Trust Issues

In our cyber world identities are typically split into two distinct categories: human and machine. But there's one notable intersection: cyborg. On today's episode, host David Puner talks with Len Noe, technical evangelist, white hat hacker – and CyberArk's resident transhuman.


[00:00:00.250] - David Puner
You're listening to the Trust Issues Podcast. I'm David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security. In our cyber world, identities are usually split into two distinct categories, human and machine. But there's one notable intersection, cyborgs. When I say cyborgs, it may conjure images of bigger than life fictional characters like the Terminator, RoboCop and Darth Vader. Six Million Dollar Man for all the Lee Majors fans out there, you're this podcast's sweet spot. But in reality, though, cyborgs are out there, and they're much subtler than the stuff of science fiction thus far, and good and evil don't really figure in the actual parameters of what a cyborg is.

[00:00:59.560] - David Puner
Being a Cyborg means someone is comprised of both biological and technological components, so they've got parts they weren't born with. Human made parts. It's the intersection, quite literally, of humans and machines. So, yes, at some level, someone with a pacemaker can be considered a Cyborg out of necessity. Then there are the cyborgs by choice, humans who have elected to implant some form of technology into their bodies, like biomagnets and RFID or NFC chips. Perhaps it's to make contactless payments, open physical office doors, unlock infrared vision, or who knows what.

[00:01:37.990] - David Puner
The possibilities seem pretty significant and depending on the usage, the ethical implications could be too. There's a lot of potential for this stuff, and with our smartphones practically already surgically attached to our hands, it doesn't seem too far-fetched that phones' capabilities might someday soon be accessible via implant for the sake of convenience, of course.

[00:02:03.010] - David Puner
Today I talk with Len Noe, technical evangelist and white hat hacker at CyberArk and our own resident cyborg or transhuman, or at least that's how he describes himself. To bring multiple proof points to that description, he has a lot of things implanted inside his body. It's all in the name of research and cybersecurity advancement. No, it's not a job requirement. No, it's not futuristic science fiction. He has undergone a series of bio implant procedures to become more than human, as he says, and along the way, delve deeper into the mind of an attacker.

[00:02:43.970] - David Puner
What does it mean to be transhuman?

[00:02:46.170] - Len Noe
The term transhuman was actually coined by a gentleman named Julian Huxley back in the 1950s, and his philosophy and the philosophy of all of his followers and myself included, is any individual who wants to utilize technology to enhance the human condition. Very simply put, I am an augmented human being that has decided to take advantage of technology to actually turn my body into the attack vector. This makes me a little bit different than a standard white hat. I've actually implanted seven different microchips underneath my skin for the purposes of offensive security.

[00:03:30.110] - Len Noe
Where this makes me a little bit different is if I'm going to try and say, compromise your mobile device. Without these implants, I would need some type of tool. I would need some type of chip that I could hold, something I would physically be able to be detected with. The same thing when it comes to trying to compromise physical access locations, the idea of compromising access cards has been around for over a decade. But the issue is there was always some type of IOC. Either I would have a Proxmark or I would have a cloned card in my hand that if you as a security professional, found me in a restricted area, you could search me, you could find out how I got in.

[00:04:13.190] - Len Noe
What makes me that much more dangerous is I can compromise that mobile device, I can compromise those physical locations and if you find me, all I got to do is say that somebody left the door open. There's zero indications of any compromise because all of the technology used for these offensive purposes is actually beneath my skin.

[00:04:33.560] - David Puner
So I guess to back this up for a second, we've already done the reveal here, which is that you've got devices implanted within your body. Why don't you take us through how that started and why?

[00:04:46.390] - Len Noe
Why is the easy part. The why is because I'm a hacker and to quote The Mentor, who is one of the original hackers, he said, "Yes, I am a criminal. My crime is that of curiosity." So I've always just been a very curious person, started with tattoos, went to body piercings. So this kind of stuff just really is not that big a deal for me from like, oh, you're going to cut yourself or you're going to modify yourself? I've been doing that since I was literally 14 years old. Being a hacker, I'm always looking at things from the perspective of, yes, this is what its original use was, but what can I make it do?

