chips that have the potential to enable novel attacks on access control tools. So says Len Noe, tech evangelist at identity management vendor CyberArk. Noe told The Register he has ten implants – passive devices that are observable with a full body X-ray, but invisible to most security scanners. Noe explained he's acquired swipe cards used to access controlled premises, cloned them in his implants, and successfully entered buildings by just waving his hands over card readers. Unless staff are vigilant enough to notice he didn't use a card, his entrance appears to be a normal, boring, instance of an RFID being scanned. But like most electronics, Noe's implants include a chemical called triphenylphosphine oxide that’s used to coat circuit boards to prevent them from overheating. Sniffer dogs have already been trained to sniff out the chemical to detect electronic devices. Noe thinks hounds are therefore currently the only reliable means of finding humans with implants that could be used to clone ID cards. He thinks dogs should be considered because attackers who access datacenters using implants would probably walk away scot-free. Noe told The Register that datacenter staff would probably notice an implant-packing attacker before they access sensitive areas, but would then struggle to find grounds for prosecution because implants aren't easily detectable – and even if they were the information they contain is considered medical data and is therefore subject to privacy laws in many jurisdictions. Noe thinks plenty of other attacks could be mounted using implants. He outlined a scenario in which a phishing mail is stored in an NFC implant – an attacker gains access to a victim's smartphone, uploads the mail, and sends it. Hardy anyone checks their Sent mail file, he noted, and mails sent from known good corporate inboxes are less likely to be considered a risk. Happily, Noe believes that only 50,000 to 100,000 people worldwide have had electronics implanted in their bodies, and perhaps one percent of those have the tech or the capability to use them for evil – rather than applications like keyless entry to a Tesla. But he told The Register he's aware of red teams adopting the tech, with some success, and pointed out that cyber-crims are always looking for new tools. He also feels that the issue of implants being used as a weapon deserves some consideration as brain-computer interfaces like Neuralink evolve. In the here and now, Noe explained that tools to defeat implants are already available in the form of multi-factor authentication. He suggests that datacenters require a combination of a card swipe and a keyed code, or biometrics, to defeat implant-packing attackers. And maybe consider going to the dogs, too – in the best possible way.