[00:05:36.760] - David Puner
When did you get that first implant and how have they progressed since that first one?

[00:05:42.450] - Len Noe
The first one I got was about two and a half, three years ago. It was a bioglass encapsulated combination, NFC and UFC chip. It's in the webbing of my hand between my thumb and my first finger. That was, I think, the easy way to start because when it comes to the installation... I love that term, installation of the implant. It was a very low medical entry point. If you've ever seen somebody get their ears pierced with like a body piercing style, it's just a little bit of a bigger needle, that's all it is. The chip itself came preloaded into a syringe. I found a body modification artist that was licensed through my State, made an appointment, and honestly, the procedure took less than a minute.

[00:06:38.150] - Len Noe
Where they've gone from there? I have moved away from the bioglass encapsulation because they're very easy and it's a really easy way to step into becoming transhuman. But the efficiency for what I wanted to use it for just wasn't there due to the minimal size of the antenna. It works but you really have to be almost sitting right on top of the receiver in order to get it to read properly.

[00:07:05.490] - Len Noe
From there, I moved into what are called flexible membrane implants. They require an actual surgery, so it's an incision. There are dermal elevators. You have to separate the skin from the dermal underneath, make a pocket, insert the device, and then get stitched back up.

[00:07:28.800] - David Puner
That's a significant deal.

[00:07:31.010] - Len Noe
Oh, it is. It really is. All of the implants that I have have legitimate use cases. I have NFC, RFID. I have the ability to interface with almost every type of contactless security badging, HID Indala, Pyramid, prox. I have chips that can address all of those. So for me, I use these as tools for offensive security. I have the ability to compromise mobile devices simply by holding them. I released three attack vectors at RSA last year. Handshake, flesh hook, and leprosy. You got to have a little fun with your naming. I'm going to hold your device and infect you by holding it. I've even come up with a way that I can actually distribute ransomware and potentially crypto miners to mobile devices through mere touch. That's a little teaser so stay tuned, the biohacker marches on.

[00:08:31.970] - Len Noe
But the advancement of my microchips is essentially me wanting to expand the use cases and functionality that I currently have. One of the things that I wanted to just point out real quick is all of the implants that I currently have and this is the issue with all consumer grade implants at this time. They're passive, so they have no internal power at all. They get their power from the readers or the receivers. So I really do expect to see commercial grade implants that might be out on the market here very soon that can actually have an internal power source, that can be recharged without having issues of worrying about heavy metal poisonings or any type of leaking.

[00:09:16.170] - David Puner
Do you worry about any of that kind of stuff? Now, what could be leaching in your body with these implants?

[00:09:22.280] - Len Noe
I've lived a pretty crazy life. The fact that I'm even here, I think, is a testament to how stubborn I am. But no, I've lived an amazing life. I've been working with reputable companies, and I do think that this is the direction that we're going to be moving towards in the future. I'm waiting on an implant right now that I've already purchased. It's called the Walletmor. This is an implant that will give me the same abilities to do tap to pay like you can do with a credit card, Apple Pay, or Android wallet. The other thing is there are so many more augmented humans out there that most people don't know, and I'd be willing to bet most people know somebody they just don't know it personally because there is a very large stigma around augmented humans.

[00:10:11.610] - David Puner
Are you also including in that conversation people who have pacemakers or are you talking about-

[00:10:20.190] - Len Noe
I'm completely removing people that are augmented from a medical perspective. I'm talking about people like myself that have actually decided to modify their bodies with no medical type of reasoning behind it. Sweden actually is one of the most accepting of this. The Swedish people have done more to push forward the concept of integrating technology with humanity than anyone else in the world.

[00:10:48.460] - David Puner
In Sweden, are there ordinary, average people who -

[00:10:53.170] - Len Noe
Pretty much most people. Oh, yeah. They have an option where you can actually get a microchip implant that would essentially be your Social Security card, your medical history, ID, all of that, and it's all contained within a microchip.

[00:11:09.840] - David Puner
There are probably a lot of ways that having this technology implanted on you can potentially go, I guess one could call it sideways. Another way of calling it is, if these things get into literally into the wrong hands, there's all sorts of ramifications for cyber attacks and ransomware and that kind of stuff. That's why you're doing this, to get into the head of potential attackers, right?

[00:11:34.820] - Len Noe
I think like an attacker on pretty much everything I do. I'm one of those guys that when I walk into a room, the first thing I'm doing is I'm looking where are the doors? Are there security cameras? I'm just a very spatially aware person. If I can think about these types of ways of misusing these products, then I guarantee I'm not the only one that's thought that. Do I think that augmented humans are going to be an immediate threat within the next 30, 60, 90 days? Possibly. I mean, if I'm doing it, there are other people out there. But what scares me more is the idea that people may not even realize that these types of attack vectors exist.

[00:12:14.800] - Len Noe
One of the things that I've said from day one is how do you stop an attack that you don't even know is happening, or you don't even have any type of rationale that it's even feasible? As security professionals, we all understand the ideas of locking down USB drives, or you're going to have antivirus, you're going to have malware protection, you're going to have IDS, you might even have AI. But how do you deal with somebody like me who I can compromise a loosely connected device just by holding it. There's my initial foothold. If you're using that phone for work, you're using it for your banking, if you're VPN, and I've already got a presence on that device, that's my foothold into a larger attack.

[00:13:01.480] - Len Noe
I think a lot of this comes back down to just a straight concept of identity. I like to bring this up when I'm talking about the augmented human concept is, what makes somebody a human? Is it your DNA? Is it your Iris? Is it your fingerprint? Is it your face? Is it all of the above combined? You say, yeah, there is a potential issue when it comes to having these types of implants. But just like we look at technology in general, this is going to happen and continue to advance whether we, as security professionals, want it to or not. All we can do is try and be aware of these types of issues and get in front of them and negate those initial entry points.

[00:13:45.350] - David Puner
So from the time that you started doing this to now, how have you seen this space, the implant space evolve? That's, I guess, both on the technology side, but also on what kind of things attackers are doing with them.

[00:14:01.870] - Len Noe
Well, to be honest, there haven't actually been any disclosures of anyone using these in an actual attack. In terms of what I've seen advancing, oh, my gosh. Tesla is dealing with the Neuralink, and I'm not trying to shoot them down. There's been a lot of results that have come out recently in terms of their research. It's still, in my opinion, very premature in terms of thinking that we're all going to have a chip put into our head sometime soon. But the fact that they're getting some success is encouraging. There are products out there that are on the horizon, called things like the Will it and the Neurogreen.

[00:14:46.250] - Len Noe
These are two products. One of them is a Bluetooth transmitter and receiver that actually can take its power from the air, so it doesn't need any type of internal batteries. The other one, believe it or not, is an implant that is a Wi-Fi transmitter and receiver. Let's say we were sitting in the same room and you needed Wi-Fi and the guy next to me had Wi-Fi. He would give it to me, and then I could share it to you, same way you would in a mesh Wi-Fi network.

[00:15:14.030] - David Puner
That's fascinating. If it's strong Wi-Fi, I'd be interested.

[00:15:17.660] - Len Noe
Oh, yeah. My thing is, it gives the old expression of, I'm going to hack my neighbor's Wi-Fi a whole new meaning.

[00:15:24.030] - David Puner
Right.

[00:15:25.850] - Len Noe
But even from a medical perspective, there was a gentleman that was paralyzed, and they basically attached an implant to a spinal column, and he's gaining some movement. There's another gentleman, if you look up cyborgs, I'm not the first guy that pops up. But the one that is an artist who's blind, but they actually have a brain implant that allows him to essentially see colors. Technology is going great.

[00:15:57.720] - David Puner
It's really interesting to think that we have the potential to just walk out the door without a phone, without a wallet, whatever it may be and we can just use the chips in our own body to pay for things and to start our cars and open our garage doors.

[00:16:14.450] - Len Noe
There's actually the ability to get an implant if you have a Tesla Model Three, and you can just put that in your hand, it runs off of the valet side. It's not the original master key, but it's a valet key that you can program into a chip and then implanted into your hand, jump in your Tesla and just drop. You never have to worry about losing your keys again. To that point as I said, these chips are in a passive state, so if I get near a reader, they're going to read whether I want it to or not. So just to protect myself and other people, I keep my tags empty most of the time. But if I'm going someplace where I have any type of concerns, say Black Hat, DEF CON, someplace where somebody may want to try and attack and hack me, I actually have some leather gloves that I had deconstructed and then lined with Faraday fabric just so that I can turn my hands off.

[00:17:09.490] - David Puner
It also brings to mind, how do you explain this when you're going through airport security?

[00:17:14.810] - Len Noe
To be honest, I've never had to. Don't quote me on this. It was a long time ago, but I used to do the job of TSA before there was a TSA when the airport security was privately contracted. So good Lord, I think I just carbon dated myself. But the magnetometers in the standard archway metal detectors, at the time I was working there, I think they said that the total metallic mass that would set it off had to be equal to a 38 caliber bullet. It was actually a pretty significant amount of magnetic pull that needed to happen against the object and all of the microchips that I have implanted currently do not actually have enough metal in them to trigger a metal detector.

[00:18:11.990] - Len Noe
I have been through a couple of different full body scanners, the stand-up, stick-your-hands-over-your-head X-ray machines, and not just within the United States, and none of them have ever found them. So I don't know if that's a testament to the lack of anything exciting that the metal detector could detect, or if it's more that the metal detectors are just not that good.

[00:18:41.190] - David Puner
One thing I wanted to ask you, is this at all similar to technology that are in our dogs and cats?

[00:18:48.470] - Len Noe
Honestly, yes. I'm not going to lie and say that it isn't. Most of the time, the microchips that are implanted in dogs and cats are just simple NFC Tags that you can put your ownership information on. I'm using the exact same technologies. Technically, you can scan my implants with the same receivers because it's all operating over the same protocols.

[00:19:10.640] - David Puner
So it would sound like from what we've talked about, and we don't want to scare folks because that's not what we're here for. But if a stranger asked to borrow your phone to make a call, this is another incentive to not do that?

[00:19:24.000] - Len Noe
No. Let me just ask you this. If I walked up and said, hey dude, can I borrow your wallet for a minute? You'd look at me like I was crazy.

[00:19:36.140] - David Puner
I probably would, yes.

[00:19:37.410] - Len Noe
Or if I walked up and said, hey, can I see your birth certificate and your Social Security card for a few minutes? You'd never let me do that but if we look at the information that's on our mobile devices, it's just as dangerous if that gets out, if not more dangerous. I tell people, if this was a birth certificate, if it was the deed to your house, if it was the deed to your car, if you wouldn't hand that to somebody and just let them have free access to it, why would you ever let somebody have the wealth of information that's contained in your mobile device? If you really want to know why, if you do a search for my biohacker, The Invisible Threat, or take a look at the CyberArk Think Like An Attacker series from last summer. You'll see, all I need is the phone in about a minute and a half and I'm in the device before I've even walked away from you.

[00:20:37.160] - David Puner
Where is this all going in the near future?

[00:20:39.330] - Len Noe
Where is it going in the future? I think. Let me answer what I'm going to be doing next and circle back to the first question. I've got three more implants that I've already ordered and I'm just waiting on delivery. Thank you supply chain issues, but they will be that Walletmor, so I will have the ability to do tap to pay. I'm replacing the large implant in the top of my right hand with a newer version with more functionality. The Walletmor, I think is going to do a lot for the stigma around chipping.

[00:21:15.410] - Len Noe
It's difficult to try and find really good use cases for these unless you're really on the geeky technical side. I have an RFID lock on my office. If you want in, you better have a chip or you're not getting it. I've seen a lot of people use these for shared garages or if they're in a gym and they don't want to have to worry about taking a little key fob to get into the gym. I've seen a lot of standard use cases, but they're still very isolated and kind of niche. I think once people get over the shock of seeing somebody do this a couple of times where it's like, hey, let me take care of that and just high five your credit card reader.

[00:21:58.370] - Len Noe
But I think this is going to do a lot to try and get people to understand that there are augmented people. It's going to become a little bit more socially acceptable. Then I think a lot of the people that are already transhuman are going to start coming out of the woodwork. Beyond that, I'm really planning on going off the reservation. I've got a couple of different choices. My original plan was, I was going to take a single board computer, a Raspberry Pi Zero W. I'm working with Dangerousthings.com out of Seattle, Washington, and their CEO, Amal Graafstra, and he's helping me with getting these things properly bio encapsulated.

[00:22:43.400] - Len Noe
They have an indirect power receiver on them. So it's about the size of a stick of gum, maybe about two and a half, 3 mm thick. This will actually be surgically implanted into my upper thigh, right below where my jeans pants pocket will be. The reason being -

[00:23:06.230] - David Puner
Bio encapsulated, meaning?

[00:23:08.550] - Len Noe
Bioplastic. If you were to take a look at pacemakers or any type of device that you're going to put inside the human body, you'll find that they'll either be encapsulated in glass or they'll have a plastic encapsulation around them to keep the body separated from the technology. Otherwise, you would have issues with heavy metal poisoning, things that are in the circuit boards that would actually leach into the body and cause health issues up to and including death.

[00:23:45.990] - David Puner
Right. For people who are listening to this wondering, how could they do this or when might they do this, is this going to be the kind of thing where you go to your doctor and just say, hey, I need this thing implanted? What's going to happen?

[00:24:02.940] - Len Noe
No. Actually doctors are very against us. I had a small bit of a medical issue when I had the large implant put in the top of my right hand. It was my own fault. I didn't follow my professional advice and get on some anti-inflammatories the day before my procedure and I didn't get on them until about two days after my procedure. A lot of swelling actually looked like I had a softball on the top of my hand. So I went to a doctor to try and get some prescription grade anti-inflammatories. They took one look at me, realized what I had done, and they were like, we need to schedule you for emergency surgery.

[00:24:42.930] - Len Noe
I was like, why would I want that? I just paid money to put that in there. So instead, I took a bunch of Advil and a lot of cold compresses, and about a week later, the swelling went down and everything's fine. I do not know of any medical professional that would be willing to even do an installation. Most of the time it's done through body modification parlors, places that do gauging, tongue splitting, scarification, and branding.

[00:25:10.860] - David Puner
So it is not mainstream just yet?

[00:25:13.220] - Len Noe
Oh, no. The other thing, the kicker is there's no anesthetic to any of this. So this is all done just plain up straight taking it, because when it comes to anesthesia of any kind, you need a medical license to be able to administer anesthetic. You basically just have to sit there, bite the bullet, and get it done if this is what you want. I don't see this being a really big thing over the next couple of years, but I do see with the fact that we're continuing to try and micro size and downgrade sizing of things and making things more convenient, I do think we are going to see more and more. Whether it's for a car key or maybe a house key.

[00:26:02.720] - Len Noe
The scary thing is, there is absolutely nothing in terms of legislation from a federal level. There's multiple States that have adopted essentially one of two different types of legislation at a State level. There is a general ban on all elective microchip applications and then believe it or not, there's actually been a couple of States where employers have tried to mandate microchipping for their employees for the use of time cards and attendance and that was struck down very quickly.

[00:26:37.710] - Len Noe
I have no problem with the idea of being a transhuman and augmenting myself but I don't think that this is something that anybody should mandate on another person. Different doesn't mean bad and yeah, I've spoken at length about the possibilities that an augmented could do to an organization or from an offensive perspective. We're all human beings at the end of the day and treat people the way that you would like to be treated.

[00:27:09.570] - David Puner
This has been a great first conversation with you on the podcast. Can't wait to continue and have further conversations about who knows what.

[00:27:17.570] - Len Noe
With me you never can tell. I like to live on the outside of the norm and I don't see that changing anytime soon.

[00:27:31.990] - David Puner
Thanks for listening to today's episode of Trust Issues. We'd love to hear from you. If you have a question, comment (constructive comment preferably, but it's up to you) or an episode suggestion, please drop us an email at trustissues@cyberark.com and make sure you're following us wherever you listen to podcasts